deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 02:43:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/rs4' into jdrs4wcd

Browse Source
This commit is contained in:
Jeanie Decker
2018-02-22 08:59:37 -08:00
parent 4f22ac72cd 8e59db63d3
commit f2980562ff
16 changed files with 491 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
devices/surface-hub/change-history-surface-hub.md
View File

@ -21,6 +21,8 @@ This topic lists new and updated topics in the [Surface Hub Admin Guide]( surfac
New or changed topic | Description
--- | ---
[Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md) | Updated instructions for custom settings using Microsoft Intune.
[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Updated instructions and scripts.
| [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated instructions and scripts.
## January 2018

119
devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 10/20/2017
ms.date: 02/21/2018
ms.localizationpriority: medium
---
@ -38,11 +38,11 @@ Use this procedure if you use Exchange on-premises.
3. Enable the remote mailbox.
2. Enable the remote mailbox.
Open your on-premises Exchange Management Shell with administrator permissions, and run this cmdlet.
```ps1
```PowerShell
Enable-RemoteMailbox 'HUB01@contoso.com' -RemoteRoutingAddress 'HUB01@contoso.com' -Room
```
>[!NOTE]
@ -54,7 +54,7 @@ Use this procedure if you use Exchange on-premises.
>
>msExchRecipientTypeDetails = 8589934592
2. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online.
3. After you've created the account, run a directory synchronization. When it's complete, go to the users page in your Office 365 admin center and verify that the account created in the previous steps has merged to online.
4. Connect to Microsoft Exchange Online and set some properties for the account in Office 365.
@ -62,8 +62,8 @@ Use this procedure if you use Exchange on-premises.
The next steps will be run on your Office 365 tenant.
```ps1
Set-ExecutionPolicy Unrestricted
```PowerShell
Set-ExecutionPolicy RemoteSigned
$cred=Get-Credential -Message "Please use your Office 365 admin credentials"
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri 'https://ps.outlook.com/powershell' -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $sess
@ -77,13 +77,13 @@ Use this procedure if you use Exchange on-premises.
If you havent created a compatible policy yet, use the following cmdlet—-this one creates a policy called "Surface Hubs". Once its created, you can apply the same policy to other device accounts.
```ps1
```PowerShell
$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
```
Once you have a compatible policy, then you will need to apply the policy to the device account.
```ps1
```PowerShell
Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id
```
@ -91,31 +91,44 @@ Use this procedure if you use Exchange on-premises.
Setting Exchange properties on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
```ps1
```PowerShell
Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse 'This is a Surface Hub room!'
```
7. Connect to Azure AD.
You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect.
```ps1
Connect-MsolService -Credential $cred
You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command :
```PowerShell
Install-Module -Name AzureAD
```
You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect.
```PowerShell
Import-Module AzureAD
Connect-AzureAD -Credential $cred
```
8. Assign an Office 365 license.
The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant.
You can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*).
Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable.
```ps1
Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation 'US'
Get-MsolAccountSku
Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense
```PowerShell
Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US"
Get-AzureADSubscribedSku | Select Sku*,*Units
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId = SkuId You selected
$AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$AssignedLicenses.AddLicenses = $License
$AssignedLicenses.RemoveLicenses = @()
Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses
```
Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-premises](#skype-for-business-on-premises), or [Skype for Business hybrid](#skype-for-business-hybrid).
@ -144,25 +157,25 @@ The following table lists the Office 365 plans and Skype for Business options.
1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment.
```ps1
Import-Module LyncOnlineConnector
```PowerShell
Import-Module SkypeOnlineConnector
$cssess=New-CsOnlineSession -Credential $cred
Import-PSSession $cssess -AllowClobber
```
2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
```ps1
```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool 'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
```
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
```ps1
```PowerShell
Get-CsOnlineUser -Identity HUB01@contoso.com| fl *registrarpool*
```
2. Assign Skype for Business license to your Surface Hub account.
3. Assign Skype for Business license to your Surface Hub account.
Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device.
@ -215,10 +228,10 @@ Use this procedure if you use Exchange online.
Start a remote PowerShell session on a PC and connect to Exchange. Be sure you have the right permissions set to run the associated cmdlets.
```ps1
Set-ExecutionPolicy Unrestricted
```PowerShell
Set-ExecutionPolicy RemoteSigned
$cred=Get-Credential -Message "Please use your Office 365 admin credentials"
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/ps1-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/PowerShell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $sess
```
@ -228,13 +241,13 @@ Use this procedure if you use Exchange online.
If you're changing an existing resource mailbox:
```ps1
```PowerShell
Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String <password> -AsPlainText -Force)
```
If youre creating a new resource mailbox:
```ps1
```PowerShell
New-Mailbox -MicrosoftOnlineServicesID 'HUB01@contoso.com' -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String <password> -AsPlainText -Force)
```
@ -246,13 +259,13 @@ Use this procedure if you use Exchange online.
If you havent created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once its created, you can apply the same policy to other device accounts.
```ps1
```PowerShell
$easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
```
Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too.
```ps1
```PowerShell
