deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into pua-rs1

Browse Source 
# Conflicts:
#	windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
This commit is contained in:
Dolcita Montemayor 2016-08-03 11:14:12 +10:00
commit f2f683a73c
219 changed files with 23601 additions and 1069 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -13,5 +13,4 @@ packages.config
windows/keep-secure/index.md
# User-specific files
.vs/
.vs/

183
.openpublishing.publish.config.json
View File

@ -1,78 +1,107 @@
{
"build_entry_point": "",
"git_repository_url_open_to_public_contributors": "",
"docsets_to_publish": [
{
"docset_name": "microsoft-edge",
"build_output_subfolder": "browsers/edge",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": "false",
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "internet-explorer",
"build_output_subfolder": "browsers/internet-explorer",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": "false",
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "windows",
"build_output_subfolder": "windows",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": "false",
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "surface",
"build_output_subfolder": "devices/surface",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": "false",
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "surface-hub",
"build_output_subfolder": "devices/surface-hub",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": "false",
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "mdop",
"build_output_subfolder": "mdop",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": "false",
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "education",
"build_output_subfolder": "education",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": "false",
"type_mapping": {
"Conceptual": "Content"
}
}
],
"notification_subscribers": ["brianlic@microsoft.com"],
"branches_to_filter": [""]
}
"build_entry_point": "",
"need_generate_pdf": false,
"need_generate_intellisense": false,
"docsets_to_publish": [
{
"docset_name": "education",
"build_source_folder": "education",
"build_output_subfolder": "education",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "internet-explorer",
"build_source_folder": "browsers/internet-explorer",
"build_output_subfolder": "browsers/internet-explorer",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "itpro-hololens",
"build_source_folder": "itpro-hololens",
"build_output_subfolder": "itpro-hololens",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "op"
},
{
"docset_name": "mdop",
"build_source_folder": "mdop",
"build_output_subfolder": "mdop",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "microsoft-edge",
"build_source_folder": "browsers/edge",
"build_output_subfolder": "browsers/edge",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "surface",
"build_source_folder": "devices/surface",
"build_output_subfolder": "devices/surface",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "surface-hub",
"build_source_folder": "devices/surface-hub",
"build_output_subfolder": "devices/surface-hub",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content"
}
},
{
"docset_name": "windows",
"build_source_folder": "windows",
"build_output_subfolder": "windows",
"locale": "en-us",
"version": 0,
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content"
}
}
],
"notification_subscribers": [
"brianlic@microsoft.com"
],
"branches_to_filter": [
""
],
"git_repository_url_open_to_public_contributors": "",
"skip_source_output_uploading": false,
"dependent_repositories": []
}

1
education/TOC.md Normal file
View File

@ -0,0 +1 @@
# [Index](index.md)

1
education/index.md Normal file
View File

@ -0,0 +1 @@
# Index test file for Open Publishing

1
itpro-hololens/TOC.md Normal file
View File

@ -0,0 +1 @@
# [Index](index.md)

37
itpro-hololens/docfx.json Normal file
View File

@ -0,0 +1,37 @@
{
"build": {
"content": [
{
"files": [
"**/*.md"
],
"exclude": [
"**/obj/**",
"itpro-hololens/**",
"**/includes/**"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"itpro-hololens/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {},
"fileMetadata": {},
"template": [
null
],
"dest": "itpro-hololens"
}
}

1
itpro-hololens/index.md Normal file
View File

@ -0,0 +1 @@
# Index test file for Open Publishing

1
itpro/hololens/TOC.md Normal file
View File

@ -0,0 +1 @@
# [Index](index.md)

37
itpro/hololens/docfx.json Normal file
View File

@ -0,0 +1,37 @@
{
"build": {
"content": [
{
"files": [
"**/*.md"
],
"exclude": [
"**/obj/**",
"itpro-hololens/**",
"**/includes/**"
]
}
],
"resource": [
{
"files": [
"**/*.png",
"**/*.jpg"
],
"exclude": [
"**/obj/**",
"itpro-hololens/**",
"**/includes/**"
]
}
],
"overwrite": [],
"externalReference": [],
"globalMetadata": {},
"fileMetadata": {},
"template": [
null
],
"dest": "itpro-hololens"
}
}

1
itpro/hololens/index.md Normal file
View File

@ -0,0 +1 @@
# Index test file for Open Publishing

19
windows/keep-secure/TOC.md
View File

@ -1,8 +1,5 @@
# [Keep Windows 10 secure](index.md)
## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
## [Device Guard certification and compliance](device-guard-certification-and-compliance.md)
### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md)
### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md)
## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
@ -14,6 +11,16 @@
### [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
## [Device Guard deployment guide](device-guard-deployment-guide.md)
### [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md)
### [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md)
### [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
### [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md)
#### [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md)
#### [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md)
#### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
#### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md)
### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md)
## [Protect derived domain credentials with Credential Guard](credential-guard.md)
## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md)
@ -704,8 +711,13 @@
##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
#### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
#### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
#### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
@ -827,7 +839,6 @@
###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
## [Enterprise security guides](windows-10-enterprise-security-guides.md)
### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
### [Device Guard deployment guide](device-guard-deployment-guide.md)
### [Microsoft Passport guide](microsoft-passport-guide.md)
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
### [Windows 10 security overview](windows-10-security-guide.md)

2
windows/keep-secure/advanced-security-auditing-faq.md
View File

@ -125,7 +125,7 @@ Often it is not enough to know simply that an object such as a file or folder wa
## <a href="" id="bkmk-8"></a>How do I know when changes are made to access control settings, by whom, and what the changes were?
To track access control changes on computers running Windows Server 2016 Technical Preview, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs:
To track access control changes on computers running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs:
- **Audit File System** subcategory: Enable for success, failure, or success and failure
- **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure
- A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor

15
windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
View File

@ -14,20 +14,22 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
As a security operations team member, you can manage Windows Defender ATP alerts as part of your routine activities. Alerts will appear in queues according to their current status.
To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
> **Note**&nbsp;&nbsp;By default, the queues are sorted from newest to oldest.
> [!NOTE]
> By default, the queues are sorted from newest to oldest.
The following table and screenshot demonstrate the main areas of the **Alerts queue**.
![Screenshot of the Dashboard showing the New Alerts list and navigation bar](images/alertsq.png)
![Screenshot of the Dashboard showing the New Alerts list and navigation bar](images/alertsq2.png)
Highlighted area|Area name|Description
:---|:---|:---
@ -59,7 +61,8 @@ There are three mechanisms to pivot the queue against:
- **30 days**
- **6 months**
> **Note**&nbsp;&nbsp;You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon ![the sort order icon looks like two arrows on top of each other](images/sort-order-icon.png)
> [!NOTE]
> You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon ![the sort order icon looks like two arrows on top of each other](images/sort-order-icon.png)
### Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)

38
windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
View File

@ -11,22 +11,22 @@ author: mjcaparas
---
# Assign user access to the Windows Defender ATP portal
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Azure Active Directory
<!--Office 365-->
- Office 365
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). User can be assigned one of the following levels of permissions:
Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
- Read only access
**Full access** <br>
Users with full access can log in, view all system information as well as resolve alerts, submit files for deep analysis, and download the onboarding package.
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
**Read only access** <br>
@ -34,13 +34,21 @@ Users with read only access can log in, view all alerts, and related information
They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
<!--
Your administrator can assign roles using the Office 365 portal, or in the Azure classic portal, or by using the AAD module for Windows PowerShell.
For more information, see [Assigning admin roles in Office 365](https://support.office.com/en-us/article/Assigning-admin-roles-in-Office-365-eac4d046-1afd-4f1a-85fc-8219c79e1504?ui=en-US&rs=en-US&ad=US) and [Assigning administrator roles in Azure Active Directory](https://azure.microsoft.com/en-us/documentation/articles/active-directory-assign-admin-roles/).-->
Use the following steps to assign security roles:
- Preparations:
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/).<br>
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
Use the following cmdlets to perform the security role assignment:
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/en-us/library/dn194123.aspx).
- For **read and write** access, assign users to the security administrator role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
```
- For **read only** access, assign users to the security reader role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”
```
- Full access:<br>```Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”```
- Read only access:<br>```Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"```
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/en-us/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/en-us/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).

20
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -14,23 +14,27 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
## RELEASE: Windows 10, version 1607
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
- [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
- [Remote Credential Guard](remote-credential-guard.md)
- [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
- [Windows Defender Offline in Windows 10](windows-defender-offline.md)
- [Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)
- [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)
- [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)
- [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)
- [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)
- [Detect and block Potentially Unwanted Applications](enable-pua-windows-defender-for-windows-10.md)
- [Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)
- [Assign user access to the Windows Defender ATP portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
## July 2016
|New or changed topic | Description |
|----------------------|-------------|
|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated various topics throughout this section for new name and new UI in Microsoft Intune and System Center Configuration Manager. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New |
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New |
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |New |
@ -43,7 +47,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
|New or changed topic | Description |
|----------------------|-------------|
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added an update about needing to reconfigure your Windows Information Protection app rules after delivery of the June service update. |
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. |
| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New |
| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics |
| [Windows security baselines](windows-security-baselines.md) | New |
@ -56,7 +60,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| [Microsoft Passport errors during PIN creation](microsoft-passport-errors-during-pin-creation.md) | Added errors 0x80090029 and 0x80070057, and merged entries for error 0x801c03ed. |
| [Microsoft Passport guide](microsoft-passport-guide.md) | Updated Roadmap section content |
|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated info based on changes to the features and functionality.|
| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 Technical Preview |
| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Updated for Windows 10 and Windows Server 2016 |
|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (mutiple topics) | New |
## April 2016
@ -70,7 +74,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
|New or changed topic | Description |
|----------------------|-------------|
|[Requirements to use AppLocker](requirements-to-use-applocker.md) |Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 Technical Preview is required to manage AppLocker by using Group Policy.|
|[Requirements to use AppLocker](requirements-to-use-applocker.md) |Added that MDM can be used to manage any edition of Windows 10. Windows 10 Enterprise or Windows Server 2016 is required to manage AppLocker by using Group Policy.|
|[Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Added pre-release content about how to set up and deploy Windows Information Protection (WIP) in an enterprise environment.|
## February 2016

87
windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,87 @@
---
title: Configure an Azure Active Directory application for SIEM integration
description: Configure an Azure Active Directory application so that it can communicate with supported SIEM tools.
keywords: configure aad for siem integration, siem integration, application, oauth 2
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure an Azure Active Directory application for SIEM integration
**Applies to:**
- Azure Active Directory
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
1. Login to the [Azure management portal](https://manage.windowsazure.com).
2. Select **Active Directory**.
3. Select your tenant.
4. Click **Applications**, then select **Add** to create a new application.
5. Click **Add an application my organization is developing**.
6. Choose a client name for the application, for example, *Alert Export Client*.
7. Select **WEB APPLICATION AND/OR WEB API** in the Type section.
8. Assign a sign-on URL and app ID URI to the application, for example, `https://alertexportclient`.
9. Confirm the request details and verify that you have successfully added the app.
10. Select the application you've just created from the directory application list and click the **Configure** tab.
11. Scroll down to the **keys** section and select a duration for the application key.
12. Type the following URLs in the **Reply URL** field:
- `https://DataAccess-PRD.trafficmanager.net:444/api/FetchAccessTokenFromAuthCode`
- `https://localhost:44300/WDATPconnector`
13. Click **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory.
14. Open a web browser and connect to the following URL: <br>
```text
https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=<tenant ID>&clientSecret=1234
```
An Azure login page appears.
> [!NOTE]
> - Replace *tenant ID* with your actual tenant ID.
> - Keep the client secret as is. This is a dummy value, but the parameter must appear.
15. Sign in with the credentials of a user from your tenant.
16. Click **Accept** to provide consent. Ignore the error.
17. Click **Application configuration** under your tenant.
18. Click **Permissions to other applications**, then select **Add application**.
19. Click **All apps** from the **SHOW** field and submit.
20. Click **WDATPAlertExport**, then select **+** to add the application. You should see it on the **SELECTED** panel.
21. Submit your changes.
22. On the **WDATPAlertExport** record, in the **Delegated Permissions** field, select **Access WDATPAlertExport**.
23. Save the application changes.
After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use.
## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)

93
windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,93 @@
---
title: Configure HP ArcSight to consume Windows Defender ATP alerts
description: Configure HP ArcSight to receive and consume alerts from the Windows Defender ATP portal.
keywords: configure hp arcsight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure HP ArcSight to consume Windows Defender ATP alerts
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You'll need to configure HP ArcSight so that it can consume Windows Defender ATP alerts.
## Before you begin
- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
- Create your OAUth 2 Client properties file or get it from your Windows Defender ATP contact. For more information, see the ArcSight FlexConnector Developer's guide.
> [!NOTE]
> **For the authorization URL**: Append the following to the value you got from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com``` <br>
> **For the redirect_uri value use**: ```https://localhost:44300/wdatpconnector```
>
- Get the *wdatp-connector.properties* file from your Windows Defender ATP contact. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet.
- Contact the Windows Defender ATP team to get your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in the ArcSight FlexConnector Developer's guide.
## Configure HP ArcSight
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
1. Copy the *wdatp-connector.jsonparser.properties* file into the `<root>\current\user\agent\flexagent` folder of the connector installation folder.
2. Save the *wdatp-connector.properties* file into a folder of your choosing.
3. Open an elevated command-line:
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
4. Enter the following command and press **Enter**: ```runagentsetup.bat```. The Connector Setup pop-up window appears.
5. In the form fill in the following required fields with these values:
>[!NOTE]
>All other values in the form are optional and can be left blank.
<table>
<tbody style="vertical-align:top;">
<tr>
<th>Field</th>
<th>Value</th>
</tr>
<tr>
<td>Configuration File</td>
<td>Type in the name of the client property file. It must match the client property file.</td>
</tr>
<td>Events URL</td>
<td>`https://DataAccess-PRD.trafficmanager.net:444/api/alerts`</td>
<tr>
<td>Authentication Type</td>
<td>OAuth 2</td>
</tr>
<td>OAuth 2 Client Properties file</td>
<td>Select *wdatp-connector.properties*.</td>
<tr>
<td>Refresh Token</td>
<td>Paste the refresh token that your Windows Defender ATP contact provided, or run the `restutil` tool to get it.</td>
</tr>
</tr>
</table>
6. Select **Next**, then **Save**.
7. Run the connector. You can choose to run in Service mode or Application mode.
8. In the HP ArcSight console, create a **Windows Defender ATP** channel with intervals and properties suitable to your enterprise needs. Windows Defender ATP alerts will appear as discrete events, with “Microsoft” as the vendor and “Windows Defender ATP” as the device name.
## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)

