mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-27 08:13:39 +00:00
new build
@ -1,42 +1,42 @@
# [Deploy Windows 10](index.md)
## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md)
### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit--mdt-.md)
#### [Key features in MDT 2013 Update 1](key-features-in-mdt-2013.md)
#### [MDT 2013 Update 1 Lite Touch components](mdt-2013-lite-touch-components.md)
#### [Prepare for deployment with MDT 2013 Update 1](prepare-for-deployment-with-mdt-2013.md)
### [Create a Windows 10 reference image](create-a-windows-81-reference-image.md)
### [Deploy a Windows 10 image using MDT 2013 Update 1](deploy-a-windows-81-image-using-mdt-2013.md)
### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-81-deployment.md)
### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-81.md)
### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-81-computer.md)
## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
#### [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)
#### [MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md)
#### [Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md)
### [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
### [Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
### [Configure MDT settings](configure-mdt-2013-settings.md)
#### [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
#### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
#### [Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
#### [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-81-deployment-in-a-test-environment.md)
#### [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-81-deployment-information.md)
#### [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
#### [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
#### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
#### [Use web services in MDT](use-web-services-in-mdt-2013.md)
#### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-81-with-system-center-2012-r2-configuration-manager.md)
### [Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
### [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
### [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
### [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
### [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-operating-system-configuration-for-windows-81-deployment-with-configuration-manager.md)
### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-81-using-pxe-and-configuration-manager.md)
### [Monitor the Windows 10 deployment with Configuration Manager](monitor-the-windows-81-deployment-with-configuration-manager.md)
### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
## [Deploy Windows To Go in your organization](deploy-windows-to-go-in-your-organization-small-scenario.md)
## [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
## [Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md)
## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md)
## [Volume Activation [client]](volume-activation-windows-10.md)
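Review bot: the renamed targets in this TOC hunk mix naming conventions, which will make the next sweep harder: `key-features-in-mdt-2013.md` and `mdt-2013-lite-touch-components.md` keep the `2013` token under an "Update 2" title, `prepare-for-deployment-with-mdt-2013.md` becomes `prepare-for-windows-deployment-with-mdt-2013.md`, and `deploy-a-windows-81-image-using-mdt-2013.md` becomes `deploy-a-windows-10-image-using-mdt.md` with the version dropped entirely; pick one pattern now. Because several entries such as `### [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)` change only the title while others change the filename, it is worth confirming that every `-windows-10-` target in this hunk actually exists in the same commit, since the TOC side alone cannot show a missed rename. Two `## [Deploy Windows To Go in your organization]` entries with identical text point at different files (`deploy-windows-to-go-in-your-organization-small-scenario.md` and `deploy-windows-to-go.md`); if that is not an old/new pair, the two headings need distinct titles.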
@ -94,7 +94,7 @@
##### [Migrate User Accounts](migrate-user-accounts-usmt.md)
##### [Reroute Files and Settings](reroute-files-and-settings-usmt.md)
##### [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
#### [User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--troubleshooting.md)
#### [User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))
##### [Common Issues](common-issues-usmt-win8.md)
##### [Frequently Asked Questions](frequently-asked-questions-usmt-win7-usmt-win8.md)
##### [Log Files](log-files-usmt-win7-usmt-win8.md)
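Review bot: the replacement line `#### [User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))` has a doubled closing parenthesis, which leaves a stray `)` in the rendered TOC, and its new target (`guidance-and-best-practices-edp`) does not look like the right file for a Troubleshooting heading that still has `Common Issues`, `Frequently Asked Questions` and `Log Files` as children; either the link text or the target is wrong. The identical line is repeated in the USMT Related topics hunk further down this diff, so fix both together.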
@ -18,7 +18,7 @@ author: CFaw

Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft System Center 2012 R2 Configuration Manager, and how to distribute the image to a distribution point.

For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](create-a-windows-81-reference-image.md).
For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard, as the distribution point. CM01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). Our image is named REFW10-X64-001.wim. For details on building this image, please see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).

1. Using File Explorer, in the **E:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.

@ -47,23 +47,23 @@ For the purposes of this topic, we will use CM01, a machine running Windows Serv
## Related topics


[Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)

[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)

[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)

[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)

[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)

[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)

[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-81-using-pxe-and-configuration-manager.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)

[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)

[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)


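Review bot: the retitled Refresh and Replace links drop `sp1` from the target filename (`refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md`) while the link text keeps "Windows 7 SP1 client"; that matches the TOC hunk in this same commit, so it is consistent, but while this Related topics list is being edited it still omits the "Finalize the operating system configuration" and "Monitor the Windows 10 deployment" topics that the TOC lists for the same Configuration Manager section. Adding those two links here would keep the per-topic list in step with the TOC.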
@ -18,7 +18,7 @@ author: CFaw

In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.

For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).

## <a href="" id="sec01"></a>Add drivers for Windows PE

@ -84,23 +84,23 @@ Figure 23. Drivers imported and a new driver package created.
## Related topics


[Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)

[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)

[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)

[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)

[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)

[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)

[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-81-using-pxe-and-configuration-manager.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)

[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)

[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)


@ -142,9 +142,9 @@ Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe

[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)

[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-81-deployment-in-a-test-environment.md)
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)

[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-81-deployment-information.md)
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)

[Use web services in MDT](use-web-services-in-mdt-2013.md)

@ -34,7 +34,7 @@ Robocopy has options that allow for synchronization between folders. It has a si



### Linked deployment shares in MDT 2013 Update 1
### Linked deployment shares in MDT 2013 Update 2

LDS is a built-in feature in MDT for replicating content. However, LDS works best with strong connections such as LAN connections with low latency. For most WAN links, DFS-R is the better option.

@ -120,7 +120,7 @@ When you have multiple deployment servers sharing the same content, you need to
```

**Note**
The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-81.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-81-computer.md).
The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).



@ -289,15 +289,15 @@ Now you should have a solution ready for deploying the Windows 10 client to the
## Related topics


[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit--mdt-.md)
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)

[Create a Windows 10 reference image](create-a-windows-81-reference-image.md)
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)

[Deploy a Windows 10 image using MDT 2013 Update 1](deploy-a-windows-81-image-using-mdt-2013.md)
[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)

[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-81.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)

[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-81-computer.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)

[Configure MDT settings](configure-mdt-2013-settings.md)
@ -289,7 +289,7 @@ You should also reboot the machine.
## Related topics


[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--troubleshooting.md)
[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))

[Frequently Asked Questions](frequently-asked-questions-usmt-win7-usmt-win8.md)

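Review bot: `[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))` carries an extra closing parenthesis that will render as a literal `)` after the link, and a Troubleshooting link that now resolves to an EDP guidance-and-best-practices file looks like the wrong target for this Related topics entry; drop the extra `)` and confirm the intended file. The same line is introduced in the TOC hunk of this commit, so the correction applies in both places.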
@ -63,9 +63,9 @@ The purpose of this sample is not to recommend that you use the MAC Address as a

[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)

[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-81-deployment-in-a-test-environment.md)
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)

[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-81-deployment-information.md)
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)

[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)

@ -29,9 +29,9 @@ Figure 1. The machines used in this topic.

- [Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)

- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-81-deployment-in-a-test-environment.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)

- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-81-deployment-information.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)

- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)

@ -42,17 +42,17 @@ Figure 1. The machines used in this topic.
## Related topics


[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit--mdt-.md)
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)

[Create a Windows 10 reference image](create-a-windows-81-reference-image.md)
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)

[Deploy a Windows 10 image using MDT 2013 Update 1](deploy-a-windows-81-image-using-mdt-2013.md)
[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)

[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-81-deployment.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)

[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-81.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)

[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-81-computer.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)



@ -90,7 +90,7 @@ To avoid assigning a computer name longer than 15 characters, you can configure
Priority=Default
[Default]
OSInstall=YES
OSDComputerName=PC-#Left(?%SerialNumber%?,12)#
OSDComputerName=PC-#Left("%SerialNumber%",12)#
```

In the preceding sample, you still configure the rules to set the computer name to a prefix (PC-) followed by the serial number. However, by adding the Left VBScript function, you configure the rule to use only the first 12 serial-number characters for the name.
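Review bot: the replacement `OSDComputerName=PC-#Left("%SerialNumber%",12)#` restores the straight double quotes that the old line had lost to `?` characters (the usual symptom of curly quotes saved in a non-UTF-8 code page), and without them the `Left()` call inside the `#...#` markers that MDT evaluates as VBScript would not parse; make sure the file is committed as UTF-8 so the quotes survive the next round trip. Note also that `PC-` plus 12 serial-number characters exactly fills the 15-character limit this section describes, so the prefix cannot grow without shortening the substring length.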
@ -117,9 +117,9 @@ MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com

[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)

[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-81-deployment-in-a-test-environment.md)
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)

[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-81-deployment-information.md)
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)

[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)

@ -16,9 +16,9 @@ author: CFaw

- Windows 10

In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) 2013 Update 1 wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) 2013 Update 2 wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.

For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).

## <a href="" id="sec01"></a>Add DaRT 10 files and prepare to brand the boot image

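Review bot: the body sentence still reads "create a custom Windows PE 5.0 boot image" after only the MDT version was changed from Update 1 to Update 2, while this same commit renames the topic's file from `create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md` to `create-a-custom-windows-pe-boot-image-with-configuration-manager.md`; if dropping `50` from the filename means the topic is no longer specific to Windows PE 5.0, the version in the sentence should be updated or removed so the text and the filename agree.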
@ -89,23 +89,23 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
## Related topics


[Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)

[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)

[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)

[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)

[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)

[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)

[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-81-using-pxe-and-configuration-manager.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)

[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)

[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)


@ -18,7 +18,7 @@ author: CFaw

In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.

For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).

## <a href="" id="sec01"></a>Create a task sequence using the MDT Integration Wizard

@ -169,23 +169,23 @@ While creating the task sequence with the MDT wizard, a few operating system dep

## Related topics

[Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)

[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)

[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)

[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)

[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)

[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)

[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-81-using-pxe-and-configuration-manager.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)

[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)

[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)

@ -16,9 +16,14 @@ author: CFaw

- Windows 10

Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT) 2013 Update 1. You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution.
Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution.

For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md#proof).
For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation.

**Note**
For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md#proof).

![figure 1](images/mdt-08-fig01.png)

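Review bot: the newly added **Note** line still links to `deploy-windows-81-with-the-microsoft-deployment-toolkit.md#proof`, the same `-81-` path the removed sentence just above it pointed at, while the rest of this commit moves that link to `deploy-windows-10-with-the-microsoft-deployment-toolkit.md` (the matching Note added in the deploy-a-windows-10-image topic already uses the new name). As written, the note ships pointing at a file this commit is retiring; change it to `[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof)`, keeping the `#proof` anchor only if that section still exists in the renamed topic.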
@ -83,7 +88,7 @@ Figure 3. Permissions configured for the MDT\_BA user.

## <a href="" id="sec02"></a>Add the setup files

This section will show you how to populate the MDT 2013 Update 1 deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.
This section will show you how to populate the MDT 2013 Update 2 deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.

### Add the Windows 10 installation files

@ -253,7 +258,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2005 SP1

2. Create the application by running the following commands in an elevated PowerShell prompt:

``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 ? x64"
$ApplicationName = "Install - Microsoft Visual C++ 2005 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q"
$ApplicationSourcePath = "E:\Downloads\VC++2005SP1x64"
Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName
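Review bot: the `Import-MDTApplication` line at the end of this block passes `-Commandline $Commandline` while the variable two lines up is declared as `$CommandLine`; PowerShell resolves both case-insensitively so the call works, but the 2010 and 2012 blocks in this same commit write `-CommandLine $CommandLine`, so align this block (and the 2008 block, which has the same spelling) with them while its first line is being touched. The fence is also opened as ``` syntax; tagging it `powershell` would name the language the commands are actually written in.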
@ -285,7 +290,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2008 SP1

2. Create the application by running the following commands in an elevated PowerShell prompt:

``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 ? x64"
$ApplicationName = "Install - Microsoft Visual C++ 2008 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q"
$ApplicationSourcePath = "E:\Downloads\VC++2008SP1x64"
Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -Commandline $Commandline -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName
@ -317,7 +322,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2010 SP1

2. Create the application by running the following commands in an elevated PowerShell prompt:

``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 ? x64"
$ApplicationName = "Install - Microsoft Visual C++ 2010 SP1 - x64"
$CommandLine = "vcredist_x64.exe /Q"
$ApplicationSourcePath = "E:\Downloads\VC++2010SP1x64"
Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName
@ -349,7 +354,7 @@ In these steps we assume that you have downloaded Microsoft Visual C++ 2012 Upda

2. Create the application by running the following commands in an elevated PowerShell prompt:

``` syntax
$ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 ? x64"
$ApplicationName = "Install - Microsoft Visual C++ 2012 Update 4 - x64"
$CommandLine = "vcredist_x64.exe /Q"
$ApplicationSourcePath = "E:\Downloads\VC++2012Ux64"
Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName
@ -835,15 +840,15 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully

## Related topics

[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit--mdt-.md)
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)

[Deploy a Windows 10 image using MDT 2013 Update 1](deploy-a-windows-81-image-using-mdt-2013.md)
[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)

[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-81-deployment.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)

[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-81.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)

[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-81-computer.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)

[Configure MDT settings](configure-mdt-2013-settings.md)

@ -18,7 +18,7 @@ author: CFaw

Microsoft System Center 2012 R2 Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in System Center 2012 R2 Configuration Manager that you later configure the task sequence to use.

For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
For the purposes of this topic, we will use CM01, a machine running Windows Server 2012 R2 Standard that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).

**Note**
Even though the new application model is fully supported to deploy via the task sequence, the most reliable way to deploy software via the task sequence is still the legacy packages, especially if you deploy many applications.

@ -74,23 +74,23 @@ The steps below show you how to create the Adobe Reader XI application. This sec

## Related topics

[Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)

[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)

[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)

[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)

[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)

[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)

[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-81-using-pxe-and-configuration-manager.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)

[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)

[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)

@ -1,6 +1,6 @@
---
title: Deploy a Windows 10 image using MDT 2013 Update 1 (Windows 10)
description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 1 specifically.
title: Deploy a Windows 10 image using MDT 2013 Update 2 (Windows 10)
description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically.
ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c
keywords: ["deployment, automate, tools, configure"]
ms.prod: W10
@ -9,16 +9,21 @@ ms.sitesec: library
author: CFaw
---

# Deploy a Windows 10 image using MDT 2013 Update 1
# Deploy a Windows 10 image using MDT 2013 Update 2

**Applies to**

- Windows 10

This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 1 specifically. You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment.
This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment.

For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0005. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0005 is a blank machine to which you deploy Windows 10. MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0005. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0005 is a blank machine to which you deploy Windows 10. MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation.

**Note**
For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).

![figure 1](images/mdt-07-fig01.png)

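Review bot: the rewritten intro paragraph carries the garbled phrase "allows greater control of on both processes" and the article in "a MDT deployment share" over from the removed line unchanged; since the whole line is being replaced anyway, fix both in the same edit ("allows greater control over both processes", "an MDT deployment share").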
@ -48,7 +53,7 @@ These steps will show you how to configure an Active Directory account with the
3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press **Enter** after each command:

``` syntax
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned ?Force
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Set-Location C:\Setup\Scripts
.\Set-OUPermissions.ps1 -Account MDT_JD
-TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
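Review bot: `.\Set-OUPermissions.ps1 -Account MDT_JD` and `-TargetOU "OU=Workstations,OU=Computers,OU=Contoso"` sit on two separate lines inside the code block, and the step tells the reader to press **Enter** after each command; typed that way the script runs without its `-TargetOU` argument and the second line then fails on its own, so either join them on one line or end the first line with a PowerShell backtick so the continuation is explicit. On the first line, `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force` is a persistent machine-wide change for the sake of running one script; if that is all it is needed for, adding `-Scope Process` keeps the relaxed policy confined to this session.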
@ -83,7 +88,7 @@ These steps will show you how to configure an Active Directory account with the
## <a href="" id="sec02"></a>Step 2: Set up the MDT production deployment share

When you are ready to deploy Windows 10 in a production environment, you will first create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. For guidance on creating a custom Windows 10 image, see [Create a Windows 10 reference image](create-a-windows-81-reference-image.md).
When you are ready to deploy Windows 10 in a production environment, you will first create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. For guidance on creating a custom Windows 10 image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).

### Create the MDT production deployment share

@ -110,7 +115,7 @@ The next step is to add a reference image into the deployment share with the set

### Add the Windows 10 Enterprise x64 RTM custom image

In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-81-reference-image.md) topic, so you have a Windows 10 reference image in the E:\\MDTBuildLab\\Captures folder on MDT01.
In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image in the E:\\MDTBuildLab\\Captures folder on MDT01.

1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.

@ -167,7 +172,7 @@ Figure 3. The Adobe Reader application added to the Deployment Workbench.
## <a href="" id="sec05"></a>Step 5: Prepare the drivers repository

In order to deploy Windows 10 with MDT 2013 Update 1 successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:
In order to deploy Windows 10 with MDT 2013 Update 2 successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:

- Lenovo ThinkPad T420

@ -186,7 +191,7 @@ You should only add drivers to the Windows PE images if the default drivers don'

### Create the driver source structure in the file system

The key to successful management of drivers for MDT 2013 Update 1, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use.
The key to successful management of drivers for MDT 2013 Update 2, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use.

1. On MDT01, using File Explorer, create the **E:\\Drivers** folder.

@ -212,7 +217,7 @@ The key to successful management of drivers for MDT 2013 Update 1, as well as fo

- ThinkPad T420 (4178)

- Microsoft
- Microsoft Corporation

- Surface Pro 3

@ -221,9 +226,9 @@ Even if you are not going to use both x86 and x64 boot images, we still recommen

### Create the logical driver structure in MDT 2013 Update 1
### Create the logical driver structure in MDT 2013 Update 2

When you import drivers to the MDT 2013 Update 1 driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench.
When you import drivers to the MDT 2013 Update 2 driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench.

1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node.

@ -249,7 +254,7 @@ When you import drivers to the MDT 2013 Update 1 driver repository, MDT creates

- 4178

- Microsoft
- Microsoft Corporation

- Surface Pro 3

@ -621,7 +626,7 @@ If your organization has a Microsoft Software Assurance agreement, you also can

### Add DaRT 10 to the boot images

If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT 2013 Update 1, you need to do the following:
If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT 2013 Update 2, you need to do the following:

- Install DaRT 10 (part of MDOP 2015 R1).

@ -890,15 +895,15 @@ Figure 14. The partitions when deploying an UEFI-based machine.

## Related topics

[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit--mdt-.md)
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)

[Create a Windows 10 reference image](create-a-windows-81-reference-image.md)
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)

[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-81-deployment.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)

[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-81.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)

[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-81-computer.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)

[Configure MDT settings](configure-mdt-2013-settings.md)

@ -18,7 +18,7 @@ author: CFaw

In this topic, you will learn how to deploy Windows 10 using Microsoft System Center 2012 R2 Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) machine named PC0001.

For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
For the purposes of this topic, we will use two additional machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).

1. Start the PC0001 machine. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.

@ -39,23 +39,23 @@ Figure 32. Typing in the computer name.

## Related topics

[Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)

[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)

[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)

[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)

[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)

[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)

[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)

[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)

[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)

@ -16,9 +16,9 @@ author: CFaw

- Windows 10

If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 1.
If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2.

For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).



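Review bot: the rewritten "For the purposes of this topic" line still names the fourth machine as "PC003" in the sentence "DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com", while the same paragraph introduces it as PC0003; since this line is being changed anyway, correct it to PC0003 so the machine names match throughout the topic.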
@ -27,29 +27,29 @@ Figure 1. The machines used in this topic.
## In this section

- [Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
- [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)

- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)

- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)

- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)

- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)

- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)

- [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)

- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-operating-system-configuration-for-windows-81-deployment-with-configuration-manager.md)
- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)

- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-81-using-pxe-and-configuration-manager.md)
- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)

- [Monitor the Windows 10 deployment with Configuration Manager](monitor-the-windows-81-deployment-with-configuration-manager.md)
- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)

- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)

- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)

## Components of Configuration Manager operating system deployment

@ -68,11 +68,11 @@ Operating system deployment with Configuration Manager is part of the normal sof

- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.

- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT 2013 Update 1 Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-81-reference-image.md).
- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT 2013 Update 2 Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).

- **Drivers.** Like MDT 2013 Update 1 Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
- **Drivers.** Like MDT 2013 Update 2 Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.

- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT 2013 Update 1 Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT 2013 Update 1 provides additional task sequence templates to Configuration Manager.
- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT 2013 Update 2 Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT 2013 Update 2 provides additional task sequence templates to Configuration Manager.

**Note** Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.

@ -85,11 +85,11 @@ Operating system deployment with Configuration Manager is part of the normal sof

- [Windows deployment tools](windows-deployment-scenarios-and-tools.md)

- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)

- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)

- [Deploy Windows To Go in your organization](deploy-windows-to-go-in-your-organization-small-scenario.md)
- [Deploy Windows To Go in your organization](deploy-windows-to-go.md)

- [Sideload Windows Store apps](http://technet.microsoft.com/library/dn613831.aspx)

@ -1,6 +1,6 @@
---
title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10)
description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 1 specifically.
description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically.
ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb
keywords: ["deploy", "tools", "configure", "script"]
ms.prod: W10

@ -16,28 +16,28 @@ author: CFaw

- Windows 10

This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 1 specifically.
This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically.

The Microsoft Deployment Toolkit is a unified collection of tools, processes, and guidance for automating desktop and server deployment. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the Windows Assessment and Deployment Kit (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.

MDT 2013 Update 1 supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager.
MDT 2013 Update 2 supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager.

To download the latest version of MDT, visit the [MDT resource page](http://go.microsoft.com/fwlink/p/?LinkId=618117).

## In this section

- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit--mdt-.md)
- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)

- [Create a Windows 10 reference image](create-a-windows-81-reference-image.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)

- [Deploy a Windows 10 image using MDT 2013 Update 1](deploy-a-windows-81-image-using-mdt-2013.md)
- [Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)

- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-81-deployment.md)
- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)

- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-81.md)
- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)

- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-81-computer.md)
- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)

- [Configure MDT settings](configure-mdt-2013-settings.md)

@ -112,9 +112,9 @@ The information in this guide is designed to help you deploy Windows 10. In ord

[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)

[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-81-with-system-center-2012-r2-configuration-manager.md)
[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)

[Deploy Windows To Go in your organization](deploy-windows-to-go-in-your-organization-small-scenario.md)
[Deploy Windows To Go in your organization](deploy-windows-to-go.md)

[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)

@ -16,7 +16,7 @@ author: CFaw

- Windows 10

This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-feature-overview-scenario.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.
This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.

**Note**
This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see [Using Cmdlets](http://go.microsoft.com/fwlink/p/?linkid=230693).

@ -28,7 +28,7 @@ This topic includes sample Windows PowerShell cmdlets that you can use to automa

The following is a list of items that you should be aware of before you start the deployment process:

- Only use recommended USB drives for Windows To Go. Use of other drives is not supported. Check the list at [Windows To Go: feature overview](../plan/windows-to-go-feature-overview-scenario.md) for the latest USB drives certified for use as Windows To Go drives.
- Only use recommended USB drives for Windows To Go. Use of other drives is not supported. Check the list at [Windows To Go: feature overview](../plan/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives.

- After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted.

@ -1013,7 +1013,7 @@ In the PowerShell provisioning script, after the image has been applied, you can
## Related topics

[Windows To Go: feature overview](../plan/windows-to-go-feature-overview-scenario.md)
[Windows To Go: feature overview](../plan/windows-to-go-overview.md)

[Windows 10 forums](http://go.microsoft.com/fwlink/p/?LinkId=618949)

@ -18,7 +18,7 @@ author: CFaw

This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enablement of the optional Microsoft Deployment Toolkit (MDT) monitoring for Microsoft System Center 2012 R2 Configuration Manager, logs folder creation, rules configuration, content distribution, and deployment of the previously created task sequence.

For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).

## <a href="" id="sec01"></a>Enable MDT monitoring

@ -52,7 +52,7 @@ To support additional server-side logging in Configuration Manager, you create a

``` syntax
New-Item -Path E:\Logs -ItemType directory
New-SmbShare ?Name Logs$ ?Path E:\Logs -ChangeAccess EVERYONE
New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
icacls E:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
```

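Review bot: restoring `-Name` and `-Path` on the `New-SmbShare` line is the right fix for the mangled `?Name ?Path`, but the corrected line still creates the `Logs$` share with `-ChangeAccess EVERYONE` while the `icacls` line beneath it grants modify only to `CM_NAA`; since the share is being touched anyway, consider scoping the share permission to the same account (`-ChangeAccess CM_NAA`) so the share ACL is no broader than the NTFS ACL, or document why Everyone needs change access on the log share. The fence is also tagged ``` syntax; tagging it ```powershell would give the snippet proper highlighting.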
@ -163,25 +163,25 @@ Figure 30. Configure a collection variable.
## Related topics

[Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)

[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)

[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)

[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)

[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)

[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)

[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)

[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-81-using-pxe-and-configuration-manager.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)

[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)

[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)

@ -116,7 +116,7 @@ For more information, see [Conflicts and Precedence](conflicts-and-precedence-us
## Related topics

[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--troubleshooting.md)
[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))

[Extract Files from a Compressed USMT Migration Store](extract-files-from-a-compressed-usmt-migration-store.md)

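Review bot: the rewritten link in this hunk ends with a doubled closing parenthesis, `...guidance-and-best-practices-edp.md))`, which will render as a stray `)` after the link, and its text still reads "User State Migration Tool (USMT) Troubleshooting" while the target was changed from `user-state-migration-tool--usmt--troubleshooting.md` to `user-state-migration-tool--usmt--guidance-and-best-practices-edp.md`; drop the extra parenthesis and either keep the troubleshooting target or change the link text to match the new target.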
@ -1,6 +1,6 @@
---
title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10)
description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 1 in particular, as part of a Windows operating system deployment.
description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment.
ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
keywords: ["deploy", "image", "feature", "install", "tools"]
ms.prod: W10

@ -16,9 +16,9 @@ author: CFaw

- Windows 10

This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 1 in particular, as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT 2013 Update 1 also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager.
This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT 2013 Update 2 also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager.

In addition to familiarizing you with the features and options available in MDT 2013 Update 1, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process.
In addition to familiarizing you with the features and options available in MDT 2013 Update 2, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process.

For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md#proof).

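Review bot: the unchanged trailing context line of this hunk still links to `deploy-windows-81-with-the-microsoft-deployment-toolkit.md#proof`, the file that the other hunks in this commit rename to `deploy-windows-10-with-the-microsoft-deployment-toolkit.md`; update this link as well (keeping the `#proof` anchor) or it will be a dead link once the build is published.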
@ -29,26 +29,26 @@ Figure 1. The machines used in this topic.
## In this section

- [Key features in MDT 2013 Update 1](key-features-in-mdt-2013.md)
- [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)

- [MDT 2013 Update 1 Lite Touch components](mdt-2013-lite-touch-components.md)
- [MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md)

- [Prepare for deployment with MDT 2013 Update 1](prepare-for-deployment-with-mdt-2013.md)
- [Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md)

## Related topics

[Microsoft Deployment Toolkit downloads and documentation](http://go.microsoft.com/fwlink/p/?LinkId=618117)

[Create a Windows 10 reference image](create-a-windows-81-reference-image.md)
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)

[Deploy a Windows 10 image using MDT 2013 Update 1](deploy-a-windows-81-image-using-mdt-2013.md)
[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)

[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-81-deployment.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)

[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-81.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)

[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-81-computer.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)

[Configure MDT settings](configure-mdt-2013-settings.md)

@ -37,16 +37,16 @@ Learn about deploying Windows 10 for IT professionals.
<td align="left"><p>To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md)</p></td>
<td align="left"><p>This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 1 specifically.</p></td>
<td align="left"><p>[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)</p></td>
<td align="left"><p>This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-81-with-system-center-2012-r2-configuration-manager.md)</p></td>
<td align="left"><p>If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 1.</p></td>
<td align="left"><p>[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)</p></td>
<td align="left"><p>If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)</p></td>
<td align="left"><p>The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 1 task sequence to completely automate the process.</p></td>
<td align="left"><p>The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)</p></td>

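Review bot: the unchanged last row of this hunk links to `upgrade-to-windows-10-with-system-center-configuraton-manager.md`, where "configuraton" looks like a misspelling of "configuration"; confirm the target file really exists under that name, or correct the link while this table is being edited so the index does not ship a broken row.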
@ -57,8 +57,8 @@ Learn about deploying Windows 10 for IT professionals.
<td align="left"><p>With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Deploy Windows To Go in your organization](deploy-windows-to-go-in-your-organization-small-scenario.md)</p></td>
<td align="left"><p>This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-feature-overview-scenario.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.</p></td>
<td align="left"><p>[Deploy Windows To Go in your organization](deploy-windows-to-go.md)</p></td>
<td align="left"><p>This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md)</p></td>

@ -1,5 +1,5 @@
---
title: Integrate Configuration Manager with MDT 2013 Update 1 (Windows 10)
title: Integrate Configuration Manager with MDT 2013 Update 2 (Windows 10)
description: This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
keywords: ["deploy, image, customize, task sequence"]

@ -9,7 +9,7 @@ ms.sitesec: library
author: CFaw
---

# Integrate Configuration Manager with MDT 2013 Update 1
# Integrate Configuration Manager with MDT 2013 Update 2


**Applies to**
@ -18,12 +18,12 @@ author: CFaw

This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.

MDT 2013 is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-81-reference-image.md).
MDT 2013 is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).

## <a href="" id="sec01"></a>Why integrate MDT 2013 Update 1 with Configuration Manager
## <a href="" id="sec01"></a>Why integrate MDT 2013 Update 2 with Configuration Manager


As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT 2013 Update 1 adds to Configuration Manager.
As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT 2013 Update 2 adds to Configuration Manager.

### MDT enables dynamic deployment

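Review bot: the edited paragraph (the pair ending with the `create-a-windows-10-reference-image.md` link) still opens with "MDT 2013 is a free, supported download from Microsoft", while the heading and the paragraph that follow it in this same hunk are being changed to say "MDT 2013 Update 2". Since the commit is moving every Update 1 reference to Update 2, consider "MDT 2013 Update 2 is a free, supported download from Microsoft ..." so the version named in the topic is consistent.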
@ -108,23 +108,23 @@ You can create reference images for Configuration Manager in Configuration Manag
## Related topics


[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)

[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)

[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)

[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)

[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)

[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)

[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-81-using-pxe-and-configuration-manager.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)

[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)

[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)



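Review bot: this hunk rewrites only the link targets in the Related topics list (for example `create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md` becomes `create-a-custom-windows-pe-boot-image-with-configuration-manager.md`, and `refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md` becomes `refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md`); the matching file renames are not part of this diff, so please confirm every new target exists in the same change set, otherwise each entry in this list becomes a broken link. Note also that the link text keeps "Windows 7 SP1 client" while the new filenames drop "sp1"; that is acceptable as long as the filenames match the renamed topics exactly.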
@ -1,5 +1,5 @@
---
title: Key features in MDT 2013 Update 1 (Windows 10)
title: Key features in MDT 2013 Update 2 (Windows 10)
description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0.
ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868
keywords: ["deploy, feature, tools, upgrade, migrate, provisioning"]
@ -9,7 +9,7 @@ ms.sitesec: library
author: CFaw
---

# Key features in MDT 2013 Update 1
# Key features in MDT 2013 Update 2


**Applies to**
@ -77,9 +77,9 @@ MDT 2013 has many useful features, the most important of which are:
## Related topics


[Prepare for deployment with MDT 2013 Update 1](prepare-for-deployment-with-mdt-2013.md)
[Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md)

[MDT 2013 Update 1 Lite Touch components](mdt-2013-lite-touch-components.md)
[MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md)



@ -1,6 +1,6 @@
---
title: MDT 2013 Update 1 Lite Touch components (Windows 10)
description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 1 that support Lite Touch Installation (LTI) for Windows 10.
title: MDT 2013 Update 2 Lite Touch components (Windows 10)
description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10.
ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
keywords: ["deploy, install, deployment, boot, log, monitor"]
ms.prod: W10
@ -9,14 +9,14 @@ ms.sitesec: library
author: CFaw
---

# MDT 2013 Update 1 Lite Touch components
# MDT 2013 Update 2 Lite Touch components


**Applies to**

- Windows 10

This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 1 that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.
This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.

When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.

@ -153,9 +153,9 @@ On the deployment share, you also can enable monitoring. After you enable monito
## Related topics


[Key features in MDT 2013 Update 1](key-features-in-mdt-2013.md)
[Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)

[Prepare for deployment with MDT 2013 Update 1](prepare-for-deployment-with-mdt-2013.md)
[Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md)



@ -18,7 +18,7 @@ author: CFaw

In this topic, you will learn how to monitor a Windows 10 deployment that was started previously using Microsoft System Center 2012 R2 Configuration Manager and the Microsoft Deployment Toolkit (MDT) Deployment Workbench. You will also use the Deployment Workbench to access the computer remotely via the Microsoft Diagnostics and Recovery Toolkit (DaRT) Remote Connection feature.

For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
For the purposes of this topic, we will use four machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0001 is a Unified Extensible Firmware Interface (UEFI) machine to which Windows 10 Enterprise has been deployed. DC01, CM01, and PC0001 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).

To monitor an operating system deployment conducted through System Center 2012 R2 Configuration Manager, you will use the Deployment Workbench in MDT as follows:

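Review bot: the rewritten sentence still says "we will use four machines: DC01, CM01, and PC0001" but names only three machines; since this line is being touched anyway, change "four" to "three" (the equivalent sentence in the computer-refresh topic later in this commit correctly says "three machines").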
@ -55,23 +55,23 @@ To monitor an operating system deployment conducted through System Center 2012 R
## Related topics


[Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)

[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)

[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)

[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)

[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)

[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)

[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)

[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)

[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)


@ -1,6 +1,6 @@
---
title: Prepare for deployment with MDT 2013 Update 1 (Windows 10)
description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 1.
title: Prepare for deployment with MDT 2013 Update 2 (Windows 10)
description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2.
ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
keywords: ["deploy, system requirements"]
ms.prod: W10
@ -9,21 +9,21 @@ ms.sitesec: library
author: CFaw
---

# Prepare for deployment with MDT 2013 Update 1
# Prepare for deployment with MDT 2013 Update 2


**Applies to**

- Windows 10

This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 1. It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory.
This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory.

For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md#proof).

## <a href="" id="sec01"></a>System requirements


MDT 2013 Update 1 requires the following components:
MDT 2013 Update 2 requires the following components:

- Any of the following operating systems:

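Review bot: the unchanged context line "For the purposes of this topic, we will use two machines: DC01 and MDT01 ..." still links to `deploy-windows-81-with-the-microsoft-deployment-toolkit.md#proof`, while the other topics in this commit rewrite that same link to `deploy-windows-10-with-the-microsoft-deployment-toolkit.md`; update this one as well (keeping the `#proof` anchor), or it will dangle once the old file is gone. Separately, the rewritten intro sentence keeps "security permissions in the files system"; it should read "file system".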
@ -64,10 +64,10 @@ These steps assume that you have the MDT01 member server installed and configure

3. User State Migration Tool (UMST)

## <a href="" id="sec03"></a>Install MDT 2013 Update 1
## <a href="" id="sec03"></a>Install MDT 2013 Update 2


These steps assume that you have downloaded [MDT 2013 Update 1](http://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT 2013 folder on MDT01.
These steps assume that you have downloaded [MDT 2013 Update 2](http://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT 2013 folder on MDT01.

1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**.

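Review bot: the rewritten line "These steps assume that you have downloaded [MDT 2013 Update 2](http://go.microsoft.com/fwlink/p/?LinkId=618117 ) ..." changes only the link text; the fwlink ID is the same one the Update 1 line used, so please confirm that it resolves to the Update 2 download before merging, and drop the stray space before the closing parenthesis while you are there. The context line "3. User State Migration Tool (UMST)" has the acronym transposed; it should be USMT.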
@ -76,7 +76,7 @@ These steps assume that you have downloaded [MDT 2013 Update 1](http://go.micros
## <a href="" id="sec04"></a>Create the OU structure


If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT 2013 Update 1.
If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT 2013 Update 2.

1. On DC01, using Active Directory User and Computers, in the contoso.com domain level, create a top-level OU named **Contoso**.

@ -134,7 +134,7 @@ When creating a reference image, you need an account for MDT. The MDT Build Acco
## <a href="" id="sec06"></a>Create and share the logs folder


By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-81-reference-image.md).
By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).

1. On MDT01, log on as **CONTOSO\\Administrator**.

@ -166,9 +166,9 @@ Figure 9. The same log file, opened in CMTrace, is much easier to read.
## Related topics


[Key features in MDT 2013 Update 1](key-features-in-mdt-2013.md)
[Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)

[MDT 2013 Update 1 Lite Touch components](mdt-2013-lite-touch-components.md)
[MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md)


@ -1,6 +1,6 @@
---
title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10)
description: This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 1, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE).
description: This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE).
ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
keywords: ["install, configure, deploy, deployment"]
ms.prod: W10
@ -16,7 +16,7 @@ author: CFaw

- Windows 10

This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 1, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE).
This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE).

## Prerequisites

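Review bot: the rewritten sentence keeps the grammatical error "the other preparations needed to deploying Windows 10 via Zero Touch Installation"; since the line is being replaced anyway, change it to "needed to deploy Windows 10". The front-matter `description:` rewritten in the hunk just above carries the identical sentence and should be corrected together with it.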
@ -37,7 +37,7 @@ In this topic, you will use an existing Configuration Manager server structure t

- System Center 2012 R2 Configuration Manager SP1 and any additional Windows 10 prerequisites are installed.

For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01 and CM01 are both members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. DC01 and CM01 are both members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).

## <a href="" id="sec01"></a>Create the Configuration Manager service accounts

@ -82,7 +82,7 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach
2. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands, pressing **Enter** after each command:

``` syntax
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned ?Force
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

Set-Location C:\Setup\Scripts

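Review bot: replacing `?Force` with `-Force` is the right fix; the question mark is a mangled dash, and as written PowerShell would not have recognized `?Force` as a switch, so the command failed instead of suppressing the confirmation prompt. Two small follow-ups on the same block: the fence is tagged `syntax`, which gives the reader no highlighting, and `powershell` is the conventional tag; and `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force` with no `-Scope` changes the persistent LocalMachine policy on CM01. If the intent is only to let the scripts in C:\Setup\Scripts run during this setup session, adding `-Scope Process` keeps the change from outliving the session.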
@ -155,7 +155,7 @@ Figure 7. The E:\\Sources\\OSD folder structure.
## <a href="" id="sec04"></a>Integrate Configuration Manager with MDT


To extend the Configuration Manager console with MDT 2013 Update 1 wizards and templates, you install MDT 2013 Update 1 in the default location and run the integration setup. In these steps, we assume you have downloaded MDT 2013 Update 1 to the C:\\Setup\\MDT2013 folder on CM01.
To extend the Configuration Manager console with MDT 2013 Update 2 wizards and templates, you install MDT 2013 Update 2 in the default location and run the integration setup. In these steps, we assume you have downloaded MDT 2013 Update 2 to the C:\\Setup\\MDT2013 folder on CM01.

1. On CM01, log on as Administrator in the CONTOSO domain using the password **P@ssw0rd**.

@ -173,7 +173,7 @@ To extend the Configuration Manager console with MDT 2013 Update 1 wizards and t



Figure 8. Set up the MDT 2013 Update 1 integration with Configuration Manager.
Figure 8. Set up the MDT 2013 Update 2 integration with Configuration Manager.

## <a href="" id="sec06"></a>Configure the client settings

@ -249,23 +249,23 @@ Configuration Manager has many options for starting a deployment, but starting v
## Related topics


[Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)

[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)

[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)

[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)

[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)

[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)

[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-81-using-pxe-and-configuration-manager.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)

[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)

[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)


@ -1,6 +1,6 @@
---
title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
description: This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 1.
description: This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2.
ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
keywords: ["upgrade, install, installation, computer refresh"]
ms.prod: W10
@ -16,7 +16,7 @@ author: CFaw

- Windows 10

This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 1. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-81.md).
This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md).

A computer refresh with System Center 2012 R2 Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps:

@ -30,7 +30,7 @@ A computer refresh with System Center 2012 R2 Configuration Manager works the sa

5. Data and settings are restored.

For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).

In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed.

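Review bot: the rewritten sentence still reads "DC01, CM01, and PC003 are all members of the domain contoso.com" although the same sentence introduces the client as PC0003 twice and the following paragraph also calls it PC0003; correct the machine name to PC0003 while the line is being replaced.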
@ -121,23 +121,23 @@ Now you can start the computer refresh on PC0003.
|
||||
## Related topics
|
||||
|
||||
|
||||
[Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
|
||||
[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
|
||||
|
||||
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
|
||||
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
|
||||
|
||||
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
|
||||
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
|
||||
|
||||
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
|
||||
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
|
||||
|
||||
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
|
||||
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
|
||||
|
||||
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
|
||||
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
|
||||
|
||||
[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
|
||||
|
||||
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-81-using-pxe-and-configuration-manager.md)
|
||||
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
|
||||
|
||||
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
|
||||
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
|
||||
|
||||
|
||||
|
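Review bot: The last link in this Related topics list keeps the text "Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager" but its new target is `replace-a-windows-7-client-with-windows-10-using-configuration-manager.md` (no "sp1"), so the visible title and the file name no longer agree; confirm the renamed file exists under that exact name and consider aligning the link text, otherwise this will 404 after the other "-81-" targets are cleaned up.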
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
|
||||
description: This topic will show you how to use MDT 2013 Update 1 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
|
||||
description: This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
|
||||
ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
|
||||
keywords: ["reinstallation, customize, template, script, restore"]
|
||||
ms.prod: W10
|
||||
@ -16,7 +16,7 @@ author: CFaw
|
||||
|
||||
- Windows 10
|
||||
|
||||
This topic will show you how to use MDT 2013 Update 1 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version.
|
||||
This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version.
|
||||
|
||||
For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md#proof).
|
||||
|
||||
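Review bot: The body text is bumped to "MDT 2013 Update 2", but the unchanged context line immediately below it still links to `deploy-windows-81-with-the-microsoft-deployment-toolkit.md#proof`, the very file this commit renames to `deploy-windows-10-with-the-microsoft-deployment-toolkit.md` elsewhere; update that target here too (and verify the `#proof` anchor exists in the renamed file), or the refresh topic keeps a dead link.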
@ -140,15 +140,15 @@ Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
|
||||
## Related topics
|
||||
|
||||
|
||||
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit--mdt-.md)
|
||||
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
|
||||
|
||||
[Create a Windows 10 reference image](create-a-windows-81-reference-image.md)
|
||||
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
|
||||
|
||||
[Deploy a Windows 10 image using MDT 2013 Update 1](deploy-a-windows-81-image-using-mdt-2013.md)
|
||||
[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
|
||||
|
||||
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-81-deployment.md)
|
||||
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
|
||||
|
||||
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-81-computer.md)
|
||||
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
|
||||
|
||||
[Configure MDT settings](configure-mdt-2013-settings.md)
|
||||
|
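Review bot: The target for "Deploy a Windows 10 image using MDT 2013 Update 2" changes from `deploy-a-windows-81-image-using-mdt-2013.md` to `deploy-a-windows-10-image-using-mdt.md`, which drops the "-2013" suffix as well as the version, while the neighbouring unchanged link still points at `configure-mdt-2013-settings.md`; make sure the new unversioned file name is the one actually present in the tree, since this is a different rename pattern from the rest of the list.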
@ -18,9 +18,9 @@ author: CFaw
|
||||
|
||||
In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft System Center 2012 R2 Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the machine, you have to run the backup job separately from the deployment of Windows 10.
|
||||
|
||||
For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
|
||||
For the purposes of this topic, we will use three machines: DC01, CM01, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0004 is a machine with Windows 7 SP1 that will be replaced with a new machine running Windows 10. DC01, CM01, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
|
||||
|
||||
In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-81-computer.md).
|
||||
In this topic, you will create a backup-only task sequence that you run on PC0004, the machine you are replacing. For more information, see [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
|
||||
|
||||
## <a href="" id="sec01"></a>Create a replace task sequence
|
||||
|
||||
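Review bot: The unchanged context sentence "you will learn how to replacing a Windows 7 SP1 computer" is ungrammatical; since this hunk already touches the next paragraph, change it to "how to replace a Windows 7 SP1 computer" in the same commit.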
@ -158,7 +158,7 @@ This section assumes that you have a machine named PC0004 with the Configuration
|
||||
2. In the **Actions** tab, select the **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and click **OK**.
|
||||
|
||||
**Note**
|
||||
You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md).
|
||||
You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
|
||||
|
||||
|
||||
|
||||
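Review bot: The note's link text still says "Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager" while the new target is `refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md` without "sp1"; verify the renamed file exists under that name so the cross-reference from the replace topic resolves.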
@ -203,23 +203,23 @@ When the process is complete, you will have a new Windows 10 machine in your dom
|
||||
## Related topics
|
||||
|
||||
|
||||
[Integrate Configuration Manager with MDT 2013 Update 1](integrate-configuration-manager-with-mdt-2013.md)
|
||||
[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
|
||||
|
||||
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-81-with-configuration-manager.md)
|
||||
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
|
||||
|
||||
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-50-boot-image-with-configuration-manager.md)
|
||||
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
|
||||
|
||||
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-81-operating-system-image-using-configuration-manager.md)
|
||||
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
|
||||
|
||||
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-81-using-configuration-manager.md)
|
||||
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
|
||||
|
||||
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-81-deployment-with-windows-pe-using-configuration-manager.md)
|
||||
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
|
||||
|
||||
[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
|
||||
|
||||
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-81-using-pxe-and-configuration-manager.md)
|
||||
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
|
||||
|
||||
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md)
|
||||
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
|
||||
|
||||
|
||||
|
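Review bot: Same issue as in the refresh topic's list: the final entry renames `refresh-a-windows-7-sp1-client-with-windows-81-using-configuration-manager.md` to `refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md`, dropping "sp1" from the file name while the link text keeps "SP1"; the two lists should be updated from one source so that both resolve to the same file.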
@ -159,15 +159,15 @@ During a computer replace, these are the high-level steps that occur:
|
||||
## Related topics
|
||||
|
||||
|
||||
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit--mdt-.md)
|
||||
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
|
||||
|
||||
[Create a Windows 10 reference image](create-a-windows-81-reference-image.md)
|
||||
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
|
||||
|
||||
[Deploy a Windows 10 image using MDT 2013 Update 1](deploy-a-windows-81-image-using-mdt-2013.md)
|
||||
[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
|
||||
|
||||
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-81-deployment.md)
|
||||
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
|
||||
|
||||
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-81.md)
|
||||
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
|
||||
|
||||
[Configure MDT settings](configure-mdt-2013-settings.md)
|
||||
|
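Review bot: This list points "Deploy a Windows 10 image using MDT 2013 Update 2" at `deploy-a-windows-10-image-using-mdt.md`, the unversioned name, while the TOC and other topics in this commit still use versioned names such as `configure-mdt-2013-settings.md`; confirm the file actually exists under the unversioned name, since a mismatch here would break navigation from the replace topic.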
@ -767,7 +767,7 @@ The following table lists each return code by numeric value, along with the asso
|
||||
## Related topics
|
||||
|
||||
|
||||
[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--troubleshooting.md)
|
||||
[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))
|
||||
|
||||
[Log Files](log-files-usmt-win7-usmt-win8.md)
|
||||
|
||||
|
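Review bot: The new target for "User State Migration Tool (USMT) Troubleshooting" is `user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))`, which has a doubled closing parenthesis that breaks the markdown link and, worse, points a USMT troubleshooting link at an enterprise data protection guidance page; restore the troubleshooting target (or whatever it was renamed to) and drop the extra `)`.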
@ -198,9 +198,9 @@ When configuring a task sequence to run any BitLocker tool, either directly or u
|
||||
|
||||
[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
|
||||
|
||||
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-81-deployment-in-a-test-environment.md)
|
||||
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
|
||||
|
||||
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-81-deployment-information.md)
|
||||
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
|
||||
|
||||
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
|
||||
|
||||
|
@ -73,7 +73,7 @@ Figure 7. The ZTIGather.log file from PC0001, displaying some of its hardware ca
|
||||
|
||||
[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
|
||||
|
||||
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-81-deployment-information.md)
|
||||
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
|
||||
|
||||
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
|
||||
|
@ -20,7 +20,7 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi
|
||||
## Proof-of-concept environment
|
||||
|
||||
|
||||
For the purposes of this topic, we will use four machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
|
||||
For the purposes of this topic, we will use four machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
|
||||
|
||||

|
||||
|
||||
|
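Review bot: The paragraph says "we will use four machines" but then lists only three (DC01, CM01, and PC0003); since this line is already being rewritten for the link target, correct the count or name the fourth machine in the same edit.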
@ -16,12 +16,12 @@ author: CFaw
|
||||
|
||||
- Windows 10
|
||||
|
||||
The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 1 task sequence to completely automate the process.
|
||||
The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process.
|
||||
|
||||
## Proof-of-concept environment
|
||||
|
||||
|
||||
For the purposes of this topic, we will use four machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md).
|
||||
For the purposes of this topic, we will use four machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
|
||||
|
||||

|
||||
|
||||
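Review bot: As in the Configuration Manager upgrade topic, "we will use four machines: DC01, MDT01, and PC0001" names only three machines; fix the count while the line is being touched. The `deploy-windows-10-with-the-microsoft-deployment-toolkit.md` target itself matches the rename used elsewhere in this commit.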
@ -30,7 +30,7 @@ Figure 1. The machines used in this topic.
|
||||
## Set up the upgrade task sequence
|
||||
|
||||
|
||||
MDT 2013 Update 1 adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple.
|
||||
MDT 2013 Update 2 adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple.
|
||||
|
||||
## Create the MDT production deployment share
|
||||
|
||||
|
@ -232,9 +232,9 @@ Figure 32. The ready-made task sequence.
|
||||
|
||||
[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
|
||||
|
||||
[Simulate a Windows10 deployment in a test environment](simulate-a-windows-81-deployment-in-a-test-environment.md)
|
||||
[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
|
||||
|
||||
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-81-deployment-information.md)
|
||||
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
|
||||
|
||||
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
|
||||
|
||||
|
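Review bot: The link text "Simulate a Windows10 deployment in a test environment" is missing the space in "Windows 10" in both the old and new line; since the line is being changed anyway, fix the text to match the other topics' "Simulate a Windows 10 deployment in a test environment".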
@ -109,7 +109,7 @@ Figure 11. Adding the PC00075 computer to the database.
|
||||
|
||||
[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
|
||||
|
||||
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-81-deployment-in-a-test-environment.md)
|
||||
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
|
||||
|
||||
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
|
||||
|
@ -160,9 +160,9 @@ Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
|
||||
|
||||
[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
|
||||
|
||||
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-81-deployment-in-a-test-environment.md)
|
||||
[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
|
||||
|
||||
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-81-deployment-information.md)
|
||||
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
|
||||
|
||||
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
|
||||
|
||||
|
@ -64,7 +64,7 @@ The following table lists topics that describe how to use User State Migration T
|
||||
|
||||
[User State Migration Tool (USMT) Overview Topics](user-state-migration-tool--usmt--overview-topics.md)
|
||||
|
||||
[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--troubleshooting.md)
|
||||
[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))
|
||||
|
||||
[User State Migration Toolkit (USMT) Reference](user-state-migration-toolkit--usmt--reference.md)
|
||||
|
||||
|
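Review bot: Same broken replacement as in the USMT return codes topic: the Troubleshooting link now targets `user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))` with a stray `)` and the wrong page; this looks like a search-and-replace that matched the wrong pattern, so revert it to the troubleshooting file.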
@ -44,7 +44,7 @@ The User State Migration Tool (USMT) 10.0 provides a highly customizable user-p
|
||||
|
||||
[User State Migration Tool (USMT) How-to topics](user-state-migration-tool--usmt--how-to-topics.md)
|
||||
|
||||
[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--troubleshooting.md)
|
||||
[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))
|
||||
|
||||
[User State Migration Toolkit (USMT) Reference](user-state-migration-toolkit--usmt--reference.md)
|
||||
|
||||
|
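Review bot: The USMT Troubleshooting link is again redirected to `user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))`; the doubled `)` renders literally and the EDP guidance page is not the troubleshooting topic the link text promises. Fix the target and the parenthesis here as in the other USMT topics.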
@ -53,7 +53,7 @@ USMT 10.0 tools can be used on several versions of Windows operating systems, fo
|
||||
<td align="left"><p>Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--troubleshooting.md)</p></td>
|
||||
<td align="left"><p>[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))</p></td>
|
||||
<td align="left"><p>Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
|
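Review bot: Inside the HTML table cell the Troubleshooting entry becomes `[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))`, so the extra `)` will appear in the rendered cell and the row's description ("answers to frequently asked questions ... return codes used in USMT") no longer matches the EDP page it links to; point it back at the troubleshooting topic.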
@ -60,7 +60,7 @@ author: CFaw
|
||||
|
||||
[User State Migration Tool (USMT) How-to topics](user-state-migration-tool--usmt--how-to-topics.md)
|
||||
|
||||
[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--troubleshooting.md)
|
||||
[User State Migration Tool (USMT) Troubleshooting](user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))
|
||||
|
||||
|
||||
|
||||
|
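Review bot: Fifth occurrence of the same mistaken replacement: the Troubleshooting link is pointed at `user-state-migration-tool--usmt--guidance-and-best-practices-edp.md))`; fix the target and remove the doubled `)` consistently across all the USMT topics in this commit.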
@ -67,7 +67,7 @@ While the initial Windows 10 release includes a variety of provisioning setting
|
||||
## Traditional deployment
|
||||
|
||||
|
||||
New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-81-with-system-center-2012-r2-configuration-manager.md).
|
||||
New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
|
||||
|
||||
With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.
|
||||
|
||||
@ -127,7 +127,7 @@ The deployment process for the replace scenario is as follows:
|
||||
|
||||
[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=620230)
|
||||
|
||||
[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-81-with-the-microsoft-deployment-toolkit.md)
|
||||
[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
|
||||
|
||||
[Windows setup technical reference](http://go.microsoft.com/fwlink/p/?LinkId=619357)
|
||||
|
||||
|
@ -14,7 +14,7 @@ author: CFaw
|
||||
|
||||
To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment.
|
||||
|
||||
Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT) 2013 Update 1](deploy-windows-81-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-81-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution.
|
||||
Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT) 2013 Update 1](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution.
|
||||
|
||||
In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations
|
||||
|
||||
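Review bot: The rewritten sentence still says "Microsoft Deployment Toolkit (MDT) 2013 Update 1" while the rest of this commit bumps the MDT references to "2013 Update 2"; since this line is already being edited for the `deploy-windows-10-with-the-microsoft-deployment-toolkit.md` target, update the version text in the same change.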
@ -330,7 +330,7 @@ For more information on UEFI, see the [UEFI firmware](http://go.microsoft.com/fw
|
||||
|
||||
[Update Windows 10 images with provisioning packages](update-windows-10-images-with-provisioning-packages.md)
|
||||
|
||||
[Deploy Windows To Go](deploy-windows-to-go-in-your-organization-small-scenario.md)
|
||||
[Deploy Windows To Go](deploy-windows-to-go.md)
|
||||
|
||||
[Sideload apps in Windows 10](sideload-apps-in-windows-10.md)
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
# [Keep Windows 10 secure](index.md)
|
||||
## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md)
|
||||
## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-an-enterprise.md)
|
||||
## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md))
|
||||
## [Device Guard certification and compliance](device-guard-certification-and-compliance.md)
|
||||
### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md)
|
||||
### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md)
|
||||
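Review bot: The new TOC entry `## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md))` has a doubled closing parenthesis, which will leave a stray `)` after the link in the rendered TOC; drop the extra character.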
@ -11,14 +11,24 @@
|
||||
### [Microsoft Passport and password changes](microsoft-passport-and-password-changes.md)
|
||||
### [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
|
||||
### [Event ID 300 - Passport successfully created](passport-event-300.md)
|
||||
## [Windows Hello biometrics in the enterprise](windows-hello-biometrics-in-the-enterprise.md)
|
||||
## [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md))
|
||||
## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
|
||||
## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
|
||||
## [Protect derived domain credentials with Credential Guard](credential-guard.md)
|
||||
## [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md))
|
||||
### [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md))
|
||||
#### [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md))
|
||||
##### [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md))
|
||||
##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md))
|
||||
##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md))
|
||||
#### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md))
|
||||
### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md))
|
||||
#### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md))
|
||||
#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md))
|
||||
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
|
||||
## [VPN profile options](vpn-profile-options.md)
|
||||
## [Security technologies](security-technologies.md)
|
||||
### [AppLocker](applocker-overview-server.md)
|
||||
### [AppLocker](applocker-overview.md)
|
||||
#### [Administer AppLocker](administer-applocker.md)
|
||||
##### [Maintain AppLocker policies](maintain-applocker-policies.md)
|
||||
##### [Edit an AppLocker policy](edit-an-applocker-policy.md)
|
||||
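Review bot: Every newly added or renamed entry in this hunk carries a doubled closing parenthesis (`windows-hello-in-enterprise.md))`, `protect-enterprise-data-using-edp.md))`, `overview-create-edp-policy.md))`, and each of the EDP sub-entries), which will render as a literal `)` after each TOC link; strip the extra `)` from all of them before merging. The unchanged entry `use-windows-event-forwarding-to-assist-in-instrusion-detection.md` also misspells "intrusion", worth checking against the actual file name.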
@ -78,7 +88,7 @@
|
||||
##### [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
|
||||
###### [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
|
||||
####### [Determine which apps are digitally signed on a reference device](determine-which-applications-are-digitally-signed-on-a-reference-computer.md)
|
||||
####### [Configure the AppLocker reference device](configure-the-applocker-reference-computer-ops.md)
|
||||
####### [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md)
|
||||
#### [AppLocker technical reference](applocker-technical-reference.md)
|
||||
##### [What Is AppLocker?](what-is-applocker.md)
|
||||
##### [Requirements to use AppLocker](requirements-to-use-applocker.md)
|
||||
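Review bot: The new target `configure-the-appLocker-reference-device.md` has a capital "L" in "appLocker", unlike every other AppLocker file name in this TOC, which is all lower case; on a case-sensitive build host this will not resolve unless the file was really created with that casing, so normalise it to `configure-the-applocker-reference-device.md`.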
@ -105,11 +115,11 @@
|
||||
##### [Tools to Use with AppLocker](tools-to-use-with-applocker.md)
|
||||
###### [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md)
|
||||
##### [AppLocker Settings](applocker-settings.md)
|
||||
### [BitLocker](bitlocker-overview-roletech-overview.md)
|
||||
#### [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions--faq-.md)
|
||||
### [BitLocker](bitlocker-overview.md)
|
||||
#### [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
|
||||
#### [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
|
||||
#### [BitLocker basic deployment](bitlocker-basic-deployment.md)
|
||||
#### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server-2012.md)
|
||||
#### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)
|
||||
#### [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
|
||||
#### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
|
||||
#### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
|
||||
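Review bot: this hunk retires the targets `bitlocker-overview-roletech-overview.md`, `bitlocker-frequently-asked-questions--faq-.md` and `bitlocker-how-to-deploy-on-windows-server-2012.md` with no visible redirect entries; confirm that redirects exist for the old paths or that no other topic (and no published URL) still links to them, otherwise the rename produces dead links.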
@ -122,7 +132,7 @@
|
||||
##### [Choose the Right BitLocker Countermeasure](choose-the-right-bitlocker-countermeasure.md)
|
||||
#### [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
|
||||
### [Encrypted Hard Drive](encrypted-hard-drive.md)
|
||||
### [Security auditing](security-auditing-overview-glbl.md)
|
||||
### [Security auditing](security-auditing-overview.md)
|
||||
#### [Basic security audit policies](basic-security-audit-policies.md)
|
||||
##### [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md)
|
||||
##### [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md)
|
||||
@ -152,9 +162,9 @@
|
||||
###### [Monitor claim types](monitor-claim-types.md)
|
||||
##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
|
||||
###### [Audit Credential Validation](audit-credential-validation.md)
|
||||
###### [Audit Kerberos Authentication Service ](audit-kerberos-authentication-service-sec-audit.md)
|
||||
###### [Audit Kerberos Authentication Service ](audit-kerberos-authentication-service.md)
|
||||
###### [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
|
||||
###### [Audit Other Account Logon Events ](audit-other-account-logon-events-sec-audit.md)
|
||||
###### [Audit Other Account Logon Events ](audit-other-account-logon-events.md)
|
||||
###### [Audit Application Group Management](audit-application-group-management.md)
|
||||
###### [Audit Computer Account Management](audit-computer-account-management.md)
|
||||
###### [Audit Distribution Group Management](audit-distribution-group-management.md)
|
||||
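Review bot: the rewritten entries `[Audit Kerberos Authentication Service ]` and `[Audit Other Account Logon Events ]` keep a trailing space inside the link text that was carried over from the removed lines; trim it while the lines are being touched. The same trailing space recurs in the audit subcategory hunks that follow (Audit Process Termination, Audit Account Lockout, Audit Detailed File Share, Audit Filtering Platform Packet Drop, Audit Kernel Object, Audit SAM, the three Privilege Use entries and the two Global Object Access Auditing entries).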
@ -164,13 +174,13 @@
|
||||
###### [Audit DPAPI Activity](audit-dpapi-activity.md)
|
||||
###### [Audit PNP Activity](audit-pnp-activity.md)
|
||||
###### [Audit Process Creation](audit-process-creation.md)
|
||||
###### [Audit Process Termination ](audit-process-termination-sec-audit.md)
|
||||
###### [Audit Process Termination ](audit-process-termination.md)
|
||||
###### [Audit RPC Events](audit-rpc-events.md)
|
||||
###### [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
|
||||
###### [Audit Directory Service Access](audit-directory-service-access.md)
|
||||
###### [Audit Directory Service Changes](audit-directory-service-changes.md)
|
||||
###### [Audit Directory Service Replication](audit-directory-service-replication.md)
|
||||
###### [Audit Account Lockout ](audit-account-lockout-sec-audit.md)
|
||||
###### [Audit Account Lockout ](audit-account-lockout.md)
|
||||
###### [Audit User/Device Claims](audit-user-device-claims.md)
|
||||
###### [Audit Group Membership](audit-group-membership.md)
|
||||
###### [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
|
||||
@ -183,17 +193,17 @@
|
||||
###### [Audit Special Logon](audit-special-logon.md)
|
||||
###### [Audit Application Generated](audit-application-generated.md)
|
||||
###### [Audit Certification Services](audit-certification-services.md)
|
||||
###### [Audit Detailed File Share ](audit-detailed-file-share-sec-audit.md)
|
||||
###### [Audit Detailed File Share ](audit-detailed-file-share.md)
|
||||
###### [Audit File Share](audit-file-share.md)
|
||||
###### [Audit File System](audit-file-system.md)
|
||||
###### [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
|
||||
###### [Audit Filtering Platform Packet Drop ](audit-filtering-platform-packet-drop-sec-audit.md)
|
||||
###### [Audit Filtering Platform Packet Drop ](audit-filtering-platform-packet-drop.md)
|
||||
###### [Audit Handle Manipulation](audit-handle-manipulation.md)
|
||||
###### [Audit Kernel Object ](audit-kernel-object-sec-audit.md)
|
||||
###### [Audit Kernel Object ](audit-kernel-object.md)
|
||||
###### [Audit Other Object Access Events](audit-other-object-access-events.md)
|
||||
###### [Audit Registry](audit-registry.md)
|
||||
###### [Audit Removable Storage](audit-removable-storage.md)
|
||||
###### [Audit SAM ](audit-sam-sec-audit.md)
|
||||
###### [Audit SAM ](audit-sam.md)
|
||||
###### [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
|
||||
###### [Audit Audit Policy Change](audit-audit-policy-change.md)
|
||||
###### [Audit Authentication Policy Change](audit-authentication-policy-change.md)
|
||||
@ -201,16 +211,16 @@
|
||||
###### [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
|
||||
###### [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
|
||||
###### [Audit Other Policy Change Events](audit-other-policy-change-events.md)
|
||||
###### [Audit Sensitive Privilege Use ](audit-sensitive-privilege-use-sec-audit.md)
|
||||
###### [Audit Non-Sensitive Privilege Use ](audit-non-sensitive-privilege-use-sec-audit.md)
|
||||
###### [Audit Other Privilege Use Events ](audit-other-privilege-use-events-sec-audit.md)
|
||||
###### [Audit Sensitive Privilege Use ](audit-sensitive-privilege-use.md)
|
||||
###### [Audit Non-Sensitive Privilege Use ](audit-non-sensitive-privilege-use.md)
|
||||
###### [Audit Other Privilege Use Events ](audit-other-privilege-use-events.md)
|
||||
###### [Audit IPsec Driver](audit-ipsec-driver.md)
|
||||
###### [Audit Other System Events](audit-other-system-events.md)
|
||||
###### [Audit Security State Change](audit-security-state-change.md)
|
||||
###### [Audit Security System Extension](audit-security-system-extension.md)
|
||||
###### [Audit System Integrity](audit-system-integrity.md)
|
||||
###### [Registry (Global Object Access Auditing) ](registry--global-object-access-auditing--sec-audit.md)
|
||||
###### [File System (Global Object Access Auditing) ](file-system--global-object-access-auditing--sec-audit.md)
|
||||
###### [Registry (Global Object Access Auditing) ](registry-global-object-access-auditing.md)
|
||||
###### [File System (Global Object Access Auditing) ](file-system-global-object-access-auditing.md)
|
||||
### [Security policy settings](security-policy-settings.md)
|
||||
#### [Administer security policy settings](administer-security-policy-settings.md)
|
||||
##### [Network List Manager policies](network-list-manager-policies.md)
|
||||
@ -246,8 +256,8 @@
|
||||
###### [Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md)
|
||||
###### [Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings](audit-force-audit-policy-subcategory-settings-to-override.md)
|
||||
###### [Audit: Shut down system immediately if unable to log security audits](audit-shut-down-system-immediately-if-unable-to-log-security-audits.md)
|
||||
###### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language--sddl--syntax.md)
|
||||
###### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language--sddl--syntax.md)
|
||||
###### [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
|
||||
###### [DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md)
|
||||
###### [Devices: Allow undock without having to log on](devices-allow-undock-without-having-to-log-on.md)
|
||||
###### [Devices: Allowed to format and eject removable media](devices-allowed-to-format-and-eject-removable-media.md)
|
||||
###### [Devices: Prevent users from installing printer drivers](devices-prevent-users-from-installing-printer-drivers.md)
|
||||
@ -256,12 +266,12 @@
|
||||
###### [Domain controller: Allow server operators to schedule tasks](domain-controller-allow-server-operators-to-schedule-tasks.md)
|
||||
###### [Domain controller: LDAP server signing requirements](domain-controller-ldap-server-signing-requirements.md)
|
||||
###### [Domain controller: Refuse machine account password changes](domain-controller-refuse-machine-account-password-changes.md)
|
||||
###### [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md)
|
||||
###### [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data--when-possible.md)
|
||||
###### [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data--when-possible.md)
|
||||
###### [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
|
||||
###### [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
|
||||
###### [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
|
||||
###### [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md)
|
||||
###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)
|
||||
###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong--windows-2000-or-later--session-key.md)
|
||||
###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
|
||||
###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
|
||||
###### [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)
|
||||
###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
|
||||
@ -269,18 +279,18 @@
|
||||
###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
|
||||
###### [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md)
|
||||
###### [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)
|
||||
###### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache--in-case-domain-controller-is-not-available.md)
|
||||
###### [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)
|
||||
###### [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)
|
||||
###### [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)
|
||||
###### [Interactive logon: Require smart card](interactive-logon-require-smart-card.md)
|
||||
###### [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md)
|
||||
###### [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications--always.md)
|
||||
###### [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications--if-server-agrees.md)
|
||||
###### [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md)
|
||||
###### [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-if-server-agrees.md)
|
||||
###### [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)
|
||||
###### [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)
|
||||
###### [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)
|
||||
###### [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications--always.md)
|
||||
###### [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications--if-client-agrees.md)
|
||||
###### [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)
|
||||
###### [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-if-client-agrees.md)
|
||||
###### [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)
|
||||
###### [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)
|
||||
###### [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)
|
||||
@ -302,8 +312,8 @@
|
||||
###### [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)
|
||||
###### [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)
|
||||
###### [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md)
|
||||
###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based--including-secure-rpc--clients.md)
|
||||
###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based--including-secure-rpc--servers.md)
|
||||
###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)
|
||||
###### [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)
|
||||
###### [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)
|
||||
###### [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)
|
||||
###### [Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)
|
||||
@ -318,7 +328,7 @@
|
||||
###### [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)
|
||||
###### [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)
|
||||
###### [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)
|
||||
###### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects--eg-symbolic-links.md)
|
||||
###### [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)
|
||||
###### [System settings: Optional subsystems](system-settings-optional-subsystems.md)
|
||||
###### [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)
|
||||
###### [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)
|
||||
@ -377,17 +387,17 @@
|
||||
###### [Shut down the system](shut-down-the-system.md)
|
||||
###### [Synchronize directory service data](synchronize-directory-service-data.md)
|
||||
###### [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md)
|
||||
### [Trusted Platform Module](trusted-platform-module-technology-overview.md)
|
||||
#### [TPM fundamentals](tpm-fundamentals-windows-8.md)
|
||||
### [Trusted Platform Module](trusted-platform-module-overview.md)
|
||||
#### [TPM fundamentals](tpm-fundamentals.md)
|
||||
#### [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)
|
||||
#### [AD DS schema extensions to support TPM backup](schema-extensions-for-windows-server-2008-r2-to-support-ad-ds-backup-of-tpm-information-from-windows-8-clients.md)
|
||||
#### [Backup the TPM recovery Information to AD DS](backup-thetpm-recovery-information-to-ad-ds.md)
|
||||
#### [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)
|
||||
#### [Backup the TPM recovery Information to AD DS](backup-tpm-recovery-information-to-ad-ds.md)
|
||||
#### [Manage TPM commands](manage-tpm-commands.md)
|
||||
#### [Manage TPM lockout](manage-tpm-lockout.md)
|
||||
#### [Change the TPM owner password](change-the-tpm-owner-password.md)
|
||||
#### [Initialize and configure ownership of the TPM](initialize-and-configure-ownership-of-the-tpm.md)
|
||||
#### [Switch PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md)
|
||||
#### [TPM recommendations](trusted-platform-module--tpm-2-0--.md)
|
||||
#### [TPM recommendations](tpm-recommendations.md)
|
||||
### [User Account Control](user-account-control-overview.md)
|
||||
#### [How User Account Control works](how-user-account-control-works.md)
|
||||
#### [User Account Control security policy settings](user-account-control-security-policy-settings.md)
|
||||
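Review bot: the rewritten entry `[Backup the TPM recovery Information to AD DS](backup-tpm-recovery-information-to-ad-ds.md)` fixes the file name but keeps a title that uses `Backup` as a verb and has a stray capital in `Information`; since the line is being changed anyway, make the title `Back up the TPM recovery information to AD DS`. Likewise `[TPM recommendations](tpm-recommendations.md)` replaces `trusted-platform-module--tpm-2-0--.md`, so that old path needs a redirect as well.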
@ -395,7 +405,7 @@
|
||||
#### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
|
||||
#### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
|
||||
#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
|
||||
## [Enterprise security guides](enterprise-security-guides-portal.md)
|
||||
## [Enterprise security guides](windows-10-enterprise-security-guides.md)
|
||||
### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
|
||||
### [Device Guard deployment guide](device-guard-deployment-guide.md)
|
||||
### [Microsoft Passport guide](microsoft-passport-guide.md)
|
||||
|
@ -0,0 +1,162 @@
|
||||
---
|
||||
title: Add multiple apps to your enterprise data protection (EDP) Protected Apps list (Windows 10)
|
||||
description: Add multiple apps to your enterprise data protection (EDP) Protected Apps list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker Group Policy.
|
||||
ms.assetid: B50DB35D-A2A9-4B78-A95D-A1B066E66880
|
||||
keywords: ["EDP", "Enterprise Data Protection", "protected apps", "protected app list"]
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Add multiple apps to your enterprise data protection (EDP) Protected Apps list
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Insider Preview
|
||||
- Windows 10 Mobile Preview
|
||||
|
||||
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows SDK Insider Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]
|
||||
|
||||
Add multiple apps to your enterprise data protection (EDP) **Protected Apps** list at the same time, by using the Microsoft Intune Custom URI functionality and the AppLocker Group Policy. For more info about how to create a custom URI using Intune, see [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/?LinkID=691330).
|
||||
|
||||
**Important**
|
||||
Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
|
||||
|
||||
If you only want to add one app at a time, you can follow the instructions in the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)) topic.
|
||||
|
||||
|
||||
|
||||
**To add Universal Windows Platform (UWP) apps**
|
||||
|
||||
1. Go to the AppLocker Group Policy UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**.
|
||||
|
||||
2. Double-click **Application Control Policies**, double-click **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**.
|
||||
|
||||
The **Automatically Generate Packaged app Rules** wizard opens, letting you create EDP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
|
||||
|
||||
3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
|
||||
|
||||
You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
|
||||
|
||||
4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
|
||||
|
||||
This name should be easily recognizable, such as *EDP\_UniversalApps\_Rules*.
|
||||
|
||||
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
|
||||
|
||||
**Important**
|
||||
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
|
||||
|
||||
|
||||
|
||||
**Note**
|
||||
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
|
||||
|
||||
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
|
||||
|
||||
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
|
||||
|
||||
|
||||
|
||||
6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
|
||||
|
||||
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
|
||||
|
||||
**Important** Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
|
||||
|
||||
|
||||
|
||||
8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
|
||||
|
||||
9. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
|
||||
|
||||
10. In the **Add one or more OMA-URI settings that control functionality on Windows devices** box, click **Add**.
|
||||
|
||||
11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**.
|
||||
|
||||
12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>/StoreApp EXE`.
|
||||
|
||||
13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
|
||||
|
||||
14. Copy the text that has a **Type** of Appx, within the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
|
||||
|
||||
``` syntax
|
||||
<RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
|
||||
```
|
||||
|
||||
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
|
||||
|
||||
After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)) topic.
|
||||
|
||||
**To add Classic Windows applications**
|
||||
|
||||
1. Go to the AppLocker Group Policy UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**.
|
||||
|
||||
2. Double-click **Application Control Policies**, double-click **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.
|
||||
|
||||
The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder.
|
||||
|
||||
3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
|
||||
|
||||
You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
|
||||
|
||||
4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
|
||||
|
||||
This name should be easily recognizable, such as *EDP\_ClassicApps\_Rules*.
|
||||
|
||||
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
|
||||
|
||||
**Important**
|
||||
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
|
||||
|
||||
|
||||
|
||||
**Note**
|
||||
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
|
||||
|
||||
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
|
||||
|
||||
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass EDP by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
|
||||
|
||||
|
||||
|
||||
6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
|
||||
|
||||
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.

**Important** Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.

8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.

9. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.

10. In the **Add one or more OMA-URI settings that control functionality on Windows devices** box, click **Add**.

11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**.

12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>/EXE`.

13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.

14. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:

``` syntax
<RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
```

15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)) topic.
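Review bot: the closing link `[Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md))` has a doubled `)`, which leaves a stray parenthesis in the rendered text; drop one. Step 14 should also say to paste only the `<RuleCollection Type="Exe" ...>` element: the exported policy contains the other rule collections as well, and the OMA-URI in step 12 is the `/EXE` node, so pasting the whole export into it would not match the node. Minor wording: "within in the **RuleCollection** tags" in step 14, and step 7 says "clear" where the Important box says "delete" the local AppLocker rules; use one term so readers do not think these are different actions.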
@ -37,7 +37,7 @@ Configuring policy settings in this category can help you document attempts to a
- [Audit Credential Validation](audit-credential-validation.md)

- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service-sec-audit.md)
- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)

- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
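Review bot: this hunk, and the matching ones below in the security-auditing overview, Audit Kernel Object and Audit Sensitive Privilege Use topics, retarget links from the `-sec-audit.md` filenames to the shorter ones; the commit needs redirects (or the old files kept) for the `-sec-audit` URLs that are already indexed, otherwise external links to them break. Also confirm each new target exists in this commit, since only the link text is changed here and a missing target would not be caught until the build.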
@ -69,7 +69,7 @@ Detailed Tracking security policy settings and audit events can be used to monit
- [Audit Process Creation](audit-process-creation.md)

- [Audit Process Termination](audit-process-termination-sec-audit.md)
- [Audit Process Termination](audit-process-termination.md)

- [Audit RPC Events](audit-rpc-events.md)
@ -89,7 +89,7 @@ DS Access security audit policy settings provide a detailed audit trail of attem
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:

- [Audit Account Lockout](audit-account-lockout-sec-audit.md)
- [Audit Account Lockout](audit-account-lockout.md)

- [Audit User/Device Claims](audit-user-device-claims.md)
@ -123,7 +123,7 @@ This category includes the following subcategories:
- [Audit Certification Services](audit-certification-services.md)

- [Audit Detailed File Share](audit-detailed-file-share-sec-audit.md)
- [Audit Detailed File Share](audit-detailed-file-share.md)

- [Audit File Share](audit-file-share.md)
@ -131,11 +131,11 @@ This category includes the following subcategories:
- [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)

- [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop-sec-audit.md)
- [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)

- [Audit Handle Manipulation](audit-handle-manipulation.md)

- [Audit Kernel Object](audit-kernel-object-sec-audit.md)
- [Audit Kernel Object](audit-kernel-object.md)

- [Audit Other Object Access Events](audit-other-object-access-events.md)
@ -143,7 +143,7 @@ This category includes the following subcategories:
- [Audit Removable Storage](audit-removable-storage.md)

- [Audit SAM](audit-sam-sec-audit.md)
- [Audit SAM](audit-sam.md)

- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
@ -167,11 +167,11 @@ Policy Change audit events allow you to track changes to important security poli
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:

- [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use-sec-audit.md)
- [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)

- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use-sec-audit.md)
- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)

- [Audit Other Privilege Use Events](audit-other-privilege-use-events-sec-audit.md)
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)

**System**
@ -202,9 +202,9 @@ If a file or folder SACL and a Global Object Access Auditing policy setting (or
This category includes the following subcategories:

- [File System (Global Object Access Auditing)](file-system--global-object-access-auditing--sec-audit.md)
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)

- [Registry (Global Object Access Auditing)](registry--global-object-access-auditing--sec-audit.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
@ -28,7 +28,7 @@ The following are prerequisites or recommendations to deploying policies:
- Understand the capabilities of AppLocker:

- [AppLocker](applocker-overview-server.md)
- [AppLocker](applocker-overview.md)

- Document your application control policy deployment plan by addressing these tasks:
@ -38,7 +38,7 @@ Enabling this policy setting can generate a large number of security events, esp
### Best practices

- Use the advanced security audit policy option, [Audit Kernel Object](audit-kernel-object-sec-audit.md) in Advanced Security Audit Policy Settings\\Object Access, to reduce the number of unrelated audit events that you generate.
- Use the advanced security audit policy option, [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access, to reduce the number of unrelated audit events that you generate.

### Location
@ -106,13 +106,13 @@ All auditing capabilities are integrated in Group Policy. You can configure, dep
To audit attempts to access global system objects, you can use one of two security audit policy settings:

- [Audit Kernel Object](audit-kernel-object-sec-audit.md) in Advanced Security Audit Policy Settings\\Object Access
- [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access

- [Audit object access](basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy

If possible, use the Advanced Security Audit Policy option to reduce the number of unrelated audit events that you generate.

If the [Audit Kernel Object](audit-kernel-object-sec-audit.md) setting is configured, the following events are generated:
If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated:

<table>
<colgroup>
@ -147,7 +147,7 @@ If the [Audit Kernel Object](audit-kernel-object-sec-audit.md) setting is config
If the [Audit Kernel Object](audit-kernel-object-sec-audit.md) setting is configured, the following events are generated.
If the [Audit Kernel Object](audit-kernel-object.md) setting is configured, the following events are generated.

<table>
<colgroup>
@ -98,7 +98,7 @@ Enabling this policy setting in conjunction with the **Audit privilege use** pol
Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner.

Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](audit-sensitive-privilege-use-sec-audit.md), which can help you manage the number of events generated.
Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md), which can help you manage the number of events generated.

## Security considerations
@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10

\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.\]
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows SDK Insider Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]

This topic for the IT professional describes the advanced security audit policy setting, **Audit PNP Activity**, which determines when plug and play detects an external device.
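Review bot: the sentence appended to the pre-release disclaimer ("An app that calls an API introduced in Windows SDK Insider Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.") is a Store-submission notice for app developers and has no bearing on the Audit PNP Activity policy setting this topic describes; it looks like a shared disclaimer include was updated globally. The same appended sentence lands in the Audit directory service access and Audit logon events hunks below. Keep the two original disclaimer sentences in these IT-pro topics and leave the Store note for developer-facing pages.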
@ -44,7 +44,7 @@ The basic audit policy settings under **Security Settings\\Local Policies\\Audit
[Configure security policy settings](how-to-configure-security-policy-settings.md)

[Security auditing](security-auditing-overview-glbl.md)
[Security auditing](security-auditing-overview.md)
@ -29,7 +29,7 @@ The TPM owner authorization value is stored in AD DS, and it is present in a TP
Domain controllers running Windows Server 2012 R2 or Windows Server 2012 include the required AD DS schema objects by default. However, if your domain controller is running Windows Server 2008 R2, you need to update the schema as described in [AD DS schema extensions to support TPM backup](schema-extensions-for-windows-server-2008-r2-to-support-ad-ds-backup-of-tpm-information-from-windows-8-clients.md).
Domain controllers running Windows Server 2012 R2 or Windows Server 2012 include the required AD DS schema objects by default. However, if your domain controller is running Windows Server 2008 R2, you need to update the schema as described in [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).

This topic contains procedures, some of which are dependent on Visual Basic scripts, to recover TPM information and decommission TPM on remote computers. Sample scripts are available, which you can customize to meet the requirements of your environment.
@ -53,7 +53,7 @@ Before you begin your backup, ensure that the following prerequisites are met:
1. All domain controllers that are accessible by client computers that will be using TPM services are running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 with the updated schema.

**Tip**
For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](schema-extensions-for-windows-server-2008-r2-to-support-ad-ds-backup-of-tpm-information-from-windows-8-clients.md).
For more info about the schema extensions that are required for a TPM backup in Active Directory domains that are running Windows Server 2008 R2, see [AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md).
@ -727,15 +727,15 @@ WScript.echo "msTPM-OwnerInformation: " + strOwnerInformation
## Additional resources

[Trusted Platform Module technology overview](trusted-platform-module-technology-overview.md)
[Trusted Platform Module technology overview](trusted-platform-module-overview.md)

[TPM fundamentals](tpm-fundamentals-windows-8.md)
[TPM fundamentals](tpm-fundamentals.md)

[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)

[TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)

[AD DS schema extensions to support TPM backup](schema-extensions-for-windows-server-2008-r2-to-support-ad-ds-backup-of-tpm-information-from-windows-8-clients.md)
[AD DS schema extensions to support TPM backup](ad-ds-schema-extensions-to-support-tpm-backup.md)

[Prepare your organization for BitLocker: Planning and Policies](http://technet.microsoft.com/library/jj592683.aspx), see TPM considerations
@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10

\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.\]
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows SDK Insider Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]

Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10

\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.\]
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows SDK Insider Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]

Determines whether to audit each instance of a user logging on to or logging off from a device.
@ -652,7 +652,7 @@ Disable-BitLocker -MountPoint E:,F:,G:
[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)

[BitLocker overview](bitlocker-overview-roletech-overview.md)
[BitLocker overview](bitlocker-overview.md)
@ -37,7 +37,7 @@ A TPM is a microchip designed to provide basic security-related functions, prima
By binding the BitLocker encryption key with the TPM and properly configuring the device, it’s nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized user’s credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key.

For more info about TPM, see [Trusted Platform Module](trusted-platform-module-technology-overview.md).
For more info about TPM, see [Trusted Platform Module](trusted-platform-module-overview.md).

**UEFI and Secure Boot**
@ -160,7 +160,7 @@ Windows InstantGo–certified devices do not have DMA ports, eliminating the ris
- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)

- [BitLocker overview](bitlocker-overview-roletech-overview.md)
- [BitLocker overview](bitlocker-overview.md)
@ -489,7 +489,7 @@ BitLocker is not supported on bootable VHDs, but BitLocker is supported on data
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)

- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server-2012.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)

- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
@ -1698,7 +1698,7 @@ TPM initialization might be needed during the BitLocker setup. Enable the **Turn
For more information about this setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md).

If you are using domain controllers running Windows Server 2003 with Service Pack 1, you must first set up appropriate schema extensions and access control settings on the domain before a backup to AD DS can succeed. For more info, see [Backup the TPM recovery Information to AD DS](backup-thetpm-recovery-information-to-ad-ds.md).
If you are using domain controllers running Windows Server 2003 with Service Pack 1, you must first set up appropriate schema extensions and access control settings on the domain before a backup to AD DS can succeed. For more info, see [Backup the TPM recovery Information to AD DS](backup-tpm-recovery-information-to-ad-ds.md).

### <a href="" id="bkmk-rec4"></a>Choose default folder for recovery password
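Review bot: the hunk fixes only the link target (`backup-thetpm-` to `backup-tpm-recovery-information-to-ad-ds.md`), but the sentence still sends readers with Windows Server 2003 SP1 domain controllers to that topic for schema extensions, while the linked topic's own prerequisites (the hunk at -53 above) require every domain controller to run Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 with the updated schema, and its schema topic covers 2008 R2 only. Either update this sentence to the supported domain controller versions or the link points readers at a topic that does not cover their case.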
@ -2699,16 +2699,16 @@ PCR 7 measurements are a mandatory logo requirement for systems that support Ins
## See also

[Trusted Platform Module](trusted-platform-module-technology-overview.md)
[Trusted Platform Module](trusted-platform-module-overview.md)

[TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md)

[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions--faq-.md)
[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)

[BitLocker overview](bitlocker-overview-roletech-overview.md)
[BitLocker overview](bitlocker-overview.md)

[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
@ -138,9 +138,9 @@ Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilitie
## More information

[BitLocker overview](bitlocker-overview-roletech-overview.md)
[BitLocker overview](bitlocker-overview.md)

[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions--faq-.md)
[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)

[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
@ -475,9 +475,9 @@ The following steps can be used to configure Network Unlock on these older syste
## See also

- [BitLocker overview](bitlocker-overview-roletech-overview.md)
- [BitLocker overview](bitlocker-overview.md)

- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions--faq-.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)

- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
@ -85,7 +85,7 @@ When installing the BitLocker optional component on a server you will also need
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions--faq-.md)</p></td>
<td align="left"><p>[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)</p></td>
<td align="left"><p>This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.</p></td>
</tr>
<tr class="even">
@ -97,7 +97,7 @@ When installing the BitLocker optional component on a server you will also need
<td align="left"><p>This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server-2012.md)</p></td>
<td align="left"><p>[BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md)</p></td>
<td align="left"><p>This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.</p></td>
</tr>
<tr class="odd">
@ -984,7 +984,7 @@ End Function
## See also

- [BitLocker overview](bitlocker-overview-roletech-overview.md)
- [BitLocker overview](bitlocker-overview.md)
@ -364,15 +364,15 @@ Active Directory-based protectors are normally used to unlock Failover Cluster e
## More information

[BitLocker overview](bitlocker-overview-roletech-overview.md)
[BitLocker overview](bitlocker-overview.md)

[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions--faq-.md)
[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)

[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)

[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)

[BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server-2012.md)
[BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
@ -59,13 +59,13 @@ By completing the procedures in this scenario, you have viewed and copied the re
## More information

[BitLocker Overview](bitlocker-overview-roletech-overview.md)
[BitLocker Overview](bitlocker-overview.md)

[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions--faq-.md)
[BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)

[Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)

[BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server-2012.md)
[BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)

[BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
@ -13,10 +13,32 @@ author: brianlic-msft
This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).

| New or changed topic | Description |
|----------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [Protect derived domain credentials with Credential Guard](credential-guard.md) | Clarified Credential Guard protections |
| [Requirements to use AppLocker](requirements-to-use-applocker.md) | Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 Technical Preview is required to manage AppLocker by using Group Policy. |
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">New or changed topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">[Protect derived domain credentials with Credential Guard](credential-guard.md)</td>
<td align="left"><p>Clarified Credential Guard protections</p></td>
</tr>
<tr class="even">
<td align="left">[Requirements to use AppLocker](requirements-to-use-applocker.md)</td>
<td align="left"><p>Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 Technical Preview is required to manage AppLocker by using Group Policy.</p></td>
</tr>
<tr class="odd">
<td align="left">[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md))</td>
<td align="left"><p>Added pre-release content about how to set up and deploy enterprise data protection (EDP) in an enterprise environment.</p></td>
</tr>
</tbody>
</table>
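Review bot: this hunk swaps a two-row markdown table for an HTML `<table>` just to add the EDP row, while the later section of the same page (the hunk at -63 below) keeps markdown tables; appending a third markdown row would be a smaller change and keep the page consistent. The new row's link `(protect-enterprise-data-using-edp.md))` also has a doubled `)` that will render as a stray parenthesis in the cell.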
@ -63,11 +85,11 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
| New or changed topic | Description |
|----------------------------------------------------------------------------------------------|-------------|
| [Windows Defender in Windows 10](windows-defender-in-windows-10.md) | New |
| [Windows Hello biometrics in the enterprise](windows-hello-biometrics-in-the-enterprise.md) | New |
| [AppLocker](applocker-overview-server.md) (multiple topics) | Updated |
| [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)) | New |
| [AppLocker](applocker-overview.md) (multiple topics) | Updated |
| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Updated |
| [Device Guard deployment guide](device-guard-deployment-guide.md) | Updated |
| [Security auditing](security-auditing-overview-glbl.md) (multiple topics) | Updated |
| [Security auditing](security-auditing-overview.md) (multiple topics) | Updated |
| [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) | Updated |
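Review bot: the retargeted Windows Hello row `[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md))` carries a doubled closing parenthesis, so the rendered cell will end in a literal `)`; drop one.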
@ -50,7 +50,7 @@ In the end, many customers will find that pre-boot authentication improves secur
- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)

- [BitLocker overview](bitlocker-overview-roletech-overview.md)
- [BitLocker overview](bitlocker-overview.md)
452
windows/keep-secure/create-edp-policy-using-intune.md
Normal file
@ -0,0 +1,452 @@
---
title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: 4B307C99-3016-4D6A-9AE7-3BBEBD26E721
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: brianlic-msft
---

# Create an enterprise data protection (EDP) policy using Microsoft Intune

**Applies to:**

- Windows 10 Insider Preview
- Windows 10 Mobile Preview

\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows SDK Insider Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]

Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.

## In this topic:

- [Add an EDP policy](#add-edp-policy)
- [Choose which apps can access your enterprise data](#choose-apps)
- [Exempt apps from EDP restrictions](#exempt-apps)
- [Manage the EDP protection level for your enterprise data](#protect-level)
- [Define your enterprise-managed identity domains](#define-enterprise-managed-identity-domains)
- [Choose where apps can access enterprise data](#choose-where-apps)
- [Choose your optional EDP-related settings](#optional-settings)

## <a href="" id="add-edp-policy"></a>Add an EDP policy

After you’ve installed and set up Intune for your organization, you must create an EDP-specific policy.

**To add an EDP policy**

1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.

2. Click **Add Policy** from the **Tasks** area.

3. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.

4. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.



## <a href="" id="choose-apps"></a>Add individual apps to your Protected App list

During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.

The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Desktop app, also known as a Classic Windows application.

**Important**
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.

**Note** If you want to use **File hash** or **Path** rules, instead of Publisher rules, you must follow the steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic.

<a href="" id="add-uwp"></a>
**To add a UWP app**

1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**

2. Click **Universal App**, type the **Publisher Name** and the **Product Name** into the associated boxes, and then click **OK**. If you don't have the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.

**To find the Publisher and Product name values for Microsoft Store apps without installing them**

1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.

**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic.

2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.

3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value.

The API runs and opens a text editor with the app details.

``` syntax
{
"packageIdentityName": "Microsoft.Office.OneNote",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
```

4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.

**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example:

``` syntax
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```



**To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones**

1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the Windows Device Portal feature.

2. **Note**
Your PC and phone must be on the same wireless network.

3. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.

4. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
|
||||
|
||||
5. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
|
||||
|
||||
6. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
|
||||
|
||||
7. On the **Apps** tab of the website, click the drop-down box to choose the app you want to know more about.
|
||||
|
||||
The **Publisher** and **Product Name** values appear.
|
||||
|
||||
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
|
||||
|
||||
**Important**
|
||||
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
|
||||
|
||||
For example:
|
||||
|
||||
|
||||
|
||||
``` syntax
|
||||
{
|
||||
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
|
||||
}
|
||||
```
|
||||
|
||||
<a href="" id="add-classic"></a>
|
||||
**To add a Classic Windows application**
|
||||
|
||||
1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
|
||||
|
||||
A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
|
||||
|
||||
2. Click **Desktop App**, pick the options you want (see table), and then click **OK**.
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="50%" />
|
||||
<col width="50%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Option</th>
|
||||
<th align="left">Manages</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>All fields left as “*”</p></td>
|
||||
<td align="left"><p>All files signed by any publisher. (Not recommended.)</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p><strong>Publisher</strong> selected</p></td>
|
||||
<td align="left"><p>All files signed by the named publisher.</p>
|
||||
<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p><strong>Publisher</strong> and <strong>Product Name</strong> selected</p></td>
|
||||
<td align="left"><p>All files for the specified product, signed by the named publisher.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>File Name</strong> selected</p></td>
|
||||
<td align="left"><p>Any version of the named file or package for the specified product, signed by the named publisher.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, Exactly</strong>, selected</p></td>
|
||||
<td align="left"><p>Specified version of the named file or package for the specified product, signed by the named publisher.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And above</strong> selected</p></td>
|
||||
<td align="left"><p>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.</p>
|
||||
<p>This option is recommended for enlightened apps that weren't previously enlightened.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And below</strong> selected</p></td>
|
||||
<td align="left"><p>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||

|
||||
|
||||
If you’re unsure about what to include for the publisher, you can run this PowerShell command:
|
||||
|
||||
``` syntax
|
||||
Get-AppLockerFileInformation -Path "<path of the exe>"
|
||||
```
|
||||
|
||||
Where `"<path of the exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
|
||||
|
||||
In this example, you'd get the following info:
|
||||
|
||||
``` syntax
|
||||
Path Publisher
|
||||
---- ---------
|
||||
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
|
||||
```
|
||||
|
||||
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
|
||||
|
||||
## <a href="" id="exempt-apps"></a>Exempt apps from EDP restrictions
|
||||
|
||||
|
||||
If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
|
||||
|
||||
**To exempt an UWP app**
|
||||
|
||||
1. Follow the **Add a UWP app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic, through to Step \#11.
|
||||
2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>edpexempt/StoreApp EXE`.
|
||||
|
||||
Where **edpexempt** is added as a substring, making the app exempt.
|
||||
|
||||
3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
|
||||
|
||||
4. Copy the text that has a **Type** of Appx, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
|
||||
|
||||
``` syntax
|
||||
<RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
|
||||
```
|
||||
|
||||
5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
|
||||
|
||||
After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)) topic.
|
||||
|
||||
**To exempt a Classic Windows application**
|
||||
|
||||
1. Follow the **Add a Classic Windows application app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic, through to Step \#11.
|
||||
2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>edpexempt/EXE`.
|
||||
|
||||
Where **edpexempt** is added as a substring, making the app exempt.
|
||||
|
||||
3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
|
||||
|
||||
4. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
|
||||
|
||||
``` syntax
|
||||
<RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
|
||||
```
|
||||
|
||||
5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
|
||||
|
||||
After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)) topic.
|
||||
|
||||
## <a href="" id="protect-level"></a>Manage the EDP protection level for your enterprise data
|
||||
|
||||
|
||||
After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode.
|
||||
|
||||
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="50%" />
|
||||
<col width="50%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Mode</th>
|
||||
<th align="left">Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><strong>Block</strong></td>
|
||||
<td align="left"><p>EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><strong>Override</strong></td>
|
||||
<td align="left"><p>EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459).</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><strong>Silent</strong></td>
|
||||
<td align="left"><p>EDP runs silently, logging inappropriate data sharing, without blocking anything.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><strong>Off</strong>
|
||||
<p>(Not recommended)</p></td>
|
||||
<td align="left"><p>EDP is turned off and doesn't help to protect or audit your data</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||

|
||||
|
||||
## <a href="" id="define-enterprise-managed-identity-domains"></a>Define your enterprise-managed identity domains
|
||||
|
||||
|
||||
Specify your company’s enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list.
|
||||
|
||||
You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com.
|
||||
|
||||
This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed.
|
||||
|
||||

|
||||
|
||||
**To add your primary domain**
|
||||
|
||||
- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.
|
||||
|
||||
If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com.
|
||||
|
||||
## <a href="" id="choose-where-apps"></a>Choose where apps can access enterprise data
|
||||
|
||||
|
||||
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
|
||||
|
||||
**Important**
|
||||
- Every EDP policy should include policy that defines your enterprise network locations.
|
||||
|
||||
- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations.
|
||||
|
||||
|
||||
|
||||
**To specify where your protected apps can find and send enterprise data on the network**
|
||||
|
||||
1. Add additional network locations your apps can access by clicking **Add**, typing a description into the **Description** box, and then choosing your location type, including:
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="33%" />
|
||||
<col width="33%" />
|
||||
<col width="33%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Network location type</th>
|
||||
<th align="left">Format</th>
|
||||
<th align="left">Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Enterprise Cloud Domain</p></td>
|
||||
<td align="left"><p>contoso.sharepoint.com,proxy1.contoso.com|office.com|proxy2.contoso.com</p></td>
|
||||
<td align="left"><p>Specify the cloud resources traffic to restrict to your protected apps.</p>
|
||||
<p>For each cloud resource, you may also specify an internal proxy server that routes your traffic from your <strong>Enterprise Internal Proxy Server</strong> policy. If you have multiple resources, you must use the "|" delimiter. Include the "," delimiter just before the "|" if you don’t use proxies. For example: <code>[URL,Proxy]|[URL,Proxy]</code>.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Enterprise Network Domain</p></td>
|
||||
<td align="left"><p>domain1.contoso.com,domain2.contoso.com</p></td>
|
||||
<td align="left"><p>Specify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the "," delimiter.</p>
|
||||
<p>This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Enterprise Proxy Server</p></td>
|
||||
<td align="left"><p>domain1.contoso.com:80;domain2.contoso.com:137</p></td>
|
||||
<td align="left"><p>Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the ";" delimiter.</p>
|
||||
<p>This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Enterprise Internal Proxy Server</p></td>
|
||||
<td align="left"><p>proxy1.contoso.com;proxy2.contoso.com</p></td>
|
||||
<td align="left"><p>Specify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the ";" delimiter.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Enterprise IPv4 Range</p></td>
|
||||
<td align="left"><p><strong>Starting IPv4 Address:</strong> 3.4.0.1</p>
|
||||
<p><strong>Ending IPv4 Address:</strong> 3.4.255.254</p>
|
||||
<p><strong>Custom URI:</strong> 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254</p></td>
|
||||
<td align="left"><p>Specify the addresses for a valid IPv4 value range within your intranet.</p>
|
||||
<p>If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Enterprise IPv6 Range</p></td>
|
||||
<td align="left"><p><strong>Starting IPv6 Address:</strong></p>
|
||||
<p>2a01:110::</p>
|
||||
<p><strong>Ending IPv6 Address:</strong> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff</p>
|
||||
<p><strong>Custom URI:</strong> 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</p></td>
|
||||
<td align="left"><p>Specify the addresses for a valid IPv6 value range within your intranet.</p>
|
||||
<p>If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||

|
||||
|
||||
2. Add as many locations as you need, and then click **OK**.
|
||||
|
||||
The **Add or Edit Enterprise Network Locations box** closes.
|
||||
|
||||
3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.
|
||||
|
||||
Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
|
||||
|
||||

|
||||
|
||||
## <a href="" id="optional-settings"></a>Choose your optional EDP-related settings
|
||||
|
||||
|
||||
After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings.
|
||||
|
||||
**To add your optional settings**
|
||||
|
||||
1. Choose to set any or all of the optional EDP-related settings:
|
||||
|
||||
- **Allow the user to decrypt data that was created or edited by the apps configured above.** Clicking **Yes**, or turning off this setting in Intune, lets your employees right-click to decrypt their protected app data, along with the option to decrypt data in the **Save As** box and the **Save As** file picker . Clicking **No** removes the **Decrypt** option and saves all data for protected apps as enterprise-encrypted.
|
||||
|
||||
- **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone.
|
||||
|
||||

|
||||
|
||||
2. Click **Save Policy**.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md))
|
||||
|
||||
[General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md))
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
411
windows/keep-secure/create-edp-policy-using-sccm.md
Normal file
@ -0,0 +1,411 @@
|
||||
---
|
||||
title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10)
|
||||
description: Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
|
||||
ms.assetid: 85B99C20-1319-4AA3-8635-C1A87B244529
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Insider Preview
|
||||
- Windows 10 Mobile Preview
|
||||
- System Center Configuration Manager (version 1511 or later)
|
||||
|
||||
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows SDK Insider Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]
|
||||
|
||||
Configuration Manager (version 1511 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
|
||||
|
||||
## In this topic:
|
||||
|
||||
|
||||
- [Add an EDP policy](#add-edp-policy-sccm)
|
||||
|
||||
- [Choose which apps can access your enterprise data](#choose-apps-sccm)
|
||||
|
||||
- [Manage the EDP protection level for your enterprise data](#protect-level-sccm)
|
||||
|
||||
- [Define your enterprise-managed identity domains](#define-identity-domain)
|
||||
|
||||
- [Choose where apps can access enterprise data](#choose-where-apps-sccm)
|
||||
|
||||
- [Choose your optional EDP-related settings](#optional-settings)
|
||||
|
||||
- [Review your configuration choices in the **Summary** screen](#summary-page)
|
||||
|
||||
- [Deploy the EDP policy](#deploy-policy-sccm)
|
||||
|
||||
## <a href="" id="add-edp-policy-sccm"></a>Add an EDP policy
|
||||
|
||||
|
||||
After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy.
|
||||
|
||||
**To create a configuration item for EDP**
|
||||
|
||||
1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
|
||||
|
||||

|
||||
|
||||
2. Click the **Create Configuration Item** button.
|
||||
|
||||
The **Create Configuration Item Wizard** starts.
|
||||
|
||||

|
||||
|
||||
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
|
||||
|
||||
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**.
|
||||
|
||||
- **Settings for devices managed with the Configuration Manager client > Windows 10** option
|
||||
|
||||
-OR-
|
||||
|
||||
- **Settings for devices managed without the Configuration Manager client > Windows 8.1 and Windows 10** option
|
||||
|
||||
5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
|
||||
|
||||

|
||||
|
||||
6. On the **Device Settings** screen, click **Enterprise Data Protection**, and then click **Next**.
|
||||
|
||||

|
||||
|
||||
The **Configure Enterprise Data Protection settings** page appears, where you'll configure your policy for your organization.
|
||||
|
||||
## <a href="" id="choose-apps-sccm"></a>Choose which apps can access your enterprise data
|
||||
|
||||
|
||||
During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps or unprotected network locations.
|
||||
|
||||
The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Classic Windows application.
|
||||
|
||||
**Important**
|
||||
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data leaks during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.
|
||||
|
||||
|
||||
|
||||
**To add a UWP app**
|
||||
|
||||
1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
|
||||
|
||||
2. Click **Universal App**, type the **Publisher Name** and the **Product Name** into the associated boxes, and then click **OK**. If you don't have the publisher or product name, you can find them by following these steps.
|
||||
|
||||
**To find the Publisher and Product name values for Microsoft Store apps without installing them**
|
||||
|
||||
1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
|
||||
|
||||
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
|
||||
|
||||
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value.
|
||||
|
||||
The API runs and opens a text editor with the app details.
|
||||
|
||||
``` syntax
|
||||
{
|
||||
"packageIdentityName": "Microsoft.Office.OneNote",
|
||||
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
|
||||
}
|
||||
```
|
||||
|
||||
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of the **Add app** box, and then click **OK**.
|
||||
|
||||
**Important**
|
||||
If you don’t see the **Product Name** box, it could mean that your tenant is not on the latest build and that you need to wait until it's upgraded. Same applies if you see the **AppId** box. The **AppId** box has been removed in the latest build and should disappear (along with any entries) when your tenant is upgraded.
|
||||
|
||||
|
||||
|
||||
**Important**
|
||||
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
|
||||
|
||||
For example:
|
||||
|
||||
|
||||
|
||||
``` syntax
|
||||
{
|
||||
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
|
||||
}
|
||||
```
|
||||
|
||||

|
||||
|
||||
**To add a Classic Windows application**
|
||||
|
||||
1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
|
||||
|
||||
A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
|
||||
|
||||
2. Click **Desktop App**, pick the options you want (see table), and then click **OK**.
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="50%" />
|
||||
<col width="50%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Option</th>
|
||||
<th align="left">Manages</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>All fields left as “*”</p></td>
|
||||
<td align="left"><p>All files signed by any publisher. (Not recommended.)</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p><strong>Publisher</strong> selected</p></td>
|
||||
<td align="left"><p>All files signed by the named publisher.</p>
|
||||
<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p><strong>Publisher</strong> and <strong>Product Name</strong> selected</p></td>
|
||||
<td align="left"><p>All files for the specified product, signed by the named publisher.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>File Name</strong> selected</p></td>
|
||||
<td align="left"><p>Any version of the named file or package for the specified product, signed by the named publisher.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, Exactly</strong>, selected</p></td>
|
||||
<td align="left"><p>Specified version of the named file or package for the specified product, signed by the named publisher.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And above</strong> selected</p></td>
|
||||
<td align="left"><p>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.</p>
|
||||
<p>This option is recommended for enlightened apps that weren't previously enlightened.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And below</strong> selected</p></td>
|
||||
<td align="left"><p>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
If you’re unsure about what to include for the publisher, you can run this PowerShell command:
|
||||
|
||||
``` syntax
|
||||
Get-AppLockerFileInformation -Path "<path of the exe>"
|
||||
```
|
||||
|
||||
Where `"<path of the exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
|
||||
|
||||
In this example, you'd get the following info:
|
||||
|
||||
``` syntax
|
||||
Path Publisher
|
||||
---- ---------
|
||||
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
|
||||
```
|
||||
|
||||
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
|
||||
|
||||

|
||||
|
||||
## <a href="" id="protect-level-sccm"></a>Manage the EDP protection level for your enterprise data
|
||||
|
||||
|
||||
After you've added the apps you want to protect with EDP, you'll need to apply an app management mode.
|
||||
|
||||
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="50%" />
|
||||
<col width="50%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Mode</th>
|
||||
<th align="left">Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><strong>Block</strong></td>
|
||||
<td align="left"><p>EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><strong>Override</strong></td>
|
||||
<td align="left"><p>EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459).</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><strong>Silent</strong></td>
|
||||
<td align="left"><p>EDP runs silently, logging inappropriate data sharing, without blocking anything.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><strong>Off</strong>
|
||||
<p>(Not recommended)</p></td>
|
||||
<td align="left"><p>EDP is turned off and doesn't help to protect or audit your data.</p>
|
||||
<p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||

|
||||
|
||||
## <a href="" id="define-identity-domain"></a>Define your enterprise-managed identity domains
|
||||
|
||||
|
||||
Specify your company’s enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list.
|
||||
|
||||
You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com.
|
||||
|
||||
This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed.
|
||||
|
||||

|
||||
|
||||
**To add your primary domain**
|
||||
|
||||
- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.
|
||||
|
||||
If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com.
|
||||
|
||||
## <a href="" id="choose-where-apps-sccm"></a>Choose where apps can access enterprise data
|
||||
|
||||
|
||||
After you've added a management level to your protected apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
|
||||
|
||||
**To specify where your protected apps can find and send enterprise data on the network**
|
||||
|
||||
1. Add additional network locations your apps can access by clicking **Add**, and then choosing your location type, including:
|
||||
|
||||
<table>
|
||||
<colgroup>
|
||||
<col width="33%" />
|
||||
<col width="33%" />
|
||||
<col width="33%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Network location type</th>
|
||||
<th align="left">Format</th>
|
||||
<th align="left">Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Enterprise Cloud Domain</p></td>
|
||||
<td align="left"><p>contoso.sharepoint.com,proxy1.contoso.com|office.com|proxy2.contoso.com</p></td>
|
||||
<td align="left"><p>Specify the cloud resources traffic to restrict to your protected apps.</p>
|
||||
<p>For each cloud resource, you may also specify an internal proxy server that routes your traffic, from your <strong>Enterprise Internal Proxy Server</strong> policy. If you have multiple resources, you must use the "|" delimiter. Include the "," delimiter just before the "|" if you don’t use proxies. For example: <code>URL[,Proxy]|URL[,Proxy]</code>.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Enterprise Network Domain</p></td>
|
||||
<td align="left"><p>domain1.contoso.com,domain2.contoso.com</p></td>
|
||||
<td align="left"><p>Specify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the "," delimiter.</p>
|
||||
<p>This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Enterprise Proxy Server</p></td>
|
||||
<td align="left"><p>domain1.contoso.com:80;domain2.contoso.com:137</p></td>
|
||||
<td align="left"><p>Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the ";" delimiter.</p>
|
||||
<p>This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Enterprise Internal Proxy Server</p></td>
|
||||
<td align="left"><p>proxy1.contoso.com;proxy2.contoso.com</p></td>
|
||||
<td align="left"><p>Specify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the ";" delimiter.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Enterprise IPv4 Range</p></td>
|
||||
<td align="left"><p><strong>Starting IPv4 Address:</strong> 3.4.0.1</p>
|
||||
<p><strong>Ending IPv4 Address:</strong> 3.4.255.254</p>
|
||||
<p><strong>Custom URI:</strong> 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254</p></td>
|
||||
<td align="left"><p>Specify the addresses for a valid IPv4 value range within your intranet.</p>
|
||||
<p>If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Enterprise IPv6 Range</p></td>
|
||||
<td align="left"><p><strong>Starting IPv6 Address:</strong></p>
|
||||
<p>2a01:110::</p>
|
||||
<p><strong>Ending IPv6 Address:</strong> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff</p>
|
||||
<p><strong>Custom URI:</strong> 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</p></td>
|
||||
<td align="left"><p>Specify the addresses for a valid IPv6 value range within your intranet.</p>
|
||||
<p>If you are adding a single range, you can enter the starting and ending addresses into your management system’s UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the "-" delimiter between start and end of a range, and the "," delimiter to separate ranges.</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||

|
||||
|
||||
2. Add as many locations as you need, and then click **OK**.
|
||||
|
||||
The **Add or Edit Enterprise Network Locations box** closes.
|
||||
|
||||
3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.
|
||||
|
||||
Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the[Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
|
||||
|
||||
## <a href="" id="optional-settings"></a>Choose your optional EDP-related settings
|
||||
|
||||
|
||||
After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings.
|
||||
|
||||
**To add your optional settings**
|
||||
|
||||
- Choose to set any or all of the optional EDP-related settings:
|
||||
|
||||
- **Block the user from decrypting data that was created or edited by the apps configured above.** Clicking **No**, or leaving the setting blank, lets your employees right-click to decrypt their protected app data, along with the option to decrypt data in the **Save As** box and the **Save As** file picker . Clicking **Yes** removes the **Decrypt** option and saves all data for protected apps as enterprise-encrypted.
|
||||
|
||||
- **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone.
|
||||
|
||||

|
||||
|
||||
## <a href="" id="summary-page"></a>Review your configuration choices in the Summary screen
|
||||
|
||||
|
||||
After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
|
||||
|
||||
**To view the Summary screen**
|
||||
|
||||
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
|
||||
|
||||
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
|
||||
|
||||

|
||||
|
||||
## <a href="" id="deploy-policy-sccm"></a>Deploy the EDP policy
|
||||
|
||||
|
||||
After you’ve created your EDP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
|
||||
|
||||
[Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/?LinkId=708224)
|
||||
|
||||
[How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/?LinkId=708225)
|
||||
|
||||
[How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/?LinkId=708226)
|
||||
|
||||
## Next steps
|
||||
|
||||
|
||||
Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information. For more info about enrollment, see [Enroll and unenroll devices from enterprise data protection (EDP)](../keep-secure/remove-your-corporate-data-from-enrolled-devices.md).
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[System Center Configuration Manager and Endpoint Protection (Version 1511)](http://go.microsoft.com/fwlink/?LinkId=717372)
|
||||
|
||||
[TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/?LinkId=691623)
|
||||
|
||||
[Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/?LinkId=691624)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
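Review bot: the two fenced blocks tagged `syntax` (the Get-AppLockerFileInformation command and its sample output) should be tagged `powershell` and `text` respectively, since `syntax` is not a language the site highlighter recognizes. Also in this hunk: the IPv4 example in the network-locations table uses 3.4.0.1-3.4.255.254 as an "intranet" range, which is publicly routable address space; an RFC 1918 range such as the 10.0.0.1-10.255.255.254 already shown in the Custom URI example would be a safer sample for readers who copy it. Smaller fixes: "see the[Data Recovery and Encrypting File System (EFS)]" is missing a space before the link, "file picker ." has a stray space before the period, and the markdown link to the Reporting CSP sits inside a raw HTML `<td>`, where most markdown renderers will not convert it, so it should be an `<a href>` tag like the rest of the table.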
120
windows/keep-secure/create-vpn-and-edp-policy-using-intune.md
Normal file

@ -0,0 +1,120 @@
|
||||
---
|
||||
title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10)
|
||||
description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
|
||||
ms.assetid: D0EABA4F-6D7D-4AE4-8044-64680A40CF6B
|
||||
keywords: ["EDP", "Enterprise Data Protection"]
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Insider Preview
|
||||
- Windows 10 Mobile Preview
|
||||
|
||||
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows SDK Insider Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]
|
||||
|
||||
After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
|
||||
|
||||
## Create your VPN policy using Microsoft Intune
|
||||
|
||||
|
||||
Follow these steps to create the VPN policy you want to use with EDP.
|
||||
|
||||
**To create your VPN policy**
|
||||
|
||||
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
|
||||
|
||||
2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
|
||||
|
||||
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
|
||||
|
||||
4. In the **VPN Settings** area, type the following info:
|
||||
|
||||
- **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable.
|
||||
|
||||
- **Connection type.** Pick the connection type that matches your infrastructure. The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**.
|
||||
|
||||
- **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable.
|
||||
|
||||
- **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN).
|
||||
|
||||

|
||||
|
||||
5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.
|
||||
|
||||
It's your choice whether you check the box to **Remember the user credentials at each logon**.
|
||||
|
||||

|
||||
|
||||
6. You can leave the rest of the default or blank settings, and then click **Save Policy**.
|
||||
|
||||
## Deploy your VPN policy using Microsoft Intune
|
||||
|
||||
|
||||
After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your enterprise data protection (EDP) policy.
|
||||
|
||||
**To deploy your VPN policy**
|
||||
|
||||
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
|
||||
|
||||
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
|
||||
|
||||
The added people move to the **Selected Groups** list on the right-hand pane.
|
||||
|
||||

|
||||
|
||||
3. After you've picked all of the employees and groups that should get the policy, click **OK**.
|
||||
|
||||
The policy is deployed to the selected users' devices.
|
||||
|
||||
## Link your EDP and VPN policies and deploy the custom configuration policy
|
||||
|
||||
|
||||
The final step to making your VPN configuration work with EDP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EdpModeID** setting, and then deploying the policy to the same group you deployed your EDP and VPN policies
|
||||
|
||||
**To link your VPN policy**
|
||||
|
||||
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
|
||||
|
||||
2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
|
||||
|
||||
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
|
||||
|
||||
4. In the **OMA-URI Settings** area, click **Add** to add your **EdpModeID** info.
|
||||
|
||||
5. In the **OMA-URI Settings** area, type the following info:
|
||||
|
||||
- **Setting name.** Type **EdpModeID** as the name.
|
||||
|
||||
- **Data type.** Pick the **String** data type.
|
||||
|
||||
- **OMA-URI.** Type ./Vendor/MSFT/VPNv2/*<your\_edp\_policy\_name>*/EdpModeId, replacing *<your\_edp\_policy\_name>* with the name you gave to your EDP policy. For example, ./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EdpModeId.
|
||||
|
||||
- **Value.** Your fully-qualified domain that should be used by the OMA-URI setting.
|
||||
|
||||

|
||||
|
||||
6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.**
|
||||
|
||||
**To deploy your linked policy**
|
||||
|
||||
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
|
||||
|
||||
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane.
|
||||
|
||||
3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
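Review bot: in step 5 of the linking procedure the OMA-URI placeholder is described as "the name you gave to your EDP policy", but the path is under ./Vendor/MSFT/VPNv2/, the VPN profile CSP, and the example W10-Checkpoint-VPN1 reads like the VPN connection name entered in step 4 of the create procedure; please confirm which name the node is keyed by and make the placeholder and the prose agree. The setting is also spelled EdpModeID in the setting-name bullet and EdpModeId in the OMA-URI; use one casing throughout. The Value bullet ("Your fully-qualified domain that should be used by the OMA-URI setting") should say which domain is meant, presumably the enterprise identity (primary domain, e.g. contoso.com) configured in the EDP policy. Minor: the paragraph introducing the link step is missing its closing period after "EDP and VPN policies".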
@ -399,7 +399,7 @@ You can use the following form to construct your own AppLocker planning document
|
||||
|
||||
- The AppLocker Policies Design Guide is the predecessor to the AppLocker Policies Deployment Guide. When planning is complete, see the [AppLocker policies deployment guide](applocker-policies-deployment-guide.md).
|
||||
|
||||
- For more general info, see [AppLocker](applocker-overview-server.md).
|
||||
- For more general info, see [AppLocker](applocker-overview.md).
|
||||
|
||||
|
||||
|
||||
|
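Review bot: the retargeted link (applocker-overview-server.md to applocker-overview.md) is repeated in the later @@ -158 hunk; a repo-wide search for applocker-overview-server.md would confirm no other references remain, since any stale link left after the file rename will 404.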
@ -26,7 +26,7 @@ AppLocker rules apply to the targeted app, and they are the components that make
|
||||
|
||||
You can use a reference device to automatically create a set of default rules for each of the installed apps, test and modify each rule as necessary, and deploy the policies. Creating most of the rules for all the installed apps gives you a starting point to build and test your policies. For info about performing this task, see the following topics:
|
||||
|
||||
- [Configure the AppLocker reference device](configure-the-applocker-reference-computer-ops.md)
|
||||
- [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md)
|
||||
|
||||
- [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
|
||||
|
||||
|
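Review bot: the new link target configure-the-appLocker-reference-device.md has a capital L in the filename while every other file referenced in this commit is all lowercase; on a case-sensitive host that link will 404 unless the file is really named that way, so either rename the file to configure-the-applocker-reference-device.md or fix the link to match the actual filename.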
@ -1012,7 +1012,7 @@ If you're having trouble running this script, try replacing the single quote aft
|
||||
|
||||
[Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx)
|
||||
|
||||
[Trusted Platform Module](trusted-platform-module-technology-overview.md)
|
||||
[Trusted Platform Module](trusted-platform-module-overview.md)
|
||||
|
||||
|
||||
|
||||
|
@ -20,7 +20,7 @@ Describes the best practices, location, values, and security considerations for
|
||||
## Reference
|
||||
|
||||
|
||||
This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language--sddl--syntax.md) setting in that it allows you to define additional computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an additional access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server.
|
||||
This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define additional computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an additional access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server.
|
||||
|
||||
These device-wide ACLs provide a way to override weak security settings that are specified by an application through CoInitializeSecurity or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific COM-based server. These ACLs provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers.
|
||||
|
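Review bot: the slug fix (--sddl-- to -sddl-) is correct; while touching this paragraph, "DCOM–based" uses an en dash where "COM-based" in the same sentence uses a hyphen, so normalize to a hyphen for consistency.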
54
windows/keep-secure/deploy-edp-policy-using-intune.md
Normal file
@ -0,0 +1,54 @@
|
||||
---
|
||||
title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
|
||||
description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices.
|
||||
ms.assetid: 9C4A01E7-0B1C-4F15-95D0-0389F0686211
|
||||
keywords: ["EDP", "Enterprise Data Protection"]
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Deploy your enterprise data protection (EDP) policy using Microsoft Intune
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Insider Preview
|
||||
- Windows 10 Mobile Preview
|
||||
|
||||
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows SDK Insider Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]
|
||||
|
||||
After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
|
||||
|
||||
**To deploy your EDP policy**
|
||||
|
||||
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
|
||||
|
||||

|
||||
|
||||
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
|
||||
|
||||
The added people move to the **Selected Groups** list on the right-hand pane.
|
||||
|
||||

|
||||
|
||||
3. After you've picked all of the employees and groups that should get the policy, click **OK**.
|
||||
|
||||
The policy is deployed to the selected users' devices.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md))
|
||||
|
||||
[General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md))
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
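Review bot: both links under Related topics end with a doubled closing parenthesis, `(create-edp-policy-using-intune.md))` and `(guidance-and-best-practices-edp.md))`, which leaves a stray `)` in the rendered text; drop the extra parenthesis on each line.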
@ -158,7 +158,7 @@ Use the following table to develop your own objectives and determine which appli
|
||||
|
||||
|
||||
|
||||
For more general info, see [AppLocker](applocker-overview-server.md).
|
||||
For more general info, see [AppLocker](applocker-overview.md).
|
||||
|
||||
|
||||
|
||||
|
@ -18,6 +18,8 @@ author: brianlic-msft
|
||||
Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. Windows 10 employs Device Guard as well as code integrity and advanced hardware features such as CPU virtualization extensions, Trusted Platform Module, and second-level address translation to offer comprehensive modern security to its users. This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them.
|
||||
|
||||
## Introduction to Device Guard
|
||||
|
||||
|
||||
Today’s security threat landscape is more aggressive than ever before. Modern malicious attacks are focused on revenue generation, intellectual property theft, and targeted system degradation, which results in financial loss. Many of these modern attackers are sponsored by nation states with unknown motives and large cyber terrorism budgets. These threats can enter a company through something as simple as an email message and can permanently damage its reputation for securing its software assets, as well as having significant financial impact. Windows 10 introduces several new security features that help mitigate a large percentage of today’s known threats.
|
||||
|
||||
It is estimated that more than 300,000 new malware variants are discovered daily. Unfortunately, companies currently use an ancient method to discover this infectious software and prevent its use. In fact, current PCs trust everything that runs until malware signatures determine whether a threat exists; then, the antimalware software attempts to clean the PC, often after the malicious software’s effect has already been noticed. This signature-based system focuses on reacting to an infection and ensuring that the particular infection does not happen again. In this model, the system that drives malware detection relies on the discovery of malicious software; only then can a signature be provided to the client to remediate it, which implies that a computer must be infected first. The time between the detection of the malware and a client being issued a signature could mean the difference between losing data and staying safe.
|
||||
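Review bot: the new "Introduction to Device Guard" heading is fine, but the paragraph that follows asserts "more than 300,000 new malware variants are discovered daily" with no source; add a citation or attribute the figure to a named report, since readers will quote this number from the docs.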
@ -29,6 +31,8 @@ Device Guard breaks the current model of detection first-block later, and allows
|
||||
Device Guard's features revolutionize the Windows operating system’s security by taking advantage of new virtualization-based security (VBS) options and the trust-nothing mobile device operating system model, which makes its defenses much more difficult for malware to penetrate. By using configurable code integrity policies, organizations are able to choose exactly which applications are allowed to run in their environment. Configurable code integrity is not limited to Windows Store applications and can be used with existing unsigned or signed Win32 applications, without the requirement that the application be repackaged. In addition, configurable code integrity can be deployed as an individual feature if organizations don’t possess the required hardware for Device Guard. Along with code integrity, Windows 10 leverages advanced hardware features such as CPU virtualization extensions, input/output memory management units (IOMMUs), Trusted Platform Module (TPM), and second-level address translation (SLAT) to offer comprehensive modern security to its users. Device Guard deployed with configurable code integrity and Credential Guard will be among the most impactful client-side security deployments an organization can implement today. In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as Credential Guard and AppLocker.
|
||||
|
||||
## Device Guard overview
|
||||
|
||||
|
||||
Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features revolutionize the Windows operating system’s security by taking advantage of new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called *configurable code integrity*, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines—exactly what has made mobile phone security so successful. In addition, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing provides organizations with a way to trust individual third-party applications. Device Guard—with configurable code integrity, Credential Guard, and AppLocker—is the most complete security defense that any Microsoft product has ever been able to offer a Windows client.
Advanced hardware features such as CPU virtualization extensions, IOMMUs, and SLAT, drive these new client security offerings. By integrating these hardware features further into the core operating system, Windows 10 leverages them in new ways. For example, the same type 1 hypervisor technology that is used to run virtual machines in Microsoft Hyper-V is used to isolate core Windows services into a virtualization-based, protected container. This is just one example of how Windows 10 integrates advanced hardware features deeper into the operating system to offer comprehensive modern security to its users. These hardware features are now available in consumer and enterprise PC markets and are discussed in detail in the [Hardware considerations](#hardware) section.
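Review bot: the opening paragraph and the first paragraph under "Device Guard overview" restate each other almost sentence for sentence ("revolutionize the Windows operating system's security by taking advantage of new virtualization-based security ... trust-nothing mobile device operating system model", the same roll call of CPU virtualization extensions, IOMMUs and SLAT, and "without the requirement that the application be repackaged"). Keep the overview paragraph and cut the opening one down to its scope statement ("In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them ...") so the reader is not told the same thing twice within a screen.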
@ -59,6 +63,8 @@ Although AppLocker is not considered a new Device Guard feature, it complements
**Note** One example in which Device Guard functionality needs AppLocker supplementation is when your organization would like to limit universal applications. Universal applications have already been validated by Microsoft to be trustworthy to run, but an organization may not want to allow specific universal applications to run in their environment. You can accomplish this enforcement by using an AppLocker rule.
AppLocker and Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, Microsoft recommends that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
### <a href="" id="dg-with-cg"></a>
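Review bot: the `### <a href="" id="dg-with-cg"></a>` line that closes this hunk is a heading that carries an anchor and no title text, so it renders as an empty level-3 heading with the real title (whatever follows on the next line) rendered as body text. Put the title on the same line as the anchor, the way `## <a href="" id="approach-enterprise"></a>Approach enterprise code integrity deployment` is written further down in this patch.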
@ -80,8 +86,9 @@ You can easily manage Device Guard features by using the familiar enterprise and
- **Windows PowerShell**. Windows PowerShell is primarily used to create and service code integrity policies. These policies represent the most powerful component of Device Guard. For a step-by-step walkthrough of how to create, audit, service, enforce, and deploy code integrity policies, see the [Code integrity policies](#code-integrity-policies) section.
These options provide the same experience you are used to in order to manage your existing enterprise management solutions. For more information about how to manage and deploy Device Guard hardware and code integrity features in your organization, see the [Device Guard deployment](#dg-deployment) section.
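Review bot: the closing sentence "These options provide the same experience you are used to in order to manage your existing enterprise management solutions" does not parse; the intended meaning is that Device Guard is managed through tooling the reader already runs. Suggest "These options let you manage Device Guard with the same tools you already use for the rest of your enterprise management solutions."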
## Plan for Device Guard
In this section, you will learn about the following topics:
- [Approach enterprise code integrity deployment](#approach-enterprise). Device Guard deployment in your organization requires a planned approach. In this section, you get high-level recommendations for how to approach enterprise code integrity deployment in your organization.
@ -94,9 +101,12 @@ In this section, you will learn about the following topics:
## <a href="" id="approach-enterprise"></a>Approach enterprise code integrity deployment
Enterprises that want to consider Device Guard should not expect deployment to their entire organization overnight. Device Guard implementation requires that you plan for both end-user and IT pro impact. In addition, the deployment of Device Guard features to your enterprise requires a planned, phased approach to ensure that end-user systems are fully capable and ready to enforce these new security restrictions. Perform the following high-level tasks to approach the deployment of Device Guard to your enterprise:
1. **Group devices into similar functions**. Categorize machines into the groups described in the [Device Guard deployment scenarios](#device-guard-deployment) section. This begins the roadmap for your Device Guard deployment and provides groups of easier and more difficult implementations. From there, assess the quantity of necessary Device Guard policies. The easiest solution is to lock down your entire enterprise, but it might not fit your individual departments’ needs.<p>To discover an appropriate number of policies for your organization, try to separate the defined groups into departments or roles. Then ask some questions: What software does each department or role need to do their job? Should they be able to install and run other departments’ software? Do we need to create a base code integrity policy that aligns with our application catalog? Should users be able to install any application or only choose from an “allowed” list? Do we allow users to use their own peripheral devices? These questions will help you discover the number of necessary policies for your organization. Finally, try to focus on which people or departments would require an additional level of privileges. For example, should department x be able to install and run application xyz, even though no other department does? If the answer is yes and justifiable, you will need a secondary code integrity policy for that group. If not, you will likely be able to merge several policies to simplify management. For more information about configurable code integrity policies, see the [Code integrity policies](#code-integrity-policies) section.
1. **Group devices into similar functions**. Categorize machines into the groups described in the [Device Guard deployment scenarios](#device-guard-deployment) section. This begins the roadmap for your Device Guard deployment and provides groups of easier and more difficult implementations. From there, assess the quantity of necessary Device Guard policies. The easiest solution is to lock down your entire enterprise, but it might not fit your individual departments’ needs.
To discover an appropriate number of policies for your organization, try to separate the defined groups into departments or roles. Then ask some questions: What software does each department or role need to do their job? Should they be able to install and run other departments’ software? Do we need to create a base code integrity policy that aligns with our application catalog? Should users be able to install any application or only choose from an “allowed” list? Do we allow users to use their own peripheral devices? These questions will help you discover the number of necessary policies for your organization. Finally, try to focus on which people or departments would require an additional level of privileges. For example, should department x be able to install and run application xyz, even though no other department does? If the answer is yes and justifiable, you will need a secondary code integrity policy for that group. If not, you will likely be able to merge several policies to simplify management. For more information about configurable code integrity policies, see the [Code integrity policies](#code-integrity-policies) section.
2. **Create code integrity policies from “golden” PCs**. After you create the groups of devices, you can create code integrity policies to align with those groups, similar to the way you would manage corporate images. When you have separated these groups and set up golden PCs that mimic the software and hardware those individual groups require, create code integrity policies from each of them. After you create these, you can merge these code integrity policies to create a master policy, or you can manage and deploy them individually. For step-by-step instructions about how to create code integrity policies, see the [Create code integrity policies from golden PCs](#create-code-golden) section.
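Review bot: the "To discover an appropriate number of policies ..." paragraph that replaces the old `<p>` continuation now sits at column 0 between item 1 and item 2, which ends the list after item 1 in Markdown and makes "2. **Create code integrity policies ...**" the first item of a second list. Indent the continuation paragraph by four spaces (or one tab) so it stays inside item 1, as the `<p>` version effectively did.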
@ -110,6 +120,7 @@ Enterprises that want to consider Device Guard should not expect deployment to t
## <a href="" id="device-guard-deployment"></a>Device Guard deployment scenarios
To help simplify the deployment of Device Guard to your organization, Microsoft recommends that you group devices into the deployment scenarios described in this section. Device Guard is not a feature that organizations will just simply “turn on”; rather, it typically requires a phased implementation approach. To see where these scenarios fit into an overall Device Guard deployment approach, see the [Approach to enterprise code integrity deployment](#approach-enterprise) section.
**Fixed-workload devices**
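Review bot: the cross-reference in the "Device Guard deployment scenarios" paragraph reads "see the [Approach to enterprise code integrity deployment](#approach-enterprise) section", but the heading it points to (earlier in this patch) is "Approach enterprise code integrity deployment". The anchor still resolves; make the link text match the heading so readers searching for the title find it.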
@ -120,6 +131,8 @@ Device Guard components that are applicable to fixed-workload devices include:
- KMCI VBS protection
<!-- -->
- Enforced UMCI policy
**Fully managed devices**
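Review bot: the `<!-- -->` comment between "- KMCI VBS protection" and "- Enforced UMCI policy" splits what the lead sentence ("Device Guard components that are applicable to fixed-workload devices include:") presents as one list into two single-item lists. Unless the split is deliberate, drop the comment and keep the two bullets adjacent. Within these lines KMCI and UMCI are also used without expansion; confirm both acronyms are spelled out on first use earlier in the file.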
@ -150,6 +163,7 @@ Device Guard is not a good way to manage devices in a Bring Your Own Device (BYO
## Code signing adoption
Code signing is crucial to the successful implementation of configurable code integrity policies. These policies can trust the signing certificates from both independent software vendors and customers. In Windows 10, all Windows Store applications are signed. Also, you can easily trust any other signed application by adding the signing certificate to the code integrity policy.
For unsigned applications, customers have multiple options for signing them so that code integrity policies can trust them. The first option is traditional embedded code signing. Organizations that have in-house development teams can incorporate binary code signing into their application development process, and then simply add the signing certificate to their code integrity policies. The second option for signing unsigned applications is to use catalog files. In Windows 10, customers have the ability to create catalog files as they monitor the installation and initial run of an application. For more information about signing existing unsigned LOB applications or third-party applications, see the [Existing line-of-business applications](#existing-lob) section.
@ -163,6 +177,8 @@ Until now, existing LOB applications were difficult to trust if they were signed
**Note**
Catalog files are lists of individual binaries’ hash values. If the scanned application is updated, you will need to create a new catalog file. That said, binary signing is still highly recommended for any future applications so that no catalog files are needed.
When you create a catalog file, you must sign it by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. When signed, code integrity policies can trust the signer or signing certificate of those files. For information about catalog file signing, see the [Catalog files](#catalog-files) section.
**Application development**
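Review bot: "you must sign it by using enterprise public key infrastructure (PKI), or a purchased code signing certificate" has a stray comma and blurs what actually signs the file; suggest "you must sign it with a code signing certificate, either one issued by your enterprise PKI or one purchased from a commercial CA." The Note above it ("Catalog files are lists of individual binaries' hash values. If the scanned application is updated, you will need to create a new catalog file.") is also repeated almost word for word in the "Create catalog files" hunk later in this patch; keep it in one place and link from the other.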
@ -239,6 +255,7 @@ Different hardware features are required to implement the various features of De
## <a href="" id="dg-deployment"></a>Device Guard deployment
In this section, you learn about the following topics:
- [Configure hardware-based security features](#configure-hardware). This section explains how to enable the hardware-based security features in Device Guard. Also, you verify that the features are enabled by using both Windows Management Infrastructure (WMI) and Msinfo32.exe.
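Review bot: the bullet "Configure hardware-based security features" expands WMI as "Windows Management Infrastructure"; the acronym stands for Windows Management Instrumentation, which is also the name under which the `Win32_DeviceGuard` class referenced later in this patch is documented. Fix the expansion here so the validation section and this overview agree.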
@ -249,6 +266,7 @@ In this section, you learn about the following topics:
## <a href="" id="configure-hardware"></a>Configure hardware-based security features
Hardware-based security features make up a large part of Device Guard security offerings. VBS reinforces the most important feature of Device Guard: configurable code integrity. There are three steps to configure hardware-based security features in Device Guard:
1. **Verify that hardware requirements are met and enabled**. Verify that your client machines possess the necessary hardware to run these features. A list of hardware requirements for the hardware-based security features is available in the [Hardware considerations](#hardware) section.
@ -266,6 +284,8 @@ In addition to the hardware requirements found in the [Hardware considerations](
**Note**
You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management. For specific information about these methods, refer to the [Credential Guard documentation](http://go.microsoft.com/fwlink/p/?LinkId=624529).

Figure 1. Enable operating system features for VBS
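Review bot: this hunk (and every later Note in the patch) replaces `**Note**<br>` with `**Note**` on its own line followed directly by the note text. Without a blank line between them a CommonMark renderer treats the newline as a soft break and produces the single paragraph "**Note** You can configure these features manually ...", which is exactly what the `<br>` was there to prevent. Either keep a blank line after `**Note**` or switch to the docs `> **Note**` callout form, and do it consistently across the patch.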
@ -281,6 +301,8 @@ Before you begin this process, verify that the target device meets the hardware
**Note**
There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include DMA protection (IOMMU) technologies. Without the presence of IOMMUs and with DMA protection disabled, customers will lose protection from driver-based attacks.
1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
2. Set the **EnableVirtualizationBasedSecurity DWORD** value to **1**.
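Review bot: step 2 says "Set the **EnableVirtualizationBasedSecurity DWORD** value to **1**" but the `...\Control\DeviceGuard` subkey from step 1 will not contain that value on a machine where VBS has never been configured; tell the reader to create the DWORD value if it is absent, then set it to 1. In the Note above, "customers will lose protection from driver-based attacks" would be clearer as "the system is not protected against DMA attacks by devices or their drivers", since DMA protection is the specific thing the IOMMU provides.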
@ -298,24 +320,37 @@ Unfortunately, it would be time consuming to perform these steps manually on eve
**Note**
Microsoft recommends that you test-enable this feature on a group of test machines before you deploy it to machines that are currently deployed to users.
**Use Group Policy to deploy Secure Boot**
<a href="" id="bkmk-depsecureboot"></a>
1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.<p>
<br>Figure 2. Create a new OU-linked GPO
1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.

Figure 2. Create a new OU-linked GPO
2. Name the new GPO **Contoso Secure Boot GPO Test**. This example uses *Contoso Secure Boot GPO Test* as the name of the GPO. You can choose any name for this example. Ideally, the name would align with your existing GPO naming convention.
3. To open the Group Policy Management Editor, right-click the new GPO, and then click **Edit**.
4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Then, right-click **Turn On Virtualization Based Security**, and then click **Edit**.<p>
<br>Figure 3. Enable VBS
4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Then, right-click **Turn On Virtualization Based Security**, and then click **Edit**.
5. Select the **Enabled** option, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list.<p>
<br>Figure 4. Enable Secure Boot

**Note**<br>Device Guard Secure Boot is maximized when combined with DMA protection. If your hardware contains the IOMMUs required for DMA protection, be sure to select the **Secure Boot and DMA Protection** platform security level. If your hardware does not contain IOMMU, there are several mitigations provided by leveraging Secure Boot without DMA Protection.
Figure 3. Enable VBS
5. Select the **Enabled** option, and then select **Secure Boot and DMA Protection** from the **Select Platform Security Level** list.

Figure 4. Enable Secure Boot
**Note**
Device Guard Secure Boot is maximized when combined with DMA protection. If your hardware contains the IOMMUs required for DMA protection, be sure to select the **Secure Boot and DMA Protection** platform security level. If your hardware does not contain IOMMU, there are several mitigations provided by leveraging Secure Boot without DMA Protection.
6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. After you configure this setting, UEFI Secure Boot will be enabled upon restart.
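Review bot: the image that precedes the "Figure 3. Enable VBS" caption in this hunk is `` (the same file that is then captioned "Figure 4. Enable Secure Boot"), whereas in the KMCI and Credential Guard hunks later in the patch the "Enable VBS" caption (Figures 6 and 9) follows ``. Check whether step 4 here should reference `images/dg-fig3.png`. Separately, step 2 says the same thing twice ("Name the new GPO **Contoso Secure Boot GPO Test**. This example uses *Contoso Secure Boot GPO Test* as the name of the GPO."); one sentence plus "You can choose any name ..." is enough.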
@ -332,6 +367,8 @@ Before you begin this process, verify that the desired computer meets the hardwa
**Note**
All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. Microsoft recommends that you enable this feature on a group of test machines before you enable it on deployed machines.
To configure virtualization-based protection of KMCI manually:
1. Navigate to the **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard** registry subkey.
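Review bot: "All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail" leaves the reader guessing what "fail" looks like. Name the symptom: a driver that is not compatible is blocked from loading once this protection is on, so a device that depends on it stops working and, for boot-critical drivers, the machine may not boot. That is also the concrete reason for the test-group advice in the same Note.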
@ -345,9 +382,15 @@ It would be time consuming to perform these steps manually on every protected ma
**Note**
Microsoft recommends that you test-enable this feature on a group of test computers before you deploy it to machines that are currently deployed to users. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail.
To use Group Policy to configure VBS of KMCI:
1. Create a new GPO: Right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.<p><br>Figure 5. Create a new OU-linked GPO
1. Create a new GPO: Right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.

Figure 5. Create a new OU-linked GPO
2. Name the new GPO **Contoso VBS CI Protection GPO Test**.
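Review bot: the three GPO walkthroughs in this patch phrase the same first step three ways: "To create a new GPO, right-click ..." (Secure Boot), "Create a new GPO: Right-click ..." here, and "Create a new GPO: right-click ..." (Credential Guard). Pick one form, and since the three procedures differ only in the GPO name and the check box chosen in step 5, consider writing the common steps once and listing only the per-feature differences.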
@ -355,9 +398,17 @@ To use Group Policy to configure VBS of KMCI:
3. Open the Group Policy Management Editor: Right-click the new GPO, and then click **Edit**.
4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Then, right-click **Turn On Virtualization Based Security**, and then click **Edit**.<p><br>Figure 6. Enable VBS
4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Then, right-click **Turn On Virtualization Based Security**, and then click **Edit**.
5. Select the **Enabled** option, and then select the **Enable Virtualization Based Protection of Code Integrity** check box.<p><br>Figure 7. Enable VBS of KMCI

Figure 6. Enable VBS
5. Select the **Enabled** option, and then select the **Enable Virtualization Based Protection of Code Integrity** check box.

Figure 7. Enable VBS of KMCI
6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. With this setting configured, the VBS of the KMCI will take effect upon restart.
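Review bot: step 6 ends with "the VBS of the KMCI will take effect upon restart", and the procedure title above uses the same shorthand ("To use Group Policy to configure VBS of KMCI"). The feature the check box in step 5 names is "Virtualization Based Protection of Code Integrity"; use that phrase (or "virtualization-based protection of KMCI") in both places so the text matches the policy UI the reader is looking at.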
@ -386,9 +437,15 @@ To avoid spending an unnecessary amount of time in manual deployments, use Group
**Note**
Microsoft recommends that you enable Credential Guard before you join a machine to the domain to ensure that all credentials are properly protected. Setting the appropriate registry subkeys during your imaging process would be ideal to achieve this protection.
To use Group Policy to enable Credential Guard:
1. Create a new GPO: right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.<p><br>Figure 8. Create a new OU-linked GPO
1. Create a new GPO: right-click the OU to which you want to link the GPO, and then click **Create a GPO in this domain, and Link it here** .

Figure 8. Create a new OU-linked GPO
2. Name the new GPO **Contoso Credential Guard GPO Test**.
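Review bot: the rewritten step 1 has a stray space before the full stop ("**Create a GPO in this domain, and Link it here** ."), which the old line did not have; remove it. The Note above it is the one place in the patch that says when to enable Credential Guard (before domain join, ideally via the registry values set during imaging); it would help to say that those are the same `...\Control\DeviceGuard` values shown in the manual steps earlier in the patch rather than leaving "the appropriate registry subkeys" unnamed.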
@ -396,20 +453,32 @@ To use Group Policy to enable Credential Guard:
3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.<p><br>Figure 9. Enable VBS
4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.
5. Select the **Enabled** option, and then select the **Enable Credential Guard** check box.<p><br>Figure 10. Enable Credential Guard

Figure 9. Enable VBS
5. Select the **Enabled** option, and then select the **Enable Credential Guard** check box.

Figure 10. Enable Credential Guard
6. Close Group Policy Management Editor, and then restart the Windows 10 test computer.
**Note**<br>
The default platform security level is **Secure Boot**. If IOMMUs are available within the protected machines, it is recommended that you select **Secure Boot and DMA Protection** to maximize the mitigations that are available through Credential Guard.
**Note**
The default platform security level is **Secure Boot**. If IOMMUs are available within the protected machines, it is recommended that you select **Secure Boot and DMA Protection** to maximize the mitigations that are available through Credential Guard.
7. Check the test client event log for Device Guard GPOs.
**Note**
All processed Device Guard policies are logged in event viewer under Application and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational.
For additional information about how Credential Guard works as well as additional configuration options, please refer to the [Credential Guard documentation](http://go.microsoft.com/fwlink/p/?LinkId=624529).
**Validate enabled Device Guard hardware-based security features**
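Review bot: the Note "The default platform security level is **Secure Boot**. If IOMMUs are available ... select **Secure Boot and DMA Protection**" is placed after step 6 (close the editor and restart), but the choice it describes is made in the policy dialog opened in step 5, where the Secure Boot walkthrough names the **Select Platform Security Level** list. Move the Note under step 5 so the reader sees it while the dialog is still open; after the restart it is too late. Step 7's event log path (Application and Services Logs\Microsoft\Windows\DeviceGuard-GPEXT\Operational) is useful and could be given as the way to confirm the policy applied for all three GPO procedures, not only this one.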
@ -423,6 +492,8 @@ The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition o
The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. For detailed information about what each property means, refer to Table 1.
Table 1. Win32\_DeviceGuard properties
<table>
@ -504,14 +575,24 @@ Table 1. Win32\_DeviceGuard properties
</tbody>
</table>
Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 11.<p><br>Figure 11. Device Guard properties in the System Summary
Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the **System Summary** section, as shown in Figure 11.

Figure 11. Device Guard properties in the System Summary
## Catalog files
Enforcement of Device Guard on a system requires that every trusted application have a signature or its binary hashes added to the code integrity policy. For many organizations, this can be an issue when considering unsigned LOB applications. To avoid the requirement that organizations repackage and sign these applications, Windows 10 includes a tool called Package Inspector that monitors an installation process for any deployed and executed binary files. If the tool discovers such files, it itemizes them in a catalog file. These catalog files offer you a way to trust your existing unsigned applications, whether developed in house or by a third party, as well as trust signed applications for which you do not want to trust the signer but rather the specific application. When created, these files can be signed, the signing certificates added to your existing code integrity policies, and the catalog files themselves distributed to the clients.
**Note**
The Enterprise edition of Windows 10 or Windows Server 2016 is required to create and use catalog files.
### <a href="" id="create-catalog-files"></a>
**Create catalog files**
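Review bot: `### <a href="" id="create-catalog-files"></a>` followed two lines later by the bold pseudo-heading `**Create catalog files**` produces an empty `<h3>` plus a bold paragraph; merge them into `### <a href="" id="create-catalog-files"></a>Create catalog files` so the anchor and the title are one heading (the same problem as the `dg-with-cg` anchor earlier in the patch). Also, "run msinfo32.exe from an elevated PowerShell session" overstates the requirement; any elevated command prompt or Run dialog works, so "from an elevated prompt" is more accurate.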
@ -521,12 +602,16 @@ The creation of catalog files is the first step to add an unsigned application t
**Note**
When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, you will use *\*-Contoso.cat* as the naming convention. For more information about why this practice is helpful to inventory or detect catalog files, see the [Inventory catalog files with System Center Configuration Manager](#inventory-cat-sccm) section.
1. Be sure that a code integrity policy is currently running in audit mode.
Package Inspector does not always detect installation files that have been removed from the machine during the installation process. To ensure that these binaries are also trusted, the code integrity policy that you created and audited in the [Create code integrity policies from golden PCs](#create-code-golden) and [Audit code integrity policies](#audit-code-integrity) sections should be deployed, in audit mode, to the system on which you are running Package Inspector.
**Note**
This process should **not** be performed on a system running an enforced Device Guard policy, only with a policy running in audit mode. If a policy is currently being enforced, you will not be able to install and run the application.
This process should **not** be performed on a system running an enforced Device Guard policy, only with a policy running in audit mode. If a policy is currently being enforced, you will not be able to install and run the application.
2. Start Package Inspector, and then scan drive C:
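Review bot: step 1 ("Be sure that a code integrity policy is currently running in audit mode") is followed by an explanatory paragraph and a Note at column 0, so the numbered list is closed before "2. Start Package Inspector ..." and the procedure renders as two lists; indent the paragraph and the Note under step 1. Step 1 also tells the reader to be sure of the audit-mode state without saying how to check it; a pointer to the validation section (the `Win32_DeviceGuard` properties in Table 1) or to the Code Integrity event log would make the step actionable.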
@ -535,6 +620,8 @@ When you establish a naming convention it makes it easier to detect deployed cat
**Note**
Package inspector can monitor installations on any local drive. In this example, we install the application on drive C, but any other drive can be used.
3. Copy the installation media to drive C.
By copying the installation media to drive C, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future code integrity policy may trust the application to run but not be installed.
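Review bot: the Note writes the tool name as "Package inspector" while the surrounding steps and the section intro use "Package Inspector"; keep the capitalised form. The paragraph under step 3 makes the important point that skipping the copy leaves the installer itself uncatalogued ("the future code integrity policy may trust the application to run but not be installed"); that is worth promoting into the step text rather than leaving it as a trailing explanation.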
@ -546,6 +633,8 @@ When you establish a naming convention it makes it easier to detect deployed cat
**Note**
Every binary that is run while Package Inspector is running will be captured in the catalog. Therefore, be sure not to run additional installations or updates during the scan to minimize the risk of trusting the incorrect binaries. Alternatively, if you want to add multiple applications to a single catalog file, simply repeat the installation and run process while the current scan is running.
5. Stop the scan, and then generate definition and catalog files. When application installation and initial setup are finished, stop the Package Inspector scan and generate the catalog and definition files on your desktop by using the following commands:
`$ExamplePath=$env:userprofile+"\Desktop"`
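Review bot: the step 5 commands are written as separate single-backtick spans, one per line (`$ExamplePath=$env:userprofile+"\Desktop"`, then the `$CatFileName`/`$CatDefName` assignments and the `PackageInspector.exe Stop` call in the next hunk), which renders as inline code in prose and cannot be copied as a unit. Put the whole sequence in one fenced ```powershell block. While there, `Join-Path $env:USERPROFILE 'Desktop'` is the idiomatic way to build the path instead of string concatenation.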
@ -555,8 +644,11 @@ When you establish a naming convention it makes it easier to detect deployed cat
`$CatDefName=$ExamplePath+"\LOBApp.cdf"`
`PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
**Note**<br>This scan catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values.
**Note**
This scan catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values.
When finished, the files will be saved to your desktop. To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be included in the code integrity policy, and the catalog file can be distributed to the individual client machines. Catalog files can be signed by using a certificate and SignTool.exe, a free tool available in the Windows SDK. For more information about signing catalog files with SignTool.exe, see the [Catalog signing with SignTool.exe](#catsign-signtool) section.
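Review bot: the Note "This scan catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again" repeats the earlier Note in the "Existing line-of-business applications" hunk ("Catalog files are lists of individual binaries' hash values. If the scanned application is updated, you will need to create a new catalog file"); keep one and cross-reference it. The closing paragraph also spells the tool "SignTool.exe" while step 3 of the signing hunk below says "Signtool.exe"; use one spelling.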
@ -603,6 +695,8 @@ If you do not have a code signing certificate, please see the [Create a Device G
**Note**
In this example, you use the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, be sure to update the *$ExamplePath* and *$CatFileName* variables with the correct information.
2. Import the code signing certificate. Import the code signing certificate that will be used to sign the catalog file to the signing user’s personal store. In this example, you use the certificate that you created in the [Create a Device Guard code signing certificate](#create-dg-code) section.
3. Sign the catalog file with Signtool.exe:
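Review bot: step 2 says to import the code signing certificate "to the signing user's personal store" but does not say that the private key must come with it (a certificate imported without its key cannot sign); add that the import must include the private key, and that the signing should be done on a dedicated machine or with a smart card/HSM rather than on an ordinary workstation, since whoever holds this key can make any catalog trusted by the policy.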
@ -619,13 +713,21 @@ If you do not have a code signing certificate, please see the [Create a Device G
</tbody>
</table>
**Note**<br>
**Note**
The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* is the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the machine on which you are attempting to sign the catalog file.
**Note**<br>
**Note**
For additional information about Signtool.exe and all additional switches, visit [MSDN Sign Tool page](http://go.microsoft.com/fwlink/p/?LinkId=624163).
4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 12.<p><br>Figure 12. Verify that the signing certificate exists
4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 12.

Figure 12. Verify that the signing certificate exists
5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}.
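Review bot: in the first Note, `*<Path to signtool.exe>*` puts an angle-bracket placeholder in raw Markdown, where `<Path to signtool.exe>` is parsed as an HTML tag and dropped, leaving the sentence reading "The ** variable should be ...". Escape it (`*\<Path to signtool.exe\>*`) or put the placeholder in backticks. Step 4's check is also incomplete as a verification: seeing the certificate on the **Digital Signatures** tab with **sha256** confirms a signature is present, but the reader should also open it and confirm it reports as valid, since a signature by an untrusted or wrong certificate will show on that tab too.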
@ -640,17 +742,21 @@ To simplify the management of catalog files, you can use Group Policy preference
**Note**
This walkthrough requires that you have previously created a signed catalog file and have a Windows 10 client PC on which to test a Group Policy deployment. For more information about how to create and sign a catalog file, see the [Catalog files](#catalog-files) section.
To deploy a catalog file with Group Policy:
1. From either a domain controller or a client PC that has Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC) by running **GPMC.MSC** or by searching for Group Policy Management.
2. Create a new GPO: Right-click the DG Enabled PCs OU, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 13.
**Note**<br>
|
||||
2. Create a new GPO: right-click the DG Enabled PCs OU, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 13.
**Note**
|
||||
The DG Enabled PCs OU is just an example of where to link the test GPO that you created in this section. You can use any OU name. Also, security group filtering is an option when you consider policy partitioning options based on the strategy discussed in the [Approach enterprise code integrity deployment](#approach-enterprise) section.

Figure 13. Create a new GPO
3. Name the new GPO **Contoso DG Catalog File GPO Test**.
|
||||
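Review bot: step 2 creates and links the GPO in one action, so an empty GPO is linked to the DG Enabled PCs OU before steps 3 onward configure the file preference; for anything beyond the test OU the note describes, suggest creating the GPO under Group Policy Objects first and linking it only once the catalog file item is complete.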
@ -682,6 +788,8 @@ To deploy a catalog file with Group Policy:
|
||||
**Note**
|
||||
LOBApp-Contoso.cat is not a required catalog name: This name was used in the [Create catalog files](#create-catalog-files) section, and so it was used here, as well.
10. On the **Common** tab of the **New File Properties** dialog box, select the **Remove this item when it is no longer applied** option. Doing this ensures that the catalog file is removed from every system, in case you ever need to stop trusting this application.
11. Click **OK** to complete file creation.
|
||||
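Review bot: step 10 promises removal "from every system", but a preference item is removed only when a machine next processes Group Policy and sees that the item no longer applies; machines that never process the change (decommissioned or long-offline ones) keep the catalog file. Suggest softening the sentence to "from every system that processes the policy change".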
@ -697,6 +805,8 @@ As an alternative to Group Policy, you can use System Center Configuration Manag
|
||||
**Note**
|
||||
The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization.
1. Open the Configuration Manager console, and select the Software Library workspace.
2. Navigate to Overview\\Application Management, right-click **Packages**, and then click **Create Package**.
|
||||
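Review bot: the note introduces \\Shares\CatalogShare as the source for catalog files but says nothing about its permissions; because everything copied from it into catroot becomes trusted, the share should be writable only by the accounts that produce signed catalogs and read-only for everyone else, and that should be stated in the note.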
@ -772,6 +882,8 @@ When catalog files have been deployed to the machines within your environment, w
|
||||
**Note**
|
||||
A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names.
1. Open the Configuration Manager console, and select the Administration workspace.
2. Navigate to **Overview\\Client Settings**, right-click **Client Settings**, and then click **Create Custom Client Device Settings**.
|
||||
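Review bot: the note presents the *-Contoso* suffix as what the inventory keys on; add one sentence that this is a naming convenience only, since trust in a catalog file comes from its signature and not its name, so inventory results show which files are present, not which ones are valid.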
@ -795,6 +907,8 @@ A standard naming convention for your catalog files will significantly simplify
|
||||
**Note**
|
||||
**\*Contoso.cat** is the naming convention used in this example. This should mimic the naming convention you use for your catalog files.
7. In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 21.

|
||||
@ -818,7 +932,11 @@ At the time of the next software inventory cycle, when the targeted clients rece
|
||||
**Note**
|
||||
If nothing is displayed in this view, navigate to Software\\Last Software Scan in Resource Explorer to verify that the client has recently completed a software inventory scan.
## Code integrity policies
Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see the [Configurable code integrity](#config-code) section.
A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden PC. Like when imaging, you can have multiple golden PCs based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom.
|
||||
@ -826,12 +944,16 @@ A common system imaging practice in today’s IT organization is to establish a
|
||||
**Note**
|
||||
Each machine can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies.
Optionally, code integrity policies can align with your software catalog as well as any IT department–approved applications. One simple method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, should the applications be installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
**Note**
|
||||
The following section assumes that you will deploy code integrity policies as part of your Device Guard deployment. Alternatively, configurable code integrity is available without the enablement of Device Guard.
### <a href="" id="code-integrity-policy-rules"></a>
### <a href="" id="code-integrity-policy-rules"></a>
**Code integrity policy rules**
|
||||
|
||||
|
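Review bot: the heading at the end of the hunk is an empty `### <a href="" id="code-integrity-policy-rules"></a>` followed by `**Code integrity policy rules**` as loose bold text; put the heading text on the `###` line (keeping the anchor) so it is a real heading that the TOC picks up. In the one-policy note, it is worth saying outright that deploying a second policy silently replaces the SIPolicy.p7b already in C:\Windows\System32\CodeIntegrity, since the paragraph below invites per-role and per-department policies.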
@ -26,9 +26,9 @@ The following policy settings determine whether a secure channel can be establis
- Domain member: Digitally encrypt or sign secure channel data (always)
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data--when-possible.md)
|
||||
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data--when-possible.md)
|
||||
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
|
||||
|
||||
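Review bot: the link targets change from `...-data--when-possible.md` to `...-data-when-possible.md`, but this hunk (and every following hunk in the three domain-member topics) only changes references; confirm the target files are renamed in the same commit, since that rename is not visible here and otherwise all of these links break.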
@ -36,7 +36,7 @@ To protect authentication traffic from man-in-the-middle, replay, and other type
To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data.
Enabling the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting automatically enables the [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data--when-possible.md) policy setting.
|
||||
Enabling the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting automatically enables the [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) policy setting.
When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
@ -44,15 +44,15 @@ When a device joins a domain, a machine account is created. After joining the do
- Enabled
The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data--when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
|
||||
The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
- Disabled
The encryption and signing of all secure channel traffic is negotiated with the domain controller, in which case the level of signing and encryption depends on the version of the domain controller and the settings of the following policies:
1. [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data--when-possible.md)
|
||||
1. [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
2. [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data--when-possible.md)
|
||||
2. [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
- Not defined
@ -60,12 +60,12 @@ When a device joins a domain, a machine account is created. After joining the do
- Set **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled**.
- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data--when-possible.md) to **Enabled**.
|
||||
- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**.
- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data--when-possible.md) to **Enabled**.
|
||||
- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**.
**Note**
|
||||
You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data--when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data--when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications.
|
||||
You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications.
@ -146,9 +146,9 @@ Select one of the following settings as appropriate for your environment to conf
- **Domain member: Digitally encrypt or sign secure channel data (always)**
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data--when-possible.md)
|
||||
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data--when-possible.md)
|
||||
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
### Potential impact
@ -24,15 +24,15 @@ This setting determines whether all secure channel traffic that is initiated by
In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic:
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md)
|
||||
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data--when-possible.md)
|
||||
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains.
Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting.
|
||||
Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting.
When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
@ -47,7 +47,7 @@ When a device joins a domain, a machine account is created. After joining the do
|
||||
The domain member will not attempt to negotiate secure channel encryption.
**Note**
|
||||
If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md) is enabled, this setting will be overwritten.
|
||||
If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten.
|
||||
|
||||
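Review bot: in the note, "this setting will be overwritten" should read "this setting is overridden"; enabling the (always) policy takes precedence over this one at run time, it does not rewrite the stored value of this setting.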
@ -55,11 +55,11 @@ When a device joins a domain, a machine account is created. After joining the do
### Best practices
- Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md) to **Enabled**.
|
||||
- Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**.
- Set **Domain member: Digitally encrypt secure channel data (when possible)** to **Enabled**.
- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data--when-possible.md) to **Enabled**.
|
||||
- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**.
### Location
@ -136,11 +136,11 @@ When a device joins a domain, a machine account is created. After it joins the d
Select one of the following settings as appropriate for your environment to configure the computers in your domain to encrypt or sign secure channel data:
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md)
|
||||
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
- **Domain member: Digitally encrypt secure channel data (when possible)**
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data--when-possible.md)
|
||||
- [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md)
### Potential impact
@ -24,17 +24,17 @@ This setting determines whether all secure channel traffic that is initiated by
The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic:
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md)
|
||||
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data--when-possible.md)
|
||||
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
- Domain member: Digitally sign secure channel data (when possible)
Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md) to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
|
||||
Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains.
Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting.
|
||||
Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting.
When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
@ -46,20 +46,20 @@ When a device joins a domain, a machine account is created. After joining the do
- Disabled
Signing will not be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md) is enabled.
|
||||
Signing will not be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled.
- Not defined
### Best practices
- Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md) to **Enabled**.
|
||||
- Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**.
- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data--when-possible.md) to **Enabled**.
|
||||
- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**.
- Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**.
**Note**
|
||||
You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data--when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications.
|
||||
You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications.
@ -138,9 +138,9 @@ When a device joins a domain, a machine account is created. After it joins the d
Because these policies are closely related and useful depending on your environment, select one of the following settings as appropriate to configure the devices in your domain to encrypt or sign secure channel data when possible.
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data--always.md)
|
||||
- [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md)
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data--when-possible.md)
|
||||
- [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md)
- **Domain member: Digitally sign secure channel data (when possible)**
187
windows/keep-secure/enlightened-microsoft-apps-and-edp.md
Normal file
@ -0,0 +1,187 @@
|
||||
---
|
||||
title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10)
|
||||
description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list.
|
||||
ms.assetid: 17C85EA3-9B66-4B80-B511-8F277CB4345F
|
||||
keywords: ["EDP", "Enterprise Data Protection"]
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
author: brianlic-msft
|
||||
---
# List of enlightened Microsoft apps for use with enterprise data protection (EDP)
**Applies to:**
- Windows 10 Insider Preview
|
||||
- Windows 10 Mobile Preview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows SDK Insider Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list.
## Enlightened versus unenlightened apps
Apps can be enlightened (policy-aware) or unenlightened (policy unaware).
- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
-
**Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
- Windows Desktop shows it as always running in enterprise mode.
- Windows **Save As** experiences only allow you to save your files as enterprise.
it won't use common controls for saving files or text boxes, and will work on personal and enterprise data simultaneously (for example, a browser that displays personal and enterprise web pages on tabs within a single instance).
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
- Microsoft Edge
- Internet Explorer 11
- Microsoft People
- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
- Microsoft Photos
- Microsoft OneDrive
- Groove Music
- Notepad
- Microsoft Paint
- Microsoft Movies & TV
- Microsoft Messaging
## Adding enlightened Microsoft apps to the Protected Apps list
You can add any or all of the enlightened Microsoft apps to your Protected Apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
<table>
|
||||
<colgroup>
|
||||
<col width="50%" />
|
||||
<col width="50%" />
|
||||
</colgroup>
|
||||
<thead>
|
||||
<tr class="header">
|
||||
<th align="left">Product name</th>
|
||||
<th align="left">App info</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Edge</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>Product Name:</strong> Microsoft.MicrosoftEdge</p>
|
||||
<p><strong>App Type:</strong> Universal App</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>IE11</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>File Name:</strong> iexplore.exe</p>
|
||||
<p><strong>App Type:</strong> Desktop App</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft People</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>Product Name:</strong> Microsoft.People</p>
|
||||
<p><strong>App Type:</strong> Universal App</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Word Mobile</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>Product Name:</strong> Microsoft.Office.Word</p>
|
||||
<p><strong>App Type:</strong> Universal App</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Excel Mobile</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>Product Name:</strong> Microsoft.Office.Excel</p>
|
||||
<p><strong>App Type:</strong> Universal App</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>PowerPoint Mobile</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>Product Name:</strong> Microsoft.Office.PowerPoint</p>
|
||||
<p><strong>App Type:</strong> Universal App</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>OneNote</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>Product Name:</strong> Microsoft.Office.OneNote</p>
|
||||
<p><strong>App Type:</strong> Universal App</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Outlook Mail and Calendar</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>Product Name:</strong> microsoft.windowscommunicationsapps</p>
|
||||
<p><strong>App Type:</strong> Universal App</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Photos</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>Product Name:</strong> Microsoft.Windows.Photos</p>
|
||||
<p><strong>App Type:</strong> Universal AppMicrosoft.Windows.Photos</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft OneDrive</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>Product Name:</strong> microsoft.microsoftskydrive</p>
|
||||
<p><strong>App Type:</strong> Universal App</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Groove Music</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>Product Name:</strong> Microsoft.ZuneMusic</p>
|
||||
<p><strong>App Type:</strong> Universal App</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Notepad</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</code></p>
|
||||
<p><strong>File Name:</strong> notepad.exe</p>
|
||||
<p><strong>App Type:</strong> Desktop App</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Paint</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</code></p>
|
||||
<p><strong>File Name:</strong> mspaint.exe</p>
|
||||
<p><strong>App Type:</strong> Desktop App</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Microsoft Movies & TV</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>Product Name:</strong> Microsoft.ZuneVideo</p>
|
||||
<p><strong>App Type:</strong> Universal App</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Microsoft Messaging</p></td>
|
||||
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
|
||||
<p><strong>Product Name:</strong> Microsoft.Messaging</p>
|
||||
<p><strong>App Type:</strong> Universal App</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
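Review bot: the Microsoft Photos row's App Type cell reads `Universal AppMicrosoft.Windows.Photos`, so the product name has been duplicated into the App Type value; it should read just `Universal App`, as in every other Universal App row. Two further points in the same table: the `Microsoft Movies & TV` cell carries a bare `&` inside HTML markup and should be written `Microsoft Movies &amp; TV` so the table stays well-formed, and the Publisher strings are inconsistent across rows. The Universal App rows have no comma between `CN=Microsoft Corporation` and `O=Microsoft Corporation` even though every other RDN in those strings is comma-separated, and the desktop rows give the same certificate subject once in mixed case (IE11) and twice in upper case (Notepad, Microsoft Paint). Since the intro says these values are what admins enter into Microsoft Intune and System Center Configuration Manager, a mistyped or inconsistent publisher string means the rule silently fails to match the app, so each string should be checked against the actual signing certificate subject before this ships.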
Some files were not shown because too many files have changed in this diff.