Set-Mailbox 'HUB01@contoso.com' -Type Regular
Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.id
Set-Mailbox 'HUB01@contoso.com' -Type Room
@ -264,7 +277,7 @@ Use this procedure if you use Exchange online.
Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section.
```ps1
```PowerShell
Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false AllowConflicts $false DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
```
@ -294,24 +307,38 @@ Use this procedure if you use Exchange online.
7. Connect to Azure AD.
You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command :
```PowerShell
Install-Module -Name AzureAD
```
You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect.
```ps1
Connect-MsolService -Credential $cred
```PowerShell
Import-Module AzureAD
Connect-AzureAD -Credential $cred
```
8. Assign an Office 365 license.
The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account.
Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant.
Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*).
Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable.
```ps1
Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation 'US'
Get-MsolAccountSku
Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense
```PowerShell
Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US"
Get-AzureADSubscribedSku | Select Sku*,*Units
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId = SkuId You selected
$AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$AssignedLicenses.AddLicenses = $License
$AssignedLicenses.RemoveLicenses = @()
Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses
```
Next, you enable the device account with [Skype for Business Online](#sfb-online), [Skype for Business on-premises](#sfb-onprem), or [Skype for Business hybrid](#sfb-hybrid).
@ -323,22 +350,22 @@ In order to enable Skype for Business, your environment will need to meet the [p
1. Start by creating a remote PowerShell session to the Skype for Business online environment from a PC.
```
Import-Module LyncOnlineConnector
```PowerShell
Import-Module SkypeOnlineConnector
$cssess=New-CsOnlineSession -Credential $cred
Import-PSSession $cssess -AllowClobber
```
2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet:
```
```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool
'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
```
If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet:
```
```PowerShell
Get-CsOnlineUser -Identity 'HUB01@contoso.com'| fl *registrarpool*
```
@ -368,7 +395,7 @@ For validation, you should be able to use any Skype for Business client (PC, And
To run this cmdlet, you will need to connect to one of the Skype front-ends. Open the Skype PowerShell and run:
```
```PowerShell
Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool registrarpoolfqdn -SipAddressType UserPrincipalName
```
@ -383,7 +410,7 @@ In a hybrid Skype environment, you have to create the user on-premises first, th
In order to have a functional Surface Hub account in a Skype hybrid configuration, create the Skype account as a normal user type account, instead of creating the account as a meetingroom. First follow the Exchange steps - either [online](#exchange-online) or [on-premises](#exchange-on-premises) - and, instead of enabling the user for Skype for Business Online as described, [enable the account](https://technet.microsoft.com/library/gg398711.aspx) on the on-premises Skype server:
```
```PowerShell
Enable-CsUser -Identity 'HUB01@contoso.com' -RegistrarPool "registrarpoolfqdn" -SipAddressType UserPrincipalName
```

40
devices/surface-hub/online-deployment-surface-hub-device-accounts.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 08/29/2017
ms.date: 02/21/2018
ms.localizationpriority: medium
---
@ -25,7 +25,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Be sure you have the right permissions set to run the associated cmdlets.
```PowerShell
Set-ExecutionPolicy Unrestricted
Set-ExecutionPolicy RemoteSigned
$org='contoso.microsoft.com'
$cred=Get-Credential admin@$org
$sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
@ -71,36 +71,51 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
5. Connect to Azure AD.
You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command :
```PowerShell
Install-Module -Name AzureAD
```
You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect.
```PowerShell
Connect-MsolService -Credential $cred
Import-Module AzureAD
Connect-AzureAD -Credential $cred
```
6. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information.
```PowerShell
Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true
Set-AzureADUser -ObjectId "HUB01@contoso.com" -PasswordPolicies "DisablePasswordExpiration"
```
7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online).
Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant.
Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant.
Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*).
Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable.
```PowerShell
Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -UsageLocation "US"
Get-MsolAccountSku
Set-MsolUserLicense -UserPrincipalName 'HUB01@contoso.com' -AddLicenses $strLicense
Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US"
Get-AzureADSubscribedSku | Select Sku*,*Units
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId = SkuId You selected
$AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$AssignedLicenses.AddLicenses = $License
$AssignedLicenses.RemoveLicenses = @()
Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses
```
8. Enable the device account with Skype for Business.
If the Skype for Business PowerShell module is not installed, [download the Skype for Business Online Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366).
- Start by creating a remote PowerShell session from a PC.
```PowerShell
Import-Module LyncOnlineConnector
Import-Module SkypeOnlineConnector
$cssess=New-CsOnlineSession -Credential $cred
Import-PSSession $cssess -AllowClobber
```
@ -108,12 +123,13 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
- Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*):
```PowerShell
Get-CsOnlineUser -Identity alice@contoso.com| fl *registrarpool*
(Get-CsTenant).TenantPoolExtension
```
OR by setting a variable
```PowerShell
$strRegistrarPool = (Get-CsOnlineUser -Identity alice@contoso.com).RegistrarPool
$strRegistrarPool = (Get-CsTenant).TenantPoolExtension
$strRegistrarPool = $strRegistrarPool[0].Substring($strRegistrarPool[0].IndexOf(':') + 1)
```
- Enable the Surface Hub account with the following cmdlet:

9
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1403,6 +1403,15 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, next major update:</p>
<ul>
<li>Display/DisablePerProcessDpiForApps</li>
<li>Display/EnablePerProcessDpi</li>
<li>Display/EnablePerProcessDpiForApps</li>
<ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md)</td>
<td style="vertical-align:top"><p>Updated the XSD and Plug-in profile example for VPNv2 CSP.</p>

9
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -943,6 +943,15 @@ The following diagram shows the Policy configuration service provider in tree fo
### Display policies
<dl>
<dd>
<a href="./policy-csp-display.md#display-disableperprocessdpiforapps" id="display-disableperprocessdpiforapps">Display/DisablePerProcessDpiForApps</a>
</dd>
<dd>
<a href="./policy-csp-display.md#display-enableperprocessdpi" id="display-enableperprocessdpi">Display/EnablePerProcessDpi</a>
</dd>
<dd>
<a href="./policy-csp-display.md#display-enableperprocessdpiforapps" id="display-enableperprocessdpiforapps">Display/EnablePerProcessDpiForApps</a>
</dd>
<dd>
<a href="./policy-csp-display.md#display-turnoffgdidpiscalingforapps" id="display-turnoffgdidpiscalingforapps">Display/TurnOffGdiDPIScalingForApps</a>
</dd>