35
windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
View File

@ -14,14 +14,17 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Group Policy
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
> [!NOTE]
> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
> **Note**&nbsp;&nbsp;To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
### Onboard endpoints
## Onboard endpoints
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
@ -45,10 +48,11 @@ author: mjcaparas
9. Click **OK** and close any open GPMC windows.
## Additional Windows Defender ATP configuration settings
For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
### Configure sample collection settings
### Configure sample collection settings
1. On your GP management machine, copy the following files from the
configuration package:
@ -66,20 +70,24 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
6. Choose to enable or disable sample sharing from your endpoints.
>[!NOTE]
> If you don't set a value, the default value is to enable sample collection.
### Offboard endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click Edit.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
@ -93,15 +101,16 @@ For security reasons, the package used to offboard endpoints will expire 30 days
9. Click **OK** and close any open GPMC windows.
## Monitor endpoint configuration
## Monitor endpoint configuration
With Group Policy there isnt an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor endpoints using the portal
## Monitor endpoints using the portal
1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
2. Click **Machines view**.
3. Verify that endpoints are appearing.
> **Note**&nbsp;&nbsp;It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
> [!NOTE]
> It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
## Related topics

18
windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,12 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14379 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
@ -35,7 +36,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATP.onboarding*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
@ -53,13 +54,15 @@ Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThrea
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
> **Note**&nbsp;&nbsp;The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
> [!NOTE]
> The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
### Offboard and monitor endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
@ -82,7 +85,8 @@ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding |
Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
> **Note**&nbsp;&nbsp;The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
> [!NOTE]
> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
## Related topics

88
windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
View File

@ -12,52 +12,81 @@ author: mjcaparas
# Configure endpoints using System Center Configuration Manager
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
- System Center 2012 Configuration Manager or later versions
<span id="sccm1606"/>
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section.
> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
System Center Configuration Manager (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
<span id="sccm1602"/>
## Configure endpoints using System Center Configuration Manager (current branch) version 1602 or earlier versions
You can use System Center Configuration Managers existing functionality to create a policy to configure your endpoints. This is supported in System Center Configuration Manager (current branch), version 1602 or earlier, including: System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager.
## Configure endpoints using System Center Configuration Manager earlier versions
You can use System Center Configuration Managers existing functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
### Onboard endpoints
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
- System Center Configuration Manager (current branch), version 1511
- System Center Configuration Manager (current branch), version 1602
### Onboard endpoints
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file.
b. Select **System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
### Offboard endpoints
### Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on an endpoint.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure theyre complaint.
The configuration is set through the following registry key entry:
```text
Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
Name: "AllowSampleCollection"
Value: 0 or 1
```
Where:<br>
Key type is a D-WORD. <br>
Possible values are:
- 0 - doesn't allow sample sharing from this endpoint
- 1 - allows sharing of all file types from this endpoint
The default value in case the registry key doesnt exist is 1.
For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx).
### Offboard endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file.
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
@ -65,7 +94,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
### Monitor endpoint configuration
Monitoring with SCCM consists of two parts:
@ -83,12 +112,25 @@ Monitoring with SCCM consists of two parts:
4. Review the status indicators under **Completion Statistics** and **Content Status**.
If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information.
If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
![SCCM showing successful deployment with no errors](images/sccm-deployment.png)
**Check that the endpoints are compliant with the Windows Defender ATP service:**<br>
You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment.
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines.
Monitor the following registry key entry:
```
Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
Name: “OnboardingState”
Value: “1”
```
For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/en-us/library/gg681958.aspx).
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

61
windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
View File

@ -11,9 +11,18 @@ author: mjcaparas
---
# Configure endpoints using a local script
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
## Onboard endpoints
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
@ -21,11 +30,11 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
b. Select **Local Script**, click **Download package** and save the .zip file.
2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
3. Open an elevated command-line prompt on the endpoint and run the script:
a. Click **Start** and type **cmd**.
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
@ -35,24 +44,46 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
5. Press the **Enter** key or click **OK**.
See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
For for information on how you can manually validate that the endpoint is compliant and correctly reports telemetry see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
## Offboard endpoints using a local script
## Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can manually configure the sample sharing setting on the endpoint by using *regedit* or creating and running a *.reg* file.
The configuration is set through the following registry key entry:
```text
Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
Name: "AllowSampleCollection"
Value: 0 or 1
```
Where:<br>
Name type is a D-WORD. <br>
Possible values are:
- 0 - doesn't allow sample sharing from this endpoint
- 1 - allows sharing of all file types from this endpoint
The default value in case the registry key doesnt exist is 1.
## Offboard endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open an elevated command-line prompt on the endpoint and run the script:
a. Click **Start** and type **cmd**.
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
@ -62,6 +93,18 @@ For security reasons, the package used to offboard endpoints will expire 30 days
5. Press the **Enter** key or click **OK**.
## Monitor endpoint configuration
You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running.
Monitoring can also be done directly on the portal, or by using the different deployment tools.
### Monitor endpoints using the portal
1. Go to the Windows Defender ATP portal.
2. Click **Machines view**.
3. Verify that endpoints are appearing.
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)

11
windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
title: Configure Windows Defender ATP endpoints
description: Use Group Policy or SCCM to deploy the configuration package or do manual registry changes on endpoints so that they are onboarded to the service.
keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm, system center configuration manager
description: Configure endpoints so that they are onboarded to the service.
keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -14,11 +14,12 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Endpoints in your organization must be configured so that the Windows Defender ATP service can get telemetry from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
Windows Defender ATP supports the following deployment tools and methods:

167
windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
title: Configure Windows Defender ATP endpoint proxy and Internet connection settings
description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service.
keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, web proxy auto detect, wpad, netsh, winhttp, proxy server
keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -15,168 +15,91 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service.
The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
- Configure Web Proxy Auto Detect (WPAD) settings and configure Windows to automatically detect the proxy server
- Configure the proxy server manually using a static proxy
- Configure the proxy server manually using Netsh
## Configure the proxy server manually using a static proxy
Configure a static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
## Configure Web Proxy Auto Detect (WPAD) settings and proxy server
The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**.
Configure WPAD in the environment and configure Windows to automatically detect the proxy server through Policy or the local Windows settings.
Enable the **Automatically detect settings** option in the Windows Proxy settings so that WinHTTP can use the WPAD feature to locate a proxy server.
1. Click **Start** and select **Settings**.
2. Click **Network & Internet**.
3. Select **Proxy**.
4. Verify that the **Automatically detect settings** option is set to On.
![Image showing the proxy settings configuration page](images/proxy-settings.png)
5. If the **Use setup script** or **Manual proxy setup** options are enabled then you will need to [configure proxy settings manually by using Netsh](#configure-proxy-server-manually-using-netsh) method for WinHTTP to discover the appropriate proxy settings and connect.
## Configure the proxy server manually using Netsh
If **Use setup script** or **Manual proxy setup** settings are configured in the Windows Proxy setting, then endpoints will not be discovered by WinHTTP.
Use Netsh to configure the proxy settings to enable connectivity.
You can configure the endpoint by using any of these methods:
- Importing the configured proxy settings to WinHTTP
- Configuring the proxy settings manually to WinHTTP
After configuring the endpoints, you'll need to verify that the correct proxy settings were applied.
**Import the configured proxy settings to WinHTTP**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
```text
netsh winhttp import proxy source=ie
```
An output showing the applied WinHTTP proxy settings is displayed.
**Configure the proxy settings manually to WinHTTP**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
```text
proxy [proxy-server=] ProxyServerName:PortNumber
```
Replace *ProxyServerName* with the fully qualified domain name of the proxy server.
Replace *PortNumber* with the port number that you want to configure the proxy server with.
An output showing the applied WinHTTP proxy settings is displayed.
**Verify that the correct proxy settings were applied**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
The registry key that this policy sets can be found at:
```HKLM\Software\Policies\Microsoft\Windows\DataCollection TelemetryProxyServer```
The policy and the registry key takes the following string format:
```text
<server name or ip>:<port>
```
netsh winhttp show proxy
```
For example: 10.0.0.6:8080
For more information on how to use Netsh see, [Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)](https://technet.microsoft.com/en-us/library/cc731131(v=ws.10).aspx)
If the static proxy settings are configured after onboarding, then you must restart the PC to apply the proxy settings.
## Enable access to Windows Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
- *.blob.core.windows.net
- crl.microsoft.com
- eu.vortex-win.data.microsoft.com
- sevillegwcus.microsoft.com
- sevillegweus.microsoft.com
- sevillegwneu.microsoft.com
- sevillegwweu.microsoft.com
- us.vortex-win.data.microsoft.com
- www.microsoft.com
Primary Domain Controller | .Microsoft.com DNS record
:---|:---
Central US | winatp-gw-cus.microsoft.com <br> us.vortex-win.data.microsoft.com <br> crl.microsoft.com <br>*.blob.core.windows.net
East US (2)| winatp-gw-eus.microsoft.com <br> us.vortex-win.data.microsoft.com <br> crl.microsoft.com <br>*.blob.core.windows.net
West Europe | winatp-gw-weu.microsoft.com <br> eu.vortex-win.data.microsoft.com <br> crl.microsoft.com <br>*.blob.core.windows.net
North Europe | winatp-gw-neu.microsoft.com <br> eu.vortex-win.data.microsoft.com <br> crl.microsoft.com <br>*.blob.core.windows.net
<br>
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted to the above listed URLs.
## Verify client connectivity to Windows Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
1. Download the connectivity verification tools to the PC where Windows Defender ATP sensor is running on:
1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Windows Defender ATP sensor is running on.
- [Download PsTools Suite](https://technet.microsoft.com/en-us/sysinternals/bb896649)
- [Download PortQry Command Line Port Scanner Version 2.0 utility](https://www.microsoft.com/en-us/download/details.aspx?id=17148)
2. Extract the contents of WDATPConnectivityAnalyzer on the endpoint.
2. Extract the contents of **PsTools** and **PortQry** to a directory on the computer hard drive.
3. Open an elevated command-line:
3. Open an elevated command-line:
a. Click **Start** and type **cmd**.
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
4. Enter the following command and press **Enter**:
```
HardDrivePath\PsExec.exe -s cmd.exe
HardDrivePath\WDATPConnectivityAnalyzer.cmd
```
Replace *HardDrivePath* with the path where the PsTools Suite was extracted to:
![Image showing the command line](images/psexec-cmd.png)
5. Enter the following command and press **Enter**:
Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example
```text
C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd
```
HardDrivePath\portqry.exe -n us.vortex-win.data.microsoft.com -e 443 -p tcp
```
Replace *HardDrivePath* with the path where the PortQry utility was extracted to:
![Image showing the command line](images/portqry.png)
6. Verify that the output shows that the name is **resolved** and connection status is **listening**.
5. Extract the *WDATPConnectivityAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*.
7. Repeat the same steps for the remaining URLs with the following arguments:
6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. <br><br>
The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Windows Defender ATP services. For example:
```text
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
```
- portqry.exe -n eu.vortex-win.data.microsoft.com -e 443 -p tcp
- portqry.exe -n sevillegwcus.microsoft.com -e 443 -p tcp
- portqry.exe -n sevillegweus.microsoft.com -e 443 -p tcp
- portqry.exe -n sevillegwweu.microsoft.com -e 443 -p tcp
- portqry.exe -n sevillegwneu.microsoft.com -e 443 -p tcp
- portqry.exe -n www.microsoft.com -e 80 -p tcp
- portqry.exe -n crl.microsoft.com -e 80 -p tcp
If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can communicate with the tested URL properly using this connectivity method. <br><br>
8. Verify that each URL shows that the name is **resolved** and the connection status is **listening**.
If the any of the verification steps indicate a fail, then verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)

43
windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Configure security information and events management tools
description: Configure supported security information and events management tools to receive and consume alerts.
keywords: configure siem, security information and events management tools, splunk, arcsight
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure security information and events management (SIEM) tools to consume alerts
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
Windows Defender ATP currently supports the following SIEM tools:
- Splunk
- HP ArcSight
To use either of these supported SIEM tools you'll need to:
- [Configure an Azure Active Directory application for SIEM integration in your tenant](configure-aad-windows-defender-advanced-threat-protection.md)
- Configure the supported SIEM tool:
- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
## In this section
Topic | Description
:---|:---
[Configure an Azure Active Directory application](configure-aad-windows-defender-advanced-threat-protection.md)| Learn about configuring an Azure Active Directory application to integrate with supported security information and events management (SIEM) tools.
[Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to consume Windows Defender ATP alerts.
[Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to consume Windows Defender ATP alerts.

110
windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,110 @@
---
title: Configure Splunk to consume Windows Defender ATP alerts
description: Configure Splunk to receive and consume alerts from the Windows Defender ATP portal.
keywords: configure splunk, security information and events management tools, splunk
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure Splunk to consume Windows Defender ATP alerts
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You'll need to configure Splunk so that it can consume Windows Defender ATP alerts.
## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk
- Contact the Windows Defender ATP team to get your refresh token
- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
## Configure Splunk
1. Login in to Splunk.
2. Click **Search & Reporting**, then **Settings** > **Data inputs**.
3. Click **REST** under **Local inputs**.
> [!NOTE]
> This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).
4. Click **New**.
5. Type the following values in the required fields, then click **Save**:
> [!NOTE]
>All other values in the form are optional and can be left blank.
<table>
<tbody style="vertical-align:top;">
<tr>
<th>Field</th>
<th>Value</th>
</tr>
<tr>
<td>Endpoint URL</td>
<td> https://<i></i>DataAccess-PRD.trafficmanager.net:444/api/alerts</td>
</tr>
<tr>
<td>HTTP Method</td>
<td>GET</td>
</tr>
<td>Authentication Type</td>
<td>oauth2</td>
<tr>
<td>OAuth 2 Token Refresh URL</td>
<td> Value taken from AAD application</td>
</tr>
<tr>
<td>OAuth 2 Client ID</td>
<td>Value taken from AAD application</td>
</tr>
<tr>
<td>OAuth 2 Client Secret</td>
<td>Value taken from AAD application</td>
</tr>
<tr>
<td>Response type</td>
<td>Json</td>
</tr>
<tr>
<td>Response Handler</td>
<td>JSONArrayHandler</td>
</tr>
<tr>
<td>Polling Interval</td>
<td>Number of seconds that Splunk will ping the Windows Defender ATP endpoint. Accepted values are in seconds.</td>
</tr>
<tr>
<td>Set sourcetype</td>
<td>From list</td>
</tr>
<tr>
<td>Source type</td>
<td>\_json</td>
</tr>
</tr>
</table>
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
You can use the following query as an example in Splunk: <br>
```source="rest://windows atp alerts"|spath|table*```
## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)

11
windows/keep-secure/credential-guard.md
View File

@ -12,7 +12,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
- Windows Server 2016
Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.
@ -158,6 +158,7 @@ First, you must add the virtualization-based security features. You can do this
``` syntax
dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
```
> [!NOTE]
> You can also add these features to an online image by using either DISM or Configuration Manager.
@ -183,6 +184,7 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi
- Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it.
4. Close Registry Editor.
> [!NOTE]
> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
@ -290,7 +292,7 @@ Some ways to store credentials are not protected by Credential Guard, including:
- Software that manages credentials outside of Windows feature protection
- Local accounts and Microsoft Accounts
- Credential Guard does not protect the Active Directory database running on Windows Server 2016 Technical Preview domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 Technical Preview servers running Remote Desktop Gateway. If you're using a Windows Server 2016 Technical Preview server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise.
- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise.
- Key loggers
- Physical attacks
- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization.
@ -328,7 +330,7 @@ Enabling compound authentication also enables Kerberos armoring, which provides
### Deploying machine certificates
If the domain controllers in your organization are running Windows Server 2016 Technical Preview, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain.
If the domain controllers in your organization are running Windows Server 2016, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain.
If the domain controllers are running Windows Server 2012 R2, the machine certificates must be provisioned manually on each device. You can do this by creating a certificate template on the domain controller or certificate authority and deploying the machine certificates to each device.
The same security procedures used for issuing smart cards to users should be applied to machine certificates.
@ -348,6 +350,7 @@ On devices that are running Credential Guard, enroll the devices using the machi
``` syntax
CertReq -EnrollCredGuardCert MachineAuthentication
```
> [!NOTE]
> You must restart the device after enrolling the machine authentication certificate.
 
@ -364,6 +367,7 @@ By using an authentication policy, you can ensure that users only sign into devi
``` syntax
.\set-IssuancePolicyToGroupLink.ps1 IssuancePolicyName:”<name of issuance policy>groupOU:”<Name of OU to create>groupName:”<name of Universal security group to create>
```
### Deploy the authentication policy
Before setting up the authentication policy, you should log any failed attempt to apply an authentication policy on the KDC. To do this in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
@ -388,6 +392,7 @@ Now you can set up an authentication policy to use Credential Guard.
14. Click **OK** to create the authentication policy.
15. Close Active Directory Administrative Center.
> [!NOTE]
> When authentication policies in enforcement mode are deployed with Credential Guard, users will not be able to sign in using devices that do not have the machine authentication certificate provisioned. This applies to both local and remote sign in scenarios.
 

18
windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,12 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
The **Dashboard** displays a snapshot of:
- The latest active alerts on your network
@ -40,18 +41,18 @@ You can view the overall number of active ATP alerts from the last 30 days in yo
Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).
See the [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topic for more information.
For more information see, [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topics for more information.
The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
## Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png)
Click the name of the machine to see details about that machine. See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine) topic for more information.
Click the name of the machine to see details about that machine. For more information see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine).
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) topic for more information.
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
## Status
The **Status** tile informs you if the service is active and running and the unique number of machines (endpoints) reporting over the past 30 days.
@ -84,7 +85,8 @@ Threats are considered "active" if there is a very high probability that the mal
Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
> **Note**&nbsp;&nbsp;The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
> [!NOTE]
> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
### Related topics
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)

32
windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
View File

@ -14,13 +14,15 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
> **Note**&nbsp;&nbsp;This document covers the information specific to the Windows Defender ATP service. Other data shared and stored by Windows Defender and Windows 10 is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See the [Windows 10 privacy FAQ for more information](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq).
> [!NOTE]
> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See also [Windows 10 privacy FAQ](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq) for more information.
## What data does Windows Defender ATP collect?
@ -28,7 +30,7 @@ Microsoft will collect and store information from your configured endpoints in a
Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).
Microsoft stores this data in a Microsoft Azure security-specific data store, and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
Microsoft uses this data to:
- Proactively identify indicators of attack (IOAs) in your organization
@ -39,10 +41,10 @@ Microsoft does not mine your data for advertising or for any other purpose other
## Do I have the flexibility to select where to store my data?
Data for this new service is stored in Microsoft Azure datacenters in the United States and European Union based on the geolocation properties. Subject to the relevant preview program you may be able to specify your preferred geolocation when you onboard to the service. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations in which your data will reside. Microsoft will not transfer the data from the specified geolocation except in specific circumstances during the preview stage.
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
## Is my data isolated from other customer data?
Yes. The new cloud service provides appropriate segregation at a number of levels, such as isolation of files, configurations, and telemetry data. Aside from data access authentication, simply keeping different data appropriately segregated provides well-recognized protection.
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
@ -58,18 +60,14 @@ Additionally, Microsoft conducts background verification checks of certain opera
No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which dont contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
## How long will Microsoft store my data? What is Microsofts data retention policy?
Your data privacy is one of Microsoft's key commitments for the cloud. For this service, at contract termination or expiration, your data will be erased from Microsofts systems to make it unrecoverable after 90 days (from contract termination or expiration).
**At service onboarding**<br>
You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. Theres a flexibility of choosing in the range of 1 month to six months to meet your companys regulatory compliance needs.
**At contract termination or expiration**<br>
Your data will be kept for a period of at least 90 days, during which it will be available to you. At the end of this period, that data will be erased from Microsofts systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
## Can Microsoft help us maintain regulatory compliance?
Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsofts compliance standards.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.
## Is there a difference between how Microsoft handles data for the preview programs and for General Availability?
Subject to the preview program you are in, you could be asked to choose to store your data in a datacenter either in Europe or United States. Your data will not be copied or moved outside of the datacenter you choose, except in the following specific circumstance:
1. You choose Europe as your datacenter, and
2. You [submit a file for deep analysis](investigate-files-windows-defender-advanced-threat-protection.md#submit-files-for-analysis).
In this circumstance, the submitted file will be sent to the US deep analysis laboratory. The results of the analysis will be stored in the European datacenter, and the file and data will be deleted from the US deep analysis laboratory and datacenter.
This is a temporary measure as we work to integrate our deep analysis capabilities into the European datacenter. If you have any concerns or questions about submitting files for deep analysis and you are using a European datacenter, or if youd like to be updated as to when the European deep analysis lab is online, email [winatp@microsoft.com](mailto:winatp@microsoft.com).

32
windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,32 @@
---
title: Windows Defender compatibility
description: Learn about how Windows Defender works with Windows Defender ATP.
keywords: windows defender compatibility, defender, windows defender atp
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Windows Defender compatibility
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Windows Defender Advanced Threat Protection agent depends on Windows Defender for some capabilities such as file scanning.
If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender on that endpoint will enter into passive mode.
Windows Defender will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).

19
windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
View File

@ -30,11 +30,11 @@ These applications can increase the risk of your network being infected with mal
Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.
**Enable PUA protection in SCCM and Intune**
##Enable PUA protection in SCCM and Intune
The PUA feature is available for enterprise users who are running System Center Configuration Manager (SCCM) or Intune in their infrastructure.
***Configure PUA in SCCM***
###Configure PUA in SCCM
For SCCM users, PUA is enabled by default. See the following topics for configuration details:
@ -43,7 +43,8 @@ If you are using these versions | See these topics
System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)<br>[Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings)
System Center 2012 R2 Endpoint Protection<br>System Center 2012 Configuration Manager<br>System Center 2012 Configuration Manager SP1<br>System Center 2012 Configuration Manager SP2<br>System Center 2012 R2 Configuration Manager<br>System Center 2012 Endpoint Protection SP1<br>System Center 2012 Endpoint Protection<br>System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA)
***Use PUA audit mode in SCCM***
<br>
###Use PUA audit mode in SCCM
You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and youd like to avoid any false positives.
@ -62,16 +63,16 @@ You can use PowerShell to detect PUA without blocking them. In fact, you can run
> PUA events are reported in the Windows Event Viewer and not in SCCM.
***Configure PUA in Intune***
###Configure PUA in Intune
PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details.
***Use PUA audit mode in Intune***
###Use PUA audit mode in Intune
You can detect PUA without blocking them from your client. Gain insights into what can be blocked.
**View PUA events**
##View PUA events
PUA events are reported in the Windows Event Viewer and not in SCCM or Intune. To view PUA events:
@ -83,18 +84,18 @@ PUA events are reported in the Windows Event Viewer and not in SCCM or Intune. T
You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx).
**What PUA notifications look like**
##What PUA notifications look like
When a detection occurs, end users who enabled the PUA detection feature will see the following notification:
To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**.
**PUA threat-naming convention**
##PUA threat file-naming convention
When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote.
**PUA blocking conditions**
##PUA blocking conditions
PUA protection quarantines the file so they wont run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions:
* The file is being scanned from the browser

4
windows/keep-secure/enlightened-microsoft-apps-and-wip.md
View File

@ -10,11 +10,11 @@ ms.pagetype: security
author: eross-msft
---
# List of enlightened Microsoft apps for use with Windows Information Protection(WIP)
# List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 6017
- Windows 10, version 1607
- Windows 10 Mobile
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.