187
windows/client-management/mdm/policy-csp-display.md
View File

@ -6,12 +6,14 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 01/30/2018
ms.date: 02/05/2018
---
# Policy CSP - Display
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
@ -19,6 +21,15 @@ ms.date: 01/30/2018
## Display policies
<dl>
<dd>
<a href="#display-disableperprocessdpiforapps">Display/DisablePerProcessDpiForApps</a>
</dd>
<dd>
<a href="#display-enableperprocessdpi">Display/EnablePerProcessDpi</a>
</dd>
<dd>
<a href="#display-enableperprocessdpiforapps">Display/EnablePerProcessDpiForApps</a>
</dd>
<dd>
<a href="#display-turnoffgdidpiscalingforapps">Display/TurnOffGdiDPIScalingForApps</a>
</dd>
@ -28,6 +39,180 @@ ms.date: 01/30/2018
</dl>
<hr/>
<!--Policy-->
<a href="" id="display-disableperprocessdpiforapps"></a>**Display/DisablePerProcessDpiForApps**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows you to disable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="display-enableperprocessdpi"></a>**Display/EnablePerProcessDpi**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Per Process System DPI is an application compatibility feature for desktop applications that do not render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that have not been updated to display properly in this scenario will be blurry until you log out and back in to Windows.
When you enable this policy some blurry applications will be crisp after they are restarted, without requiring the user to log out and back in to Windows.
Be aware of the following:
Per Process System DPI will only improve the rendering of desktop applications that are positioned on the primary display (or any other display that has the same scale factor as that of the primary display). Some desktop applications can still be blurry on secondary displays that have different display scale factors.
Per Process System DPI will not work for all applications as some older desktop applications will always be blurry on high DPI displays.
In some cases, you may see some unexpected behavior in some desktop applications that have Per-Process System DPI applied. If that happens, Per Process System DPI should be disabled.
Enabling this setting lets you specify the system-wide default for desktop applications as well as per-application overrides. If you disable or do not configure this setting, Per Process System DPI will not apply to any processes on the system.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Disable.
- 1 - Enable.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="display-enableperprocessdpiforapps"></a>**Display/EnablePerProcessDpiForApps**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows you to enable Per-Process System DPI for a semicolon-separated list of applications. Applications can be specified either by using full paths or with filenames and extensions. This policy will override the system-wide default value.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->

3
windows/configuration/manage-windows-endpoints-version-1709.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
author: brianlic-msft
ms.author: brianlic-msft
ms.author: brianlic
ms.date: 11/21/2017
---
# Manage Windows 10 connection endpoints
@ -318,7 +318,6 @@ If you turn off traffic for these endpoints, users won't be able to save documen
| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
ently used documents.
| Source process | Protocol | Destination |
|----------------|----------|------------|

1
windows/deployment/TOC.md
View File

@ -15,6 +15,7 @@
### [Overview of Windows AutoPilot](windows-autopilot/windows-10-autopilot.md)
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
#### [Windows 10 downgrade paths](upgrade/windows-10-downgrade-paths.md)
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
### [Windows 10 volume license media](windows-10-media.md)

10
windows/deployment/update/olympia/olympia-enrollment-guidelines.md
View File

@ -31,7 +31,7 @@ To request an Olympia Corp account, please fill out the survey at [https://aka.m
## Enrollment guidelines
Welcome to Olympia Corp. Here are the steps to add your account to your PC.
Welcome to Olympia Corp. Here are the steps needed to Enroll.
As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade.
@ -43,7 +43,9 @@ Choose one of the following two enrollment options:
<a id="enrollment-keep-current-edition"></a>
### Keep your current Windows 10 edition
### Set up an Azure Active Directory REGISTERED Windows 10 device
- This is the Bring Your Own Device (BYOD) method - your device will receive Olympia policies and features, but a new account will not be created ([additional info]).(https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-registered-devices-windows10-setup)
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
@ -77,7 +79,9 @@ Choose one of the following two enrollment options:
<a id="enrollment-upgrade-to-enterprise"></a>
### Upgrade your Windows 10 edition from Pro to Enterprise
### Set up Azure Active Directory JOINED Windows 10 device
- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account ([additional info]).(https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-joined-devices-setup)
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your PC (see [local administrator](https://support.microsoft.com/en-us/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).

2
windows/deployment/upgrade/upgrade-readiness-additional-insights.md
View File

@ -18,7 +18,7 @@ This topic provides information on additional features that are available in Upg
The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data.
> [!NOTE]
> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, data will be collected on all sites visited by Microsoft Edge on computers running Windows 10 version 1803 (including Insider Preview builds) or newer. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
> Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees.
### Install prerequisite security update for Internet Explorer

160
windows/deployment/upgrade/windows-10-downgrade-paths.md Normal file
View File