208
windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
title: Review events and errors on endpoints with Event Viewer
description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service.
keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Advanced Threat Protection service, cannot start, broken, can't start
keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -15,16 +15,19 @@ author: iaanw
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Event Viewer
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints.
For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
> **Note**&nbsp;&nbsp;It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
> [!NOTE]
> It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
**Open Event Viewer and find the Windows Defender ATP service event log:**
@ -35,7 +38,8 @@ For example, if endpoints are not appearing in the **Machines view** list, you m
a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**.
> **Note**&nbsp;&nbsp;SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
> [!NOTE]
> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
@ -49,39 +53,39 @@ For example, if endpoints are not appearing in the **Machines view** list, you m
</tr>
<tr>
<td>1</td>
<td>Windows Advanced Threat Protection service started (Version ```variable```).</td>
<td>Windows Defender Advanced Threat Protection service started (Version ```variable```).</td>
<td>Occurs during system start up, shut down, and during onbboarding.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>2</td>
<td>Windows Advanced Threat Protection service shutdown.</td>
<td>Windows Defender Advanced Threat Protection service shutdown.</td>
<td>Occurs when the endpoint is shut down or offboarded.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>3</td>
<td>Windows Advanced Threat Protection service failed to start. Failure code: ```variable```</td>
<td>Windows Defender Advanced Threat Protection service failed to start. Failure code: ```variable```.</td>
<td>Service did not start.</td>
<td>Review other messages to determine possible cause and troubleshooting steps.</td>
</tr>
<tr>
<td>4</td>
<td>Windows Advanced Threat Protection service contacted the server at ```variable```.</td>
<td>variable = URL of the Windows Defender ATP processing servers.<br>
<td>Windows Defender Advanced Threat Protection service contacted the server at ```variable```.</td>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
This URL will match that seen in the Firewall or network activity.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>5</td>
<td>Windows Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
<td>variable = URL of the Windows Defender ATP processing servers.<br>
<td>Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
The service could not contact the external processing servers at that URL.</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity).</td>
</tr>
<tr>
<td>6</td>
<td>Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td>
<td>Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td>
<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Onboarding must be run before starting the service.<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
@ -89,72 +93,66 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
</tr>
<tr>
<td>7</td>
<td>Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: ```variable```</td>
<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```.</td>
<td>Variable = detailed error description. The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>8</td>
<td>Windows Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```</td>
<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
<td>Windows Defender Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```.</td>
<td>**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues. <br><br> **During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
</td>
<td>**Onboarding:** No action required. <br><br> **Offboarding:** Reboot the system.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>9</td>
<td>Windows Advanced Threat Protection service failed to change its start type. Failure code: ```variable```</td>
<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```.</td>
<td>**During onboarding:** The endpoint did not onboard correctly and will not be reporting to the portal. <br><br>**During offboarding:** Failed to change the service start type. The offboarding process continues. </td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>10</td>
<td>Windows Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```</td>
<td>Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```.</td>
<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>11</td>
<td>Windows Advanced Threat Protection service completed.</td>
<td>Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed.</td>
<td>The endpoint onboarded correctly.</td>
<td>Normal operating notification; no action required.<br>
It may take several hours for the endpoint to appear in the portal.</td>
</tr>
<tr>
<td>12</td>
<td>Windows Advanced Threat Protection failed to apply the default configuration.</td>
<td>Service was unable to apply configuration from the processing servers.</td>
<td>This is a server error and should resolve after a short period.</td>
<td>Windows Defender Advanced Threat Protection failed to apply the default configuration.</td>
<td>Service was unable to apply the default configuration.</td>
<td>This error should resolve after a short period of time.</td>
</tr>
<tr>
<td>13</td>
<td>Service machine ID calculated: ```variable```</td>
<td>Windows Defender Advanced Threat Protection machine ID calculated: ```variable```.</td>
<td>Normal operating process.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>14</td>
<td>Service cannot calculate machine ID. Failure code: ```variable```</td>
<td>Internal error.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
</tr>
<tr>
<td>15</td>
<td>Windows Advanced Threat Protection cannot start command channel with URL: ```variable```</td>
<td>variable = URL of the Windows Defender ATP processing servers.<br>
<td>Windows Defender Advanced Threat Protection cannot start command channel with URL: ```variable```.</td>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
The service could not contact the external processing servers at that URL.</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
</tr>
<tr>
<td>17</td>
<td>Windows Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```</td>
<td>Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled)<br>
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>18</td>
@ -171,44 +169,45 @@ If this error persists after a system restart, ensure all Windows updates have f
</tr>
<tr>
<td>20</td>
<td>Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```</td>
<td>Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```.</td>
<td>Internal error.</td>
<td>If this error persists after a system restart, ensure all Windows updates have full installed.</td>
</tr>
<tr>
<td>25</td>
<td>Windows Advanced Threat Protection service failed to reset health status in the registry, causing the onboarding process to fail. Failure code: ```variable```</td>
<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: ```variable```.</td>
<td>The endpoint did not onboard correctly.
It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>26</td>
<td>Windows Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```</td>
<td>Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```.</td>
<td>The endpoint did not onboard correctly.<br>
It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>27</td>
<td>Windows Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```</td>
<td>Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```.</td>
<td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).<br>
Ensure real-time antimalware protection is running properly.</td>
</tr>
<tr>
<td>28</td>
<td>Windows Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```</td>
<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>30</td>
<td>Windows Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```</td>
<td>Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```.</td>
<td>Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
@ -216,24 +215,115 @@ Ensure real-time antimalware protection is running properly.</td>
</tr>
<tr>
<td>31</td>
<td>Windows Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.</td>
<td>[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).</td>
</tr>
<tr>
<td>32</td>
<td>Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1</td>
<td>An error occurred during offboarding.</td>
<td>Reboot the machine.</td>
</tr>
<tr>
<td>33</td>
<td>Windows Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```</td>
<td>Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```.</td>
<td>A unique identifier is used to represent each endpoint that is reporting to the portal.<br>
If the identifier does not persist, the same machine might appear twice in the portal.</td>
<td>Check registry permissions on the endpoint to ensure the service can update the registry.</td>
</tr>
<tr>
<td>34</td>
<td>Windows Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```</td>
<td>Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)</td>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>35</td>
<td>Windows Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.
</td>
<td>Check for errors with the Windows telemetry service.</td>
</tr>
<tr>
<td>36</td>
<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: ```variable```.</td>
<td>Registering Windows Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>37</td>
<td>Windows Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.</td>
<td>The machine has almost used its allocated quota of the current 24-hour window. Its about to be throttled.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>38</td>
<td>Network connection is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
<td>The machine is using a metered/paid network and will be contacting the server less frequently.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>39</td>
<td>Network connection is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
<td>The machine is not using a metered/paid connection and will contact the server as usual.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>40</td>
<td>Battery state is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.</td>
<td>The machine has low battery level and will contact the server less frequently.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>41</td>
<td>Battery state is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.</td>
<td>The machine doesnt have low battery level and will contact the server as usual.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>42</td>
<td>Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4</td>
<td>Internal error. The service failed to start.</td>
<td>If this error persists, contact Support.</td>
</tr>
<tr>
<td>43</td>
<td>Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5</td>
<td>Internal error. The service failed to start.</td>
<td>If this error persists, contact Support.</td>
</tr>
<tr>
<td>44</td>
<td>Offboarding of Windows Defender Advanced Threat Protection service completed.</td>
<td>The service was offboarded.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>45</td>
<td>Failed to register and to start the event trace session [%1]. Error code: %2</td>
<td>An error occurred on service startup while creating ETW session. This caused service start-up failure.</td>
<td>If this error persists, contact Support.</td>
</tr>
<tr>
<td>46</td>
<td>Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.</td>
<td>An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but will not report any sensor event until the ETW session is started.</td>
<td>Normal operating notification; no action required. The service will try to start the session every minute.</td>
</tr>
<tr>
<td>47</td>
<td>Successfully registered and started the event trace session - recovered after previous failed attempts.</td>
<td>This event follows the previous event after successfully starting of the ETW session.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>48</td>
<td>Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.</td>
<td>Failed to add a provider to ETW session. As a result, the provider events arent reported.</td>
<td>Check the error code. If the error persists contact Support.</td>
</tr>
</tr>
</tbody>

1
windows/keep-secure/guidance-and-best-practices-wip.md
View File

@ -21,6 +21,7 @@ This section includes info about the enlightened Microsoft apps, including how t
## In this section
|Topic |Description |
|------|------------|
|[Windows Information Protection (WIP) overview](wip-enterprise-overview.md) |High-level overview info about why to use WIP, the enterprise scenarios, and how to turn it off. |
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP), in your enterprise. |
|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |

BIN
windows/keep-secure/images/alert-details.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 74 KiB

After

Width:  |  Height:  |  Size: 74 KiB

BIN
windows/keep-secure/images/alertsq2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 60 KiB

After

Width:  |  Height:  |  Size: 63 KiB

BIN
windows/keep-secure/images/machines-view.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 80 KiB

After

Width:  |  Height:  |  Size: 80 KiB

BIN
windows/keep-secure/images/onboardingstate.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 151 KiB

After

Width:  |  Height:  |  Size: 129 KiB

BIN
windows/keep-secure/images/portal-image.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 178 KiB

After

Width:  |  Height:  |  Size: 178 KiB

1
windows/keep-secure/implement-microsoft-passport-in-your-organization.md
View File

@ -340,6 +340,7 @@ Youll need this software to set Windows Hello for Business policies in your e
<li>Azure AD subscription</li>
<li>[Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)</li>
<li>AD CS with NDES</li>
<<<<<<< HEAD
<li>Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work</li>
</ul></td>
</tr>

35
windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,12 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization.
There are three alert severity levels, described in the following table.
@ -43,17 +44,39 @@ Details displayed about the alert include:
- When the alert was last observed
- Alert description
- Recommended actions
- The potential scope of breach
- The incident graph
- The indicators that triggered the alert
![A detailed view of an alert when clicked](images/alert-details.png)
Alerts attributed to an adversary or actor display a colored tile with the actor name.
Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
![A detailed view of an alert when clicked](images/alert-details.png)
## Incident graph
The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert.
## Alert spotlight
The alert spotlight feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation.
You can click on the machine link from the alert view to see the alerts related to the machine.
> [!NOTE]
> This shortcut is not available from the Incident graph machine links.
Alerts related to the machine are displayed under the **Alerts related to this machine** section.
Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**. This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine.
You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**.
You can also remove the highlight by right-clicking a highlighted alert and selecting **Unmark related events**.
### Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)

7
windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
View File

@ -13,11 +13,12 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
You can see information from the following sections in the URL view:

21
windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
View File

@ -13,11 +13,12 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
You can get information from the following sections in the file view:
@ -62,11 +63,13 @@ Use the deep analysis feature to investigate the details of any file, usually du
In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
> **Note**&nbsp;&nbsp;Only files from Windows 10 can be automatically collected.
> [!NOTE]
> Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
> **Note**&nbsp;&nbsp;Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
> [!NOTE]
> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
@ -84,7 +87,8 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
> **Note**&nbsp;&nbsp;Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
> [!NOTE]
> Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
## View deep analysis report
@ -121,10 +125,11 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
Value = 0 - block sample collection
Value = 1 - allow sample collection
```
5. Change the organizational unit through the Group Policy. See [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
> **Note**&nbsp;&nbsp;If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
> [!NOTE]
> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
### Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)

11
windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
View File

@ -13,12 +13,12 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Examine possible communication between your machines and external internet protocol (IP) addresses.
Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
@ -43,7 +43,8 @@ The **Communication with IP in organization** section provides a chronological v
Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of machines in the organization that communicated with this IP Address (during selectable time period), and the machines in the organization that were observed communicating with this IP address.
> **Note**&nbsp;&nbsp;Search results will only be returned for IP addresses observed in communication with machines in the organization.
> [!NOTE]
> Search results will only be returned for IP addresses observed in communication with machines in the organization.
Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.

17
windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,12 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting telemetry in your network.
Use the Machines view in these two main scenarios:
@ -37,7 +38,8 @@ The Machines view contains the following columns:
- **Active Alerts** - the number of alerts reported by the machine by severity
- **Active malware detections** - the number of active malware detections reported by the machine
> **Note**&nbsp;&nbsp;The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
> [!NOTE]
> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
Click any column header to sort the view in ascending or descending order.
@ -55,7 +57,8 @@ You can filter the view by the following time periods:
- 30 days
- 6 months
> **Note**&nbsp;&nbsp;When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.
> [!NOTE]
> When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.
The threat category filter lets you filter the view by the following categories:
@ -65,7 +68,7 @@ The threat category filter lets you filter the view by the following categories:
- Threat
- Low severity
See the [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections) topic for a description of each category.
For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections).
You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file.
@ -100,6 +103,8 @@ You'll see an aggregated view of alerts, a short description of the alert, detai
This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alerts-spotlight) feature to see the correlation between alerts and events on a specific machine.
![The timeline shows an interactive history of the alerts seen on a machine](images/timeline.png)
Use the search bar to look for specific alerts or files associated with the machine.

17
windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
View File

@ -14,14 +14,15 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts) topic for more details on how to investigate alerts.
For more information on how to investigate alerts see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts).
Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the top of the alert to access the Manage Alert menu and manage alerts.
@ -55,7 +56,7 @@ You can resolve an alert by changing the status of the alert to **Resolved**. Th
![You can resolve an alert as valid, valid - allowed, or false alarm](images/resolve-alert.png)
The comments and change of status are recorded in the [Comments and history window](#view-history-and-comments).
The comments and change of status are recorded in the Comments and history window.
![The comments window will display a history of status changes](images/comments.png)
@ -86,7 +87,8 @@ The context of the rule lets you tailor the queue to ensure that only alerts you
1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of an existing alert.
2. Choose the context for suppressing the alert.
> **Note**&nbsp;&nbsp;You cannot create a custom or blank suppression rule. You must start from an existing alert.
> [!NOTE]
> You cannot create a custom or blank suppression rule. You must start from an existing alert.
**See the list of suppression rules:**
@ -95,7 +97,8 @@ The context of the rule lets you tailor the queue to ensure that only alerts you
![Click the settings icon and then Suppression rules to create and modify rules](images/suppression-rules.png)
> **Note**&nbsp;&nbsp;You can also click **See rules** in the confirmation window that appears when you suppress an alert.
> [!NOTE]
> You can also click **See rules** in the confirmation window that appears when you suppress an alert.
The list of suppression rules shows all the rules that users in your organization have created.
Each rule shows:

91
windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -14,33 +14,102 @@ author: iaanw
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
There are some minimum requirements for onboarding your network and endpoints.
## Minimum requirements
### Network and data storage and configuration requirements
<!---Your organization must use Azure Active Directory (AAD) to manage users. AAD is used during service onboarding to manage user-based access to the [Windows Defender ATP portal](https://securitycenter.windows.com/).--->
<!--If youd like help with using AAD to set up user access, contact the [Windows Defender ATP Yammer group](https://www.yammer.com/wsscengineering/\#/threads/inGroup?type=in\_group&feedId=7108776&view=all) or email [winatp@microsoft.com](mailto:winatp@microsoft.com).-->
When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in either a European or United States datacenter.
When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter.
> **Notes**&nbsp;&nbsp;
- You cannot change your data storage location after the first-time setup.
- Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
### Endpoint hardware and software requirements
Endpoints on your network must be running Windows 10 Insider Preview Build 14332 or later. The hardware requirements for Windows Defender ATP on endpoints is the same as those for Windows 10 Insider Preview Build 14332 or later.
The Windows Defender ATP agent only supports the following editions of Windows 10:
> **Note**&nbsp;&nbsp;Endpoints that are running Windows Server and mobile versions of Windows are not supported.
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
Internet connectivity on endpoints is also required. See [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) for additional proxy configuration settings.
Endpoints on your network must be running one of these editions.
The hardware requirements for Windows Defender ATP on endpoints is the same as those for the supported editions.
> [!NOTE]
> Endpoints that are running Windows Server and mobile versions of Windows are not supported.
#### Internet connectivity
Internet connectivity on endpoints is required.
SENSE can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data.
> [!NOTE]
> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section.
### Telemetry and diagnostics settings
You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization.
By default, this service is enabled, but it's good practice to check to ensure that you'll get telemetry from them.
**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
1. Open an elevated command-line prompt on the endpoint:
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc qc diagtrack
```
If the service is enabled, then the result should look like the following screenshot:
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc config diagtrack start=auto
```
3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
```text
sc qc diagtrack
```
## Windows Defender signature updates are configured
The Windows Defender ATP agent depends on Windows Defenders ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md).
When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information on how to validate and enable the Windows Defender ELAM driver see, [Ensure the Windows Defender ELAM driver is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-windows-defender-elam-driver-is-enabled).

8
windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
View File

@ -14,13 +14,15 @@ author: iaanw
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You need to onboard to Windows Defender ATP before you can use the service.
## In this section
Topic | Description
:---|:---

17
windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
View File

@ -14,12 +14,12 @@ author: DulceMV
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
@ -37,19 +37,20 @@ When you open the portal, youll see the main areas of the application:
![Windows Defender Advanced Threat Protection portal](images/portal-image.png)
> **Note**&nbsp;&nbsp;Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
> [!NOTE]
> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
Area | Description
:---|:---
(1) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information.
(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Endpoint Management**.
(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Enpoint Management**.
**Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
**Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
**Preferences setup**| Shows the settings you selected <!--during [service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md),-->and lets you update your industry preferences and retention policy period.
**Endpoint Management**| Allows you to download the onboarding configuration package.
**Preferences setup**| Shows the settings you selected and lets you update your industry preferences and retention policy period.
**Enpoint Management**| Allows you to download the onboarding configuration package.
(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view.
(4) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type.

5
windows/keep-secure/prepare-people-to-use-microsoft-passport.md
View File

@ -83,10 +83,15 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows
**Sign in to PC using the phone**
<<<<<<< HEAD
1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to.
> **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.
![select a device](images/phone-signin-device-select.png)
=======
1. Open the **Microsoft Authenticator** app and tap the name of the PC to sign in to.
> **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.
>>>>>>> parent of 9891b67... from master
 
2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.

4
windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
View File

@ -216,7 +216,7 @@ The following Windows 10 services are protected with virtualization-based secur
- **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory
- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
- **Other isolated services**: for example, on Windows Server Technical Preview 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers.
- **Other isolated services**: for example, on Windows Server 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers.
>**Note:**  Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended.
 
@ -747,7 +747,7 @@ For more information about conditional access, see [Azure Conditional Access Pre
For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](http://go.microsoft.com/fwlink/p/?LinkId=691618) blog post.
- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server Technical Preview 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
![figure 13](images/hva-fig12-conditionalaccess12.png)

2
windows/keep-secure/requirements-to-use-applocker.md
View File

@ -32,7 +32,7 @@ The following table show the on which operating systems AppLocker features are s
| Version | Can be configured | Can be enforced | Available rules | Notes |
| - | - | - | - | - |
| Windows 10| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview. |
| Windows 10| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016. |
| Windows Server 2012 R2| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| |
| Windows 8.1| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| Only the Enterprise edition supports AppLocker|
| Windows RT 8.1| No| No| N/A||

2
windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
View File

@ -50,5 +50,5 @@ Command | Description
\-AddDynamicSignature [-Path] | Loads a dynamic signature
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
<br>
The command-line utility provides detailed information on the other commands supported by the tool.

9
windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,12 @@ author: DulceMV
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone, suppression rules, and view license information.
## Time zone settings
@ -52,7 +53,7 @@ To set the time zone:
3. The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**.
## Suppression rules
The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. See [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
## License
Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.

4
windows/keep-secure/tpm-recommendations.md
View File

@ -14,7 +14,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows Server 2016 Technical Preview
- Windows Server 2016
- Windows 10 IoT Core (IoT Core)
This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
@ -104,7 +104,7 @@ For end consumers, TPM is behind the scenes but still very relevant for Hello, P
- TPM is optional on IoT Core.
### Windows Server 2016 Technical Preview
### Windows Server 2016
- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.

488
windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -7,58 +7,48 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: iaanw
author: mjcaparas
---
# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues.
This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints.
You might need to troubleshoot the Windows Defender Advanced Threat Protection onboarding process if you encounter issues.
This page provides detailed steps for troubleshooting endpoints that aren't reporting correctly, and common error codes encountered during onboarding. <!--and steps for resolving problems with Azure Active Directory (AAD).-->
If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem.
## Endpoints are not reporting to the service correctly
## Troubleshoot onboarding when deploying with Group Policy
Deployment with Group Policy is done by running the onboarding script on the endpoints. The Group Policy console does not indicate if the deployment has succeeded or not.
If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after 20 minutes, it might indicate an endpoint onboarding or connectivity problem.
If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint).
Go through the following verification topics to address this issue:
If the script completes successfully, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
- [Ensure the endpoint is onboarded successfully](#Ensure-that-the-endpoint-is-onboarded-successfully)
- [Ensure the Windows Defender ATP service is enabled](#Ensure-that-the-Windows-Defender-ATP-service-is-enabled)
- [Ensure the telemetry and diagnostics service is enabled](#Ensure-that-telemetry-and-diagnostics-service-is-enabled)
- [Ensure the endpoint has an Internet connection](#Ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection)
## Troubleshoot onboarding issues when deploying with System Center Configuration Manager
When onboarding endpoints using the following versions of System Center Configuration Manager:
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
- System Center Configuration Manager (current branch) version 1511
- System Center Configuration Manager (current branch) version 1602
### Ensure the endpoint is onboarded successfully
If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service was successfully onboarded onto the endpoint.
Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the endpoints. You can track the deployment in the Configuration Manager Console.
**Check the onboarding state in Registry**:
If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint).
1. Click **Start**, type **Run**, and press **Enter**.
If the onboarding completed successfully but the endpoints are not showing up in the **Machines view** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
2. From the **Run** dialog box, type **regedit** and press **Enter**.
4. In the **Registry Editor** navigate to the Status key under:
```text
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection
```
5. Check the **OnboardingState** value is set to **1**.
![Image of OnboardingState status in Registry Editor](images/onboardingstate.png)
If the **OnboardingState** value is not set to **1**, you can use Event Viewer to review errors on the endpoint.
If you configured your endpoints with a deployment tool that required a script, you can check the event viewer for the onboarding script results.
<br>
**Check the result of the script**:
## Troubleshoot onboarding when deploying with a script on the endpoint
**Check the result of the script on the endpoint**:
1. Click **Start**, type **Event Viewer**, and press **Enter**.
2. Go to **Windows Logs** > **Application**.
@ -66,25 +56,82 @@ If you configured your endpoints with a deployment tool that required a script,
3. Look for an event from **WDATPOnboarding** event source.
If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.
> **Note**&nbsp;&nbsp;The following event IDs are specific to the onboarding script only.
> [!NOTE]
> The following event IDs are specific to the onboarding script only.
Event ID | Error Type | Resolution steps
:---|:---|:---
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```. Verify that the script was ran as an administrator.
15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically<br> ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.<br>Verify that the script was ran as an administrator.
15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location<br>```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.<br>The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
65 | Insufficient privileges| Run the script again with administrator privileges.
## Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
Use the following tables to understand the possible causes of issues while onboarding:
- Microsoft Intune error codes and OMA-URIs table
- Known issues with non-compliance table
- Mobile Device Management (MDM) event logs table
If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint Management** section of the portal, and run it in an elevated command prompt.
**Microsoft Intune error codes and OMA-URIs**:
Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
:---|:---|:---|:---|:---
0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | Onboarding <br> Offboarding <br> SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it. <br><br> **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. <br> <br> If it doesn't exist, open an elevated command and add the key.
| | | SenseIsRunning <br> OnboardingState <br> OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed. <br><br> **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues). <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms: Enterprise, Education, and Professional. <br> Server is not supported.
0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms: Enterprise, Education, and Professional.
<br>
**Use Event Viewer to identify and adress onboarding errors**:
**Known issues with non-compliance**
The following table provides information on issues with non-compliance and how you can address the issues.
Case | Symptoms | Possible cause and troubleshooting steps
:---|:---|:---
1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already. <br><br> **Troubleshooting steps:** Wait for OOBE to complete.