@ -0,0 +1,160 @@
---
title: Windows 10 downgrade paths (Windows 10)
description: You can downgrade Windows 10 if the downgrade path is supported.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: high
ms.pagetype: mobile
author: greg-lindsay
ms.date: 02/15/2018
---
# Windows 10 downgrade paths
**Applies to**
- Windows 10
## Downgrading Windows 10
This topic provides a summary of supported Windows 10 downgrade paths. You might need to downgrade the edition of Windows 10, for example, if an Enterprise license is expired.
If a downgrade is supported, then your apps and settings can be migrated from the current edition to the downgraded edition. If a path is not supported, then a clean install is required.
To perform a downgrade, you can use the same methods as when performing an [edition upgrade](windows-10-edition-upgrades.md).
Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 is not supported, unless you are performing a rollback of a previous upgrade. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used.
>**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
>**Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown below.
### Supported Windows 10 downgrade paths
>[!NOTE]
>Edition changes that are considered upgrades (Ex: Pro to Enterprise) are not shown here. Switching between different editions of Pro is supported. This is not strictly considered an edition downgrade, but is included here for clarity.
✔ = Supported downgrade path<br>
<br>
<table border="0" cellpadding="1">
<tr>
<td colspan="10" align="center">Destination edition</td>
</tr>
<tr>
<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
<td></td>
<td>Home</td>
<td>Pro</td>
<td>Pro for Workstations</td>
<td>Pro Education</td>
<td>S</td>
<td>Education</td>
<td>Enterprise LTSC</td>
<td>Enterprise</td>
</tr>
<tr>
<td rowspan="9" nowrap="nowrap" valign="middle">Starting edition</td>
</tr>
<tr>
<td>Home</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Pro</td>
<td></td>
<td></td>
<td align="center"></td>
<td align="center"></td>
<td align="center"></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Pro for Workstations</td>
<td></td>
<td align="center"></td>
<td></td>
<td align="center"></td>
<td align="center"></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Pro Education</td>
<td></td>
<td align="center"></td>
<td align="center"></td>
<td></td>
<td align="center"></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>S</td>
<td></td>
<td align="center"></td>
<td align="center"></td>
<td align="center"></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Education</td>
<td></td>
<td align="center"></td>
<td align="center"></td>
<td align="center"></td>
<td align="center"></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enterprise LTSC</td>
<td></td>
<td align="center"></td>
<td align="center"></td>
<td align="center"></td>
<td align="center"></td>
<td align="center"></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enterprise</td>
<td></td>
<td align="center"></td>
<td align="center"></td>
<td align="center"></td>
<td align="center"></td>
<td align="center"></td>
<td></td>
<td></td>
</tr>
</table>
## Related Topics
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)<br>
[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)<br>
[Windows 10 edition upgrade](windows-10-edition-upgrades.md)<br>
[Windows 10 upgrade paths](windows-10-upgrade-paths.md)

5
windows/deployment/upgrade/windows-10-edition-upgrades.md
View File

@ -91,6 +91,11 @@ You can run the changepk.exe command-line tool to upgrade devices to a supported
`changepk.exe /ProductKey <enter your new product key here>`
You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise.
`Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43`
## Upgrade by manually entering a product key
If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually.

4
windows/deployment/upgrade/windows-10-upgrade-paths.md
View File

@ -29,6 +29,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
✔ = Full upgrade is supported including personal data, settings, and applications.<BR>
D = Edition downgrade; personal data is maintained, applications and settings are removed.
<br>
<table border="0" cellpadding="1">
<tr>
<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
@ -380,7 +381,8 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)<br>
[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)<br>
[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
[Windows 10 edition upgrade](windows-10-edition-upgrades.md)<br>
[Windows 10 downgrade paths](windows-10-downgrade-paths.md)

6
windows/security/threat-protection/auditing/audit-security-group-management.md
View File

@ -31,9 +31,9 @@ This subcategory allows you to audit events generated by changes to security gro
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.|
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.|
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.|
**Events List:**

1
windows/security/threat-protection/change-history-for-threat-protection.md
View File

@ -17,6 +17,7 @@ This topic lists new and updated topics in the [Threat protection](index.md) doc
New or changed topic | Description
---------------------|------------
[Security Compliance Toolkit](security-compliance-toolkit-10.md) | Added Office 2016 Security Baseline.
[Audit security group management](auditing/audit-security-group-management.md)| Added recommendation to audit Failure events.
## January 2018
|New or changed topic |Description |

2
windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
View File

@ -34,7 +34,7 @@ The **Interactive logon: Prompt user to change password before expiration** poli
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values