2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start. <br><br> **Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time.
<br>
**Mobile Device Management (MDM) event logs**
View the MDM event logs to troubleshoot issues that might arise during onboarding:
Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
Channel name: Admin
ID | Severity | Event description | Troubleshooting steps
:---|:---|:---|:---
1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ELAM driver needs to be enabled see, [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
## Troubleshoot onboarding issues on the endpoint
If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
- [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)
- [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
- [Ensure the endpoint has an Internet connection](#ensure-the-endpoint-has-an-internet-connection)
- [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled)
### View agent onboarding errors in the endpoint event log
1. Click **Start**, type **Event Viewer**, and press **Enter**.
2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
> **Note**&nbsp;&nbsp;SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
> [!NOTE]
> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
3. Select **Operational** to load the log.
@ -98,101 +145,16 @@ Event ID | Error Type | Resolution steps
Event ID | Message | Resolution steps
:---|:---|:---
5 | Windows Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
6 | Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
7 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
15 | Windows Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
### Ensure the Windows Defender ATP service is enabled
If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service is set to automatically start and is running on the endpoint.
You can use the SC command line program for checking and managing the startup type and running state of the service.
**Check the Windows Defender ATP service startup type from the command line:**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc qc sense
```
If the the service is running, then the result should look like the following screenshot:
![Result of the sq query sense command](images/sc-query-sense-autostart.png)
If the service ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start.
**Change the Windows Defender ATP service startup type from the command line:**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc config sense start=auto
```
3. A success message is displayed. Verify the change by entering the following command and press **Enter**:
```text
sc qc sense
```
**Check the Windows Defender ATP service is running from the command line:**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc query sense
```
If the service is running, the result should look like the following screenshot:
![Result of the sc query sense command](images/sc-query-sense-running.png)
If the service **STATE** is not set to **RUNNING**, then you'll need to start it.
**Start the Windows Defender ATP service from the command line:**
1. Open an elevated command-line prompt on the endpoint:
a. Click **Start**, type **cmd**, and press **Enter**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc start sense
```
3. A success message is displayed. Verify the change by entering the following command and press **Enter**:
```text
sc qc sense
```
<br>
There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
### Ensure the telemetry and diagnostics service is enabled
If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service may have been disabled by other programs or user configuration changes.
If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
@ -212,12 +174,11 @@ First, you should check that the service is set to start automatically when Wind
sc qc diagtrack
```
If the service is enabled, then the result should look like the following screenshot:
If the service is enabled, then the result should look like the following screenshot:
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
If the ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start.
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
@ -240,109 +201,13 @@ If the ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set
sc qc diagtrack
```
**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service startup type**:
4. Start the service.
1. Open the services console:
a. Click **Start** and type **services**.
b. Press **Enter** to open the console.
2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
3. Check the **Startup type** column - the service should be set as **Automatic**.
If the startup type is not set to **Automatic**, you'll need to change it so the service starts when the endpoint does.
**Use the Windows Services console to set the Windows 10 telemetry and diagnostics service to automatically start:**
1. Open the services console:
a. Click **Start** and type **services**.
b. Press **Enter** to open the console.
2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
3. Right-click on the entry and click **Properties**.
4. On the **General** tab, change the **Startup type:** to **Automatic**, as shown in the following image. Click OK.
![Select Automatic to change the startup type in the Properties dialog box for the service](images/windefatp-utc-console-autostart.png)
### Ensure the service is running
**Use the command line to check the Windows 10 telemetry and diagnostics service is running**:
1. Open an elevated command-line prompt on the endpoint:
a. **Click **Start** and type **cmd**.**
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc query diagtrack
```
If the service is running, the result should look like the following screenshot:
![Result of the sc query command for sc query diagtrack](images/windefatp-sc-query-diagtrack.png)
If the service **STATE** is not set to **RUNNING**, then you'll need to start it.
**Use the command line to start the Windows 10 telemetry and diagnostics service:**
1. Open an elevated command-line prompt on the endpoint:
a. **Click **Start** and type **cmd**.**
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc start diagtrack
```
3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
```text
sc query diagtrack
```
**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service is running**:
1. Open the services console:
a. Click **Start** and type **services**.
b. Press **Enter** to open the console.
2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
3. Check the **Status** column - the service should be marked as **Running**.
If the service is not running, you'll need to start it.
**Use the Windows Services console to start the Windows 10 telemetry and diagnostics service:**
1. Open the services console:
a. Click **Start** and type **services**.
b. Press **Enter** to open the console.
2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
3. Right-click on the entry and click **Start**, as shown in the following image.
![Select Start to start the service](images/windef-utc-console-start.png)
a. In the command prompt, type the following command and press **Enter**:
```text
sc start diagtrack
```
### Ensure the endpoint has an Internet connection
@ -352,90 +217,103 @@ WinHTTP is independent of the Internet browsing proxy settings and other user co
To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic.
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
## Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
### Ensure the Windows Defender ELAM driver is enabled
If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled.
Use the following tables to understand the possible causes of issues while onboarding:
**Check the ELAM driver status:**
- Microsoft Intune error codes and OMA-URIs table
- Known issues with non-compliance table
- Mobile Device Management (MDM) event logs table
1. Open a command-line prompt on the endpoint:
If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint Management** section of the portal, and run it in an elevated command prompt.
a. Click **Start**, type **cmd**, and select **Command prompt**.
**Microsoft Intune error codes and OMA-URIs**:
2. Enter the following command, and press Enter:
```
sc qc WdBoot
```
If the ELAM driver is enabled, the output will be:
Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
:---|:---|:---|:---|:---
0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [Ensure the endpoint is onboarded successfully](#ensure-the-endpoint-is-onboarded-successfully) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | Onboarding <br> Offboarding <br> SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it. <br><br> **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. <br> <br> If it doesn't exist, open an elevated command and add the key.
| | | SenseIsRunning <br> OnboardingState <br> OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed. <br><br> **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues). <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms: Enterprise, Education, and Professional. <br> Server is not supported.
0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms: Enterprise, Education, and Professional.
```
[SC] QueryServiceConfig SUCCESS
<br>
**Known issues with non-compliance**
SERVICE_NAME: WdBoot
TYPE : 1 KERNEL_DRIVER
START_TYPE : 0 BOOT_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \SystemRoot\system32\drivers\WdBoot.sys
LOAD_ORDER_GROUP : Early-Launch
TAG : 0
DISPLAY_NAME : Windows Defender Boot Driver
DEPENDENCIES :
SERVICE_START_NAME :
```
If the ELAM driver is disabled the output will be:
```
[SC] QueryServiceConfig SUCCESS
The following table provides information on issues with non-compliance and how you can address the issues.
SERVICE_NAME: WdBoot
TYPE : 1 KERNEL_DRIVER
START_TYPE : 0 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \SystemRoot\system32\drivers\WdBoot.sys
LOAD_ORDER_GROUP : _Early-Launch
TAG : 0
DISPLAY_NAME : Windows Defender Boot Driver
DEPENDENCIES :
SERVICE_START_NAME :
```
Case | Symptoms | Possible cause and troubleshooting steps
:---|:---|:---
1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already. <br><br> **Troubleshooting steps:** Wait for OOBE to complete.
2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start. <br><br> **Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time.
#### Enable the ELAM driver
<br>
**Mobile Device Management (MDM) event logs**
1. Open an elevated PowerShell console on the endpoint:
View the MDM event logs to troubleshoot issues that might arise during onboarding:
a. Click **Start**, type **powershell**.
Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
b. Right-click **Command prompt** and select **Run as administrator**.
Channel name: Admin
2. Run the following PowerShell cmdlet:
ID | Severity | Event description | Description
:---|:---|:---|:---
1801 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Get Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3) | Windows Defender ATP has failed to get specific node's value. <br> TokenName: Contains node name that caused the error. <br> Result: Error details.
1802 | Information | Windows Defender Advanced Threat Protection CSP: Get Node's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3) | Windows Defender ATP has completed to get specific node's value. <br> TokenName: Contains node name <br><br> Result: Error details or succeeded.
1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ATP has completed to get specific node's value. <br><br> TokenName: Contains node name that caused the error <br><br> Result: Error details.
1820 | Information | Windows Defender Advanced Threat Protection CSP: Set Nod's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ATP has completed to get specific node's value. <br><br> TokenName: Contains node name <br><br> Result: Error details or succeeded.
```text
'Set-ExecutionPolicy -ExecutionPolicy Bypass
```
3. Run the following PowerShell script:
```text
Add-Type @'
using System;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
using System.ComponentModel;
public static class Elam{
[DllImport("Kernel32", CharSet=CharSet.Auto, SetLastError=true)]
public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);
public static void InstallWdBoot(string path)
{
Console.Out.WriteLine("About to call create file on {0}", path);
var stream = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read);
var handle = stream.SafeFileHandle;
Console.Out.WriteLine("About to call InstallELAMCertificateInfo on handle {0}", handle.DangerousGetHandle());
if (!InstallELAMCertificateInfo(handle))
{
Console.Out.WriteLine("Call failed.");
throw new Win32Exception(Marshal.GetLastWin32Error());
}
Console.Out.WriteLine("Call successful.");
}
}
'@
$driverPath = $env:SystemRoot + "\System32\Drivers\WdBoot.sys"
[Elam]::InstallWdBoot($driverPath)
```
<!--
## There are no users in the Azure Active Directory
If you don't see any users in the [Azure Management Portal](https://manage.windowsazure.com/) during the service onboarding stage, you might need to add users to the directory first.
1. Go to the Azure Management Portal and select the directory you want to manage.
2. Click **Users** from the top menu bar.
![Example Azure Management Portal organization](images/contoso-users.png)
3. Click **Add user** from the menu bar at the bottom.
![Add user menu](images/add-user.png)
4. Select the type of user and enter their details. There might be multiple steps in the **Add user** dialog box depending on the type of user. When you're done, click **Complete** ![Check icon](images/check-icon.png) or **OK**.
5. Continue to add users. They will now appear in the **Users** section of the **Windows ATP Service** application. You must assign the user a role before they can access the [Windows Defender ATP portal](https://securitycenter.windows.com/).
## The Windows Defender ATP app doesn't appear in the Azure Management Portal
If you remove access for all users to the Windows ATP Service application (by clicking Manage access), you will not see the application in the list of applications in your directory in the [Azure Management Portal](https://manage.windowsazure.com/).
Log in to the application in the Azure Management Portal again:
1. Sign in to the [Windows Defender ATP portal](https://securitycenter.windows.com/) with the user account you want to give access to.
2. Confirm that you have signed in with the correct details, and click **Accept**.
3. Go to the [Azure Management Portal](https://manage.windowsazure.com/) and navigate to your directory. You will see the **Windows ATP Service** application in the **Applications** section again.
-->
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)

20
windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
View File

@ -13,11 +13,12 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
### Server error - Access is denied due to invalid credentials
@ -39,9 +40,11 @@ U.S. region:
- sevillefeedback-prd.trafficmanager.net
- sevillesettings-prd.trafficmanager.net
- threatintel-cus-prd.cloudapp.net
- threatintel-eus-prd.cloudapp.net
- threatintel-eus-prd.cloudapp.net
- winatpauthorization.windows.com
- winatpfeedback.windows.com
- winatpmanagement.windows.com
- winatponboarding.windows.com
EU region:
@ -52,7 +55,10 @@ EU region:
- sevillesettings-prd.trafficmanager.net
- threatintel-neu-prd.cloudapp.net
- threatintel-weu-prd.cloudapp.net
- winatpauthorization.windows.com
- winatpfeedback.windows.com
- winatpmanagement.windows.com
- winatponboarding.windows.com
### Windows Defender ATP service shows event or error logs in the Event Viewer

9
windows/keep-secure/use-windows-defender-advanced-threat-protection.md
View File

@ -14,11 +14,12 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
A typical security breach investigation requires a member of a security operations team to:
1. View an alert on the **Dashboard** or **Alerts queue**
@ -41,6 +42,6 @@ Topic | Description
[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external internet protocol (IP) addresses.
[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.

15
windows/keep-secure/windows-defender-advanced-threat-protection.md
View File

@ -14,12 +14,13 @@ author: mjcaparas
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows 10 Enterprise
- Windows 10 Enterprise for Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
@ -63,7 +64,7 @@ detect sophisticated cyber-attacks, providing:
- Behavior-based, cloud-powered, advanced attack detection
Finds the attacks that made it past all other defenses (post breach detection),provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.
Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.
- Rich timeline for forensic investigation and mitigation
@ -78,10 +79,12 @@ detect sophisticated cyber-attacks, providing:
Topic | Description
:---|:---
[Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | This overview topic for IT professionals provides information on the minimum requirements to use Windows Defender ATP such as network and data storage configuration, and endpoint hardware and software requirements, and deployment channels.
[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
[Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)| Learn about how Windows Defender ATP collects and handles information and where data is stored.
[Assign user access to the Windows Defender ATP portal](assign-portal-access-windows-defender-advanced-threat-protection.md)| Before users can access the portal, they'll need to be granted specific roles in Azure Active Directory.
[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the main features of the service and how it leverages Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks.
[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
[Windows Defender Advanced Threat Protection settings](settings-windows-defender-advanced-threat-protection.md) | Learn about setting the time zone and configuring the suppression rules to configure the service to your requirements.
[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
[Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
[Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP.

10
windows/keep-secure/windows-defender-block-at-first-sight.md
View File

@ -21,7 +21,7 @@ Block at First Sight is a feature of Windows Defender cloud protection that prov
You can enable Block at First Sight with Group Policy or individually on endpoints.
## Backend procesing and near-instant determinations
## Backend processing and near-instant determinations
When a Windows Defender client encounters a suspicious but previously undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
@ -86,16 +86,16 @@ Block at First Sight requires a number of Group Policy settings to be configured
5. Expand the tree through **Windows components > Windows Defender > MAPS**.
1. Double-click the **Configure the Block at First Sight feature** setting and set the option to **Enabled**.
1. Double-click the **Configure the Block at First Sight feature** setting and set the option to **Enabled**.
> [!NOTE]
> The Block at First Sight feature will not function if the pre-requisite group policies have not been correctly set.
### Manually enable Block at First Sight on Individual clients
### Manually enable Block at First Sight on individual clients
To configure un-managed clients that are running Windows 10, Block at First Sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
**Enable Block at First Sight on invididual clients**
**Enable Block at First Sight on individual clients**
1. Open Windows Defender settings:
@ -110,4 +110,4 @@ To configure un-managed clients that are running Windows 10, Block at First Sigh
## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)

154
windows/keep-secure/windows-defender-in-windows-10.md
View File

@ -1,76 +1,78 @@
---
title: Windows Defender in Windows 10 (Windows 10)
description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: jasesso
---
# Windows Defender in Windows 10
**Applies to**
- Windows 10
Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This topic provides an overview of Windows Defender, including a list of system requirements and new features.
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
Take advantage of Windows Defender by configuring settings and definitions using the following tools:
- Microsoft Active Directory *Group Policy* for settings
- Windows Server Update Services (WSUS) for definitions
Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md).
> **Note:**  System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
- Settings management
- Definition update management
- Alerts and alert management
- Reports and report management
When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
### Compatibility with Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode.
In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans wont run, and Windows Defender will not provide real-time protection from malware.
You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
 
### Minimum system requirements
Windows Defender has the same hardware requirements as Windows 10. For more information, see:
- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
### New and changed functionality
- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise.
- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed.
- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices.
For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website.
## In this section
Topic | Description
:---|:---
[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans.
[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services.
[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media.
[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10.
[Enable the Black at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud.
[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal.
[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions.
---
title: Windows Defender in Windows 10 (Windows 10)
description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: jasesso
---
# Windows Defender in Windows 10
**Applies to**
- Windows 10
Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This topic provides an overview of Windows Defender, including a list of system requirements and new features.
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
Take advantage of Windows Defender by configuring settings and definitions using the following tools:
- Microsoft Active Directory *Group Policy* for settings
- Windows Server Update Services (WSUS) for definitions
Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md).
> **Note:**  System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
- Settings management
- Definition update management
- Alerts and alert management
- Reports and report management
When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
### Compatibility with Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode.
In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans wont run, and Windows Defender will not provide real-time protection from malware.
You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
 
### Minimum system requirements
Windows Defender has the same hardware requirements as Windows 10. For more information, see:
- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
### New and changed functionality
- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise.
- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed.
- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices.
For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website.
## In this section
Topic | Description
:---|:---
[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans.
[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services.
[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media.
[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10.
[Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud.
[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal.
[Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)|Use the command-line utility to run a Windows Defender scan.
[Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)|Use the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions.

360
windows/keep-secure/windows-defender-offline.md
View File

@ -1,181 +1,181 @@
---
title: Windows Defender Offline in Windows 10
description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
keywords: scan, defender, offline
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: iaanw
---
# Windows Defender Offline in Windows 10
**Applies to:**
- Windows 10, version 1607
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
## Pre-requisites and requirements
Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
For more information about Windows 10 requirements, see the following topics:
- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
> [!NOTE]
> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
## Windows Defender Offline updates
Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
> [!NOTE]
> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic.
## Usage scenarios
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints.
The prompt can occur via a notification, similar to the following:
![Windows notification showing the requirement to run Windows Defender Offline](images/defender/notification.png)
The user will also be notified within the Windows Defender client:
![Windows Defender showing the requirement to run Windows Defender Offline](images/defender/client.png)
In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
![System Center Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png)
## Manage notifications
<a name="manage-notifications"></a>
You can suppress Windows Defender Offline notifications with Group Policy.
> [!NOTE]
> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required.
**Use Group Policy to suppress Windows Defender notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Client Interface**.
1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
## Configure Windows Defender Offline settings
You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications.
For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic.
## Run a scan
Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings.
> [!NOTE]
> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete.
You can set up a Windows Defender Offline scan with the following:
- Windows Update and Security settings
- Windows Defender
- Windows Management Instrumentation
- Windows PowerShell
- Group Policy
> [!NOTE]
> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
**Run Windows Defender Offline from Windows Settings:**
1. Open the **Start** menu and click or type **Settings**.
1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section.
1. Click **Scan offline**.
![Windows Defender Offline setting](images/defender/settings-wdo.png)
1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
**Run Windows Defender Offline from Windows Defender:**
1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
1. On the **Home** tab click **Download and Run**.
![Windows Defender home tab showing the Download and run button](images/defender/download-wdo.png)
1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
**Use Windows Management Instrumentation to configure and run Windows Defender Offline:**
Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.
The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
```WMI
wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
```
For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
**Run Windows Defender Offline using PowerShell:**
Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan.
For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic.
## Review scan results
Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan.
1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
1. Go to the **History** tab.
1. Select **All detected items**.
1. Click **View details**.
Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**:
![Windows Defender detection source showing as Offline](images/defender/detection-source.png)
## Related topics
---
title: Windows Defender Offline in Windows 10
description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
keywords: scan, defender, offline
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: iaanw
---
# Windows Defender Offline in Windows 10
**Applies to:**
- Windows 10, version 1607
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
## Pre-requisites and requirements
Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
For more information about Windows 10 requirements, see the following topics:
- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
> [!NOTE]
> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
## Windows Defender Offline updates
Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
> [!NOTE]
> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic.
## Usage scenarios
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints.
The prompt can occur via a notification, similar to the following:
![Windows notification showing the requirement to run Windows Defender Offline](images/defender/notification.png)
The user will also be notified within the Windows Defender client:
![Windows Defender showing the requirement to run Windows Defender Offline](images/defender/client.png)
In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
![System Center Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png)
## Manage notifications
<a name="manage-notifications"></a>
You can suppress Windows Defender Offline notifications with Group Policy.
> [!NOTE]
> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required.
**Use Group Policy to suppress Windows Defender notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Client Interface**.
1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
## Configure Windows Defender Offline settings
You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications.
For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic.
## Run a scan
Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings.
> [!NOTE]
> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete.
You can set up a Windows Defender Offline scan with the following:
- Windows Update and Security settings
- Windows Defender
- Windows Management Instrumentation
- Windows PowerShell
- Group Policy
> [!NOTE]
> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
**Run Windows Defender Offline from Windows Settings:**
1. Open the **Start** menu and click or type **Settings**.
1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section.
1. Click **Scan offline**.
![Windows Defender Offline setting](images/defender/settings-wdo.png)
1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
**Run Windows Defender Offline from Windows Defender:**
1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
1. On the **Home** tab click **Download and Run**.
![Windows Defender home tab showing the Download and run button](images/defender/download-wdo.png)
1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
**Use Windows Management Instrumentation to configure and run Windows Defender Offline:**
Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.
The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
```WMI
wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
```
For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
**Run Windows Defender Offline using PowerShell:**
Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan.
For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic.
## Review scan results
Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan.
1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
1. Go to the **History** tab.
1. Select **All detected items**.
1. Click **View details**.
Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**:
![Windows Defender detection source showing as Offline](images/defender/detection-source.png)
## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)

125
windows/manage/TOC.md
View File

@ -36,6 +36,131 @@
## [Configure devices without MDM](configure-devices-without-mdm.md)
## [Windows 10 servicing options](introduction-to-windows-10-servicing.md)
## [Application development for Windows as a service](application-development-for-windows-as-a-service.md)
## [Application Virtualization (App-V) for Windows](appv-for-windows.md)
### [Getting Started with App-V](appv-getting-started.md)
#### [About App-V](appv-about-appv.md)
##### [Release Notes for App-V](appv-release-notes-for-appv-for-windows.md)
#### [Evaluating App-V](appv-evaluating-appv.md)
#### [High Level Architecture for App-V](appv-high-level-architecture.md)
#### [Accessibility for App-V](appv-accessibility.md)
### [Planning for App-V](appv-planning-for-appv.md)
#### [Preparing Your Environment for App-V](appv-preparing-your-environment.md)
##### [App-V Prerequisites](appv-prerequisites.md)
##### [App-V Security Considerations](appv-security-considerations.md)
#### [Planning to Deploy App-V](appv-planning-to-deploy-appv.md)
##### [App-V Supported Configurations](appv-supported-configurations.md)
##### [App-V Capacity Planning](appv-capacity-planning.md)
##### [Planning for High Availability with App-V](appv-planning-for-high-availability-with-appv.md)
##### [Planning to Deploy App-V with an Electronic Software Distribution System](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md)
##### [Planning for the App-V Server Deployment](appv-planning-for-appv-server-deployment.md)
##### [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md)
##### [Planning for Migrating from a Previous Version of App-V](appv-planning-for-migrating-from-a-previous-version-of-appv.md)
##### [Planning for Using App-V with Office](appv-planning-for-using-appv-with-office.md)
##### [Planning to Use Folder Redirection with App-V](appv-planning-folder-redirection-with-appv.md)
#### [App-V Planning Checklist](appv-planning-checklist.md)
### [Deploying App-V](appv-deploying-appv.md)
#### [Deploying the App-V Sequencer and Client](appv-deploying-the-appv-sequencer-and-client.md)
##### [About Client Configuration Settings](appv-client-configuration-settings.md)
##### [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
##### [How to Install the App-V Client for Shared Content Store Mode](appv-install-the-appv-client-for-shared-content-store-mode.md)
##### [How to Install the Sequencer](appv-install-the-sequencer.md)
##### [How to Modify App-V Client Configuration Using the ADMX Template and Group Policy](appv-modify-client-configuration-with-the-admx-template-and-group-policy.md)
#### [Deploying the App-V Server](appv-deploying-the-appv-server.md)
##### [How to Deploy the App-V Server](appv-deploy-the-appv-server.md)
##### [How to Deploy the App-V Server Using a Script](appv-deploy-the-appv-server-with-a-script.md)
##### [How to Deploy the App-V Databases by Using SQL Scripts](appv-deploy-appv-databases-with-sql-scripts.md)
##### [How to Install the Publishing Server on a Remote Computer](appv-install-the-publishing-server-on-a-remote-computer.md)
##### [How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](appv-install-the-management-and-reporting-databases-on-separate-computers.md)
##### [How to install the Management Server on a Standalone Computer and Connect it to the Database ](appv-install-the-management-server-on-a-standalone-computer.md)
##### [About App-V Reporting](appv-reporting.md)
##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](appv-install-the-reporting-server-on-a-standalone-computer.md)
#### [App-V Deployment Checklist](appv-deployment-checklist.md)
#### [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
#### [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
### [Operations for App-V](appv-operations.md)
#### [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md)
##### [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md)
##### [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md)
##### [How to Create and Use a Project Template](appv-create-and-use-a-project-template.md)
##### [How to Create a Package Accelerator](appv-create-a-package-accelerator.md)
##### [How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md)
#### [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md)
##### [About App-V Dynamic Configuration](appv-dynamic-configuration.md)
##### [How to Connect to the Management Console ](appv-connect-to-the-management-console.md)
##### [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md)
##### [How to Configure Access to Packages by Using the Management Console ](appv-configure-access-to-packages-with-the-management-console.md)
##### [How to Publish a Package by Using the Management Console ](appv-publish-a-packages-with-the-management-console.md)
##### [How to Delete a Package in the Management Console ](appv-delete-a-package-with-the-management-console.md)
##### [How to Add or Remove an Administrator by Using the Management Console](appv-add-or-remove-an-administrator-with-the-management-console.md)
##### [How to Register and Unregister a Publishing Server by Using the Management Console](appv-register-and-unregister-a-publishing-server-with-the-management-console.md)
##### [How to Create a Custom Configuration File by Using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md)
##### [How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console](appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md)
##### [How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console](appv-customize-virtual-application-extensions-with-the-management-console.md)
##### [How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console ](appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md)
#### [Managing Connection Groups](appv-managing-connection-groups.md)
##### [About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)
##### [About the Connection Group File](appv-connection-group-file.md)
##### [How to Create a Connection Group](appv-create-a-connection-group.md)
##### [How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)
##### [How to Delete a Connection Group](appv-delete-a-connection-group.md)
##### [How to Publish a Connection Group](appv-publish-a-connection-group.md)
##### [How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)
##### [How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)
#### [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md)
##### [How to deploy App-V Packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md)
##### [How to Enable Only Administrators to Publish Packages by Using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md)
#### [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
##### [How to Access the Client Management Console](appv-accessing-the-client-management-console.md)
##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server ](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
#### [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md)
##### [How to Convert a Package Created in a Previous Version of App-V](appv-convert-a-package-created-in-a-previous-version-of-appv.md)
#### [Maintaining App-V](appv-maintaining-appv.md)
##### [How to Move the App-V Server to Another Computer](appv-move-the-appv-server-to-another-computer.md)
#### [Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md)
##### [How to Load the PowerShell Cmdlets and Get Cmdlet Help ](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md)
##### [How to Manage App-V Packages Running on a Stand-Alone Computer by Using PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md)
##### [How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)
##### [How to Modify Client Configuration by Using PowerShell](appv-modify-client-configuration-with-powershell.md)
##### [How to Apply the User Configuration File by Using PowerShell](appv-apply-the-user-configuration-file-with-powershell.md)
##### [How to Apply the Deployment Configuration File by Using PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md)
##### [How to Sequence a Package by Using PowerShell ](appv-sequence-a-package-with-powershell.md)
##### [How to Create a Package Accelerator by Using PowerShell](appv-create-a-package-accelerator-with-powershell.md)
##### [How to Enable Reporting on the App-V Client by Using PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md)
##### [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)
### [Troubleshooting App-V](appv-troubleshooting.md)
### [Technical Reference for App-V](appv-technical-reference.md)
#### [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
#### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
#### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md)
## [User Experience Virtualization (UE-V) for Windows](uev-for-windows.md)
### [Get Started with UE-V](uev-getting-started.md)
#### [What's New in UE-V for Windows 10, version 1607](uev-whats-new-in-uev-for-windows.md)
#### [User Experience Virtualization Release Notes](uev-release-notes-1607.md)
#### [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
### [Prepare a UE-V Deployment](uev-prepare-for-deployment.md)
#### [Deploy Required UE-V Features](uev-deploy-required-features.md)
#### [Deploy UE-V for use with Custom Applications](uev-deploy-uev-for-custom-applications.md)
### [Administering UE-V](uev-administering-uev.md)
#### [Manage Configurations for UE-V](uev-manage-configurations.md)
##### [Configuring UE-V with Group Policy Objects](uev-configuring-uev-with-group-policy-objects.md)
##### [Configuring UE-V with System Center Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md)
##### [Administering UE-V with Windows PowerShell and WMI](uev-administering-uev-with-windows-powershell-and-wmi.md)
###### [Managing the UE-V Service and Packages with Windows PowerShell and WMI](uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md)
###### [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md)
#### [Working with Custom UE-V Templates and the UE-V Template Generator](uev-working-with-custom-templates-and-the-uev-generator.md)
#### [Manage Administrative Backup and Restore in UE-V](uev-manage-administrative-backup-and-restore.md)
#### [Changing the Frequency of UE-V Scheduled Tasks](uev-changing-the-frequency-of-scheduled-tasks.md)
#### [Migrating UE-V Settings Packages](uev-migrating-settings-packages.md)
#### [Using UE-V with Application Virtualization Applications](uev-using-uev-with-application-virtualization-applications.md)
### [Troubleshooting UE-V](uev-troubleshooting.md)
### [Technical Reference for UE-V](uev-technical-reference.md)
#### [Sync Methods for UE-V](uev-sync-methods.md)
#### [Sync Trigger Events for UE-V](uev-sync-trigger-events.md)
#### [Synchronizing Microsoft Office with UE-V](uev-synchronizing-microsoft-office-with-uev.md)
#### [Application Template Schema Reference for UE-V](uev-application-template-schema-reference.md)
#### [Accessibility for UE-V](uev-accessibility.md)
#### [Security Considerations for UE-V](uev-security-considerations.md)
## [Windows Store for Business](windows-store-for-business.md)
### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
####[Windows Store for Business overview](windows-store-for-business-overview.md)

473
windows/manage/appv-about-appv.md Normal file
View File

@ -0,0 +1,473 @@
---
title: About App-V (Windows 10)
description: About App-V
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# About App-V for Windows
Applies to: Windows 10, version 1607
Review the following sections for information about significant changes that apply to Application Virtualization (App-V) for Windows:
[App-V software prerequisites and supported configurations](#bkmk-51-prereq-configs)
[Migrating to App-V](#bkmk-migrate-to-51)
[Whats New in App-V](#bkmk-whatsnew)
[App-V support for Windows 10](#bkmk-win10support)
[App-V Management Console Changes](#bkmk-mgmtconsole)
[Sequencer Improvements](#bkmk-seqimprove)
[Improvements to Package Converter](#bkmk-pkgconvimprove)
[Support for multiple scripts on a single event trigger](#bkmk-supmultscripts)
[Hardcoded path to installation folder is redirected to virtual file system root](#bkmk-hardcodepath)
## <a href="" id="bkmk-51-prereq-configs"></a>App-V for Windows software prerequisites and supported configurations
See the following links for the App-V for Windows software prerequisites and supported configurations.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Links to prerequisites and supported configurations</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[App-V Prerequisites](appv-prerequisites.md)</p></td>
<td align="left"><p>Prerequisite software that you must install before you can get started with App-V for Windows</p></td>
</tr>
<tr class="even">
<td align="left"><p>[App-V Supported Configurations](appv-supported-configurations.md)</p></td>
<td align="left"><p>Supported operating systems and hardware requirements for the App-V Server, Sequencer, and Client components</p></td>
</tr>
</tbody>
</table>
 
**Support for using Configuration Manager with App-V:** App-V supports System Center 2012 R2 Configuration Manager SP1. See [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx) for information about integrating your App-V environment with Configuration Manager.
## <a href="" id="bkmk-migrate-to-51"></a>Upgrade to App-V for Windows
Use the following information to upgrade to App-V for Windows from earlier versions. See [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md) for more information.
### Before you start the upgrade
Review the following information before you start the upgrade:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Items to review before upgrading</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Components to upgrade, in any order</p></td>
<td align="left"><ol>
<li><p>App-V Server</p></li>
<li><p>Sequencer</p></li>
<li><p>App-V Client or App-V Remote Desktop Services (RDS) Client</p></li>
</ol>
<div class="alert">
<strong>Note</strong>  
<p>Prior to App-V 5.0 SP2, the Client Management User Interface (UI) was provided with the App-V Client installation. For App-V 5.0 SP2 installations (or later), you can use the Client Management UI by downloading from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).</p>
</div>
<div>
 
</div></td>
</tr>
<tr class="even">
<td align="left"><p>Upgrading from App-V 4.x</p></td>
<td align="left"><p>You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V for Windows. For more information, see [Planning for Migrating from a Previous Version of App-V](appv-planning-for-migrating-from-a-previous-version-of-appv.md)</p></li>
</ul>
<p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>Upgrading from App-V 5.0 or later</p></td>
<td align="left"><p>You can upgrade to App-V for Windows directly from any of the following versions:</p>
<ul>
<li><p>App-V 5.0</p></li>
<li><p>App-V 5.0 SP1</p></li>
<li><p>App-V 5.0 SP2</p></li>
<li><p>App-V 5.0 SP3</p></li>
</ul>
<p>To upgrade to App-V for Windows, follow the steps in the remaining sections of this topic.</p>
<p>Packages and connection groups will continue to work with App-V for Windows as they currently do.</p></td>
</tr>
</tbody>
</table>
 
### <a href="" id="bkmk-steps-upgrd-infrastruc"></a>Steps to upgrade the App-V infrastructure
Complete the following steps to upgrade each component of the App-V infrastructure to App-V for Windows. The following order is only a suggestion; you can upgrade components in any order.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Step</th>
<th align="left">For more information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Step 1: Upgrade the App-V Server.</p>
<div class="alert">
<strong>Note</strong>  
<p>If you are not using the App-V Server, skip this step and go to the next step.</p>
</div>
<div>
 
</div></td>
<td align="left"><p>Follow these steps:</p>
<ol>
<li><p>Do one of the following, depending on the method you are using to upgrade the management database and/or reporting database:</p>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Database upgrade method</th>
<th align="left">Step</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Windows Installer</p></td>
<td align="left"><p>Skip this step and go to step 2, “If you are upgrading the App-V Server...”</p></td>
</tr>
<tr class="even">
<td align="left"><p>SQL scripts</p></td>
<td align="left"><p>Follow the steps in [How to Deploy the App-V Databases by Using SQL Scripts](https://technet.microsoft.com/en-us/itpro/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts).</p></td>
</tr>
</tbody>
</table>
<li><p>If you are upgrading the App-V for Windows Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](https://technet.microsoft.com/en-us/itpro/mdop/appv-v5/check-reg-key-svr).</p></li>
<li><p>Follow the steps in [How to Deploy the App-V Server](appv-deploy-the-appv-server.md)</p></li>
<p> </p></li>
</ol></td>
</tr>
<tr class="even">
<td align="left"><p>Step 2: Install the new App-V for Windows sequencer.</p></td>
<td align="left"><p>See [How to Install the Sequencer](appv-install-the-sequencer.md).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Step 3: Enable the in-box App-V Client.</p></td>
<td align="left"><p>See [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md).</p></td>
</tr>
</tbody>
</table>
 
### Converting packages created using a prior version of App-V
Use the package converter utility to upgrade virtual application packages created using versions of App-V prior to App-V 5.0. The package converter uses PowerShell to convert packages and can help automate the process if you have many packages that require conversion.
>**Note**  
App-V for Windows packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and so there is no need to convert App-V 5.0 packages to App-V for Windows packages.
 
## <a href="" id="bkmk-whatsnew"></a>Whats New in App-V
These sections are for users who are already familiar with App-V and want to know what has changed in App-V for Windows. If you are not already familiar with App-V, you should start by reading [Planning for App-V](appv-planning-for-appv.md).
### <a href="" id="bkmk-mgmtconsole"></a>App-V Management Console Changes
This section compares the App-V for Windows Management Consoles current and previous functionality.
### Silverlight is no longer required
The Management Console UI no longer requires Silverlight. The Management Console is built on HTML5 and Javascript.
### Notifications and messages are displayed individually in a dialog box
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">New in App-V for Windows</th>
<th align="left">Prior to App-V</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><strong>Number of messages indicator:</strong></p>
<p>On the title bar of the App-V Management Console, a number is now displayed next to a flag icon to indicate the number of messages that are waiting to be read.</p></td>
<td align="left"><p>You could see only one message or error at a time, and you were unable to determine how many messages there were.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Message appearance:</strong></p>
<ul>
<li><p>Messages that require user input appear in a separate dialog box that displays on top of the current page that you were viewing, and require a response before you can dismiss them.</p></li>
<li><p>Messages and errors appear in a list, with one beneath the other.</p></li>
</ul></td>
<td align="left"><p>You could see only one message or error at a time.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Dismissing messages:</strong></p>
<p>Use the <strong>Dismiss All</strong> link to dismiss all messages and errors at one time, or dismiss them one at a time.</p></td>
<td align="left"><p>You could dismiss messages and errors only one at a time.</p></td>
</tr>
</tbody>
</table>
 
### Console pages are now separate URLs
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">New in App-V for Windows</th>
<th align="left">Prior to App-V for Windows</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Each page in the console has a different URL, which enables you to bookmark specific pages for quick access in the future.</p>
<p>The number that appears in some URLs indicates the specific package. These numbers are unique.</p></td>
<td align="left"><p>All console pages are accessed through the same URL.</p></td>
</tr>
</tbody>
</table>
 
### New, separate CONNECTION GROUPS page and menu option
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">New in App-V for Windows</th>
<th align="left">Prior to App-V for Windows</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>The CONNECTION GROUPS page is now part of the main menu, at the same level as the PACKAGES page.</p></td>
<td align="left"><p>To open the CONNECTION GROUPS page, you navigate through the PACKAGES page.</p></td>
</tr>
</tbody>
</table>
 
### Menu options for packages have changed
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">New in App-V for Windows</th>
<th align="left">Prior to App-V Windows</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>The following options are now buttons that appear at the bottom of the PACKAGES page:</p>
<ul>
<li><p>Add or Upgrade</p></li>
<li><p>Publish</p></li>
<li><p>Unpublish</p></li>
<li><p>Delete</p></li>
</ul>
<p>The following options will still appear when you right-click a package to open the drop-down context menu:</p>
<ul>
<li><p>Publish</p></li>
<li><p>Unpublish</p></li>
<li><p>Edit AD Access</p></li>
<li><p>Edit Deployment Config</p></li>
<li><p>Transfer deployment configuration from…</p></li>
<li><p>Transfer access and configuration from…</p></li>
<li><p>Delete</p></li>
</ul>
<p>When you click <strong>Delete</strong> to remove a package, a dialog box opens and asks you to confirm that you want to delete the package.</p></td>
<td align="left"><p>The <strong>Add or Upgrade</strong> option was a button at the top right of the PACKAGES page.</p>
<p>The <strong>Publish</strong>, <strong>Unpublish</strong>, and <strong>Delete</strong> options were available only if you right-clicked a package name in the packages list.</p></td>
</tr>
<tr class="even">
<td align="left"><p>The following package operations are now buttons on the package details page for each package:</p>
<ul>
<li><p>Transfer (drop-down menu with the following options):</p>
<ul>
<li><p>Transfer deployment configuration from…</p></li>
<li><p>Transfer access and configuration from…</p></li>
</ul></li>
<li><p>Edit (connection groups and AD Access)</p></li>
<li><p>Unpublish</p></li>
<li><p>Delete</p></li>
<li><p>Edit Default Configuration</p></li>
</ul></td>
<td align="left"><p>These package options were available only if you right-clicked a package name in the packages list.</p></td>
</tr>
</tbody>
</table>
 
### Icons in left pane have new colors and text
The colors of the icons in the left pane have been changed, and text added, to make the icons consistent with other Microsoft products.
### Overview page has been removed
In the left pane of the Management Console, the OVERVIEW menu option and its associated OVERVIEW page have been removed.
### <a href="" id="bkmk-seqimprove"></a>Sequencer Improvements
The following improvements have been made to the package editor in the App-V Sequencer.
### Import and export the manifest file
You can import and export the AppxManifest.xml file. To export the manifest file, select the **Advanced** tab and in the Manifest File box, click **Export...**. You can make changes to the manifest file, such as removing shell extensions or editing file type associations.
After you make your changes, click **Import...** and select the file you edited. After you successfully import it back in, the manifest file is immediately updated within the package editor.
**Caution**  
When you import the file, your changes are validated against the XML schema. If the file is not valid, you will receive an error. Be aware that it is possible to import a file that is validated against the XML schema, but that might still fail to run for other reasons.
 
### Addition of Windows 10 to operating systems list
In the Deployment tab, Windows 10 32-bit and Windows 10-64 bit have been added to the list of operating systems for which you can sequence a package. If you select **Any Operating System**, Windows 10 is automatically included among the operating systems that the sequenced package will support.
### Current path displays at bottom of virtual registry editor
In the Virtual Registry tab, the path now displays at the bottom of the virtual registry editor, which enables you to determine the currently selected key. Previously, you had to scroll through the registry tree to find the currently selected key.
### <a href="" id="combined--find-and-replace--dialog-box-and-shortcut-keys-added-in-virtual-registry-editor"></a>Combined “find and replace” dialog box and shortcut keys added in virtual registry editor
In the virtual registry editor, shortcut keys have been added for the Find option (Ctrl+F), and a dialog box that combines the “find” and “replace” tasks has been added to enable you to find and replace values and data. To access this combined dialog box, select a key and do one of the following:
- Press **Ctrl+H**
- Right-click a key and select **Replace**.
- Select **View** &gt; **Virtual Registry** &gt; **Replace**.
Previously, the “Replace” dialog box did not exist, and you had to make changes manually.
### Rename registry keys and package files successfully
You can rename virtual registry keys and files without experiencing Sequencer issues. Previously, the Sequencer stopped working if you tried to rename a key.
### Import and export virtual registry keys
You can import and export virtual registry keys. To import a key, right-click the node under which to import the key, navigate to the key you want to import, and then click **Import**. To export a key, right-click the key and select **Export**.
### Import a directory into the virtual file system
You can import a directory into the VFS. To import a directory, click the **Package Files** tab, and then click **View** &gt; **Virtual File System** &gt; **Import Directory**. If you try to import a directory that contains files that are already in the VFS, the import fails, and an explanatory message is displayed. Prior to App-V, you could not import directories.
### Import or export a VFS file without having to delete and then add it back to the package
You can import files to or export files from the VFS without having to delete the file and then add it back to the package. For example, you might use this feature to export a change log to a local drive, edit the file using an external editor, and then re-import the file into the VFS.
To export a file, select the **Package Files** tab, right-click the file in the VFS, click **Export**, and choose an export location from which you can make your edits.
To import a file, select the **Package Files** tab and right-click the file that you had exported. Browse to the file that you edited, and then click **Import**. The imported file will overwrite the existing file.
After you import a file, you must save the package by clicking **File** &gt; **Save**.
### Menu for adding a package file has moved
The menu option for adding a package file has been moved. To find the Add option, select the **Package Files** tab, then click **View** &gt; **Virtual File System** &gt; **Add File**. Previously, you right-clicked a folder under the VFS node, and chose **Add File**.
### Virtual registry node expands MACHINE and USER hives by default
When you open the virtual registry, the MACHINE and USER hives are shown below the top-level REGISTRY node. Previously, you had to expand the REGISTRY node to show the hives beneath.
### Enable or disable Browser Helper Objects
You can enable or disable Browser Helper Objects by selecting a new check box, Enable Browser Helper Objects, on the Advanced tab of the Sequencer user interface. If Browser Helper Objects:
- Exist in the package and are enabled, the check box is selected by default.
- Exist in the package and are disabled, the check box is clear by default.
- Exist in the package, with one or more enabled and one or more disabled, the check box is set to indeterminate by default.
- Do not exist in the package, the check box is disabled.
### <a href="" id="bkmk-pkgconvimprove"></a>Improvements to Package Converter
You can now use the package converter to convert App-V 4.6 packages that contain scripts, and registry information and scripts from source .osd files are now included in package converter output.
For more information including examples, see [Migrating to App-V for Windows from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md).
### <a href="" id="bkmk-supmultscripts"></a>Support for multiple scripts on a single event trigger
App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you are converting from App-V 4.6 to App-V 5.0 or later. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is installed as part of the App-V client installation.
For more information, including a list of event triggers and the context under which scripts can be run, see the Scripts section in [About App-V Dynamic Configuration](appv-dynamic-configuration.md).
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Release Notes for App-V](appv-release-notes-for-appv-for-windows.md)
 
 

169
windows/manage/appv-accessibility.md Normal file
View File

@ -0,0 +1,169 @@
---
title: Accessibility for App-V (Windows 10)
description: Accessibility for App-V
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# Accessibility for App-V
Microsoft is committed to making its products and services easier for everyone to use. This section provides information about features and services that make this product and its corresponding documentation more accessible for people with disabilities.
## Keyboard Shortcuts for the App-V Management Server
Following are the keyboard Shortcuts for the App-V Management Server:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">To do this</th>
<th align="left">Press</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Close a dialog box.</p></td>
<td align="left"><p>Esc</p></td>
</tr>
<tr class="even">
<td align="left"><p>Perform the default action of a dialog box.</p></td>
<td align="left"><p>Enter</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Refresh the current page of the App-V client console.</p></td>
<td align="left"><p>F5</p></td>
</tr>
</tbody>
</table>
 
## Keyboard Shortcuts for the App-V Sequencer
Following are the keyboard shortcuts for the Virtual Registry tab in the package editor in the App-V Sequencer:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">To do this</th>
<th align="left">Press</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Open the Find dialog box.</p></td>
<td align="left"><p>CTRL + F</p></td>
</tr>
<tr class="even">
<td align="left"><p>Open the Replace dialog box.</p></td>
<td align="left"><p>CTRL + H</p></td>
</tr>
</tbody>
</table>
 
### Access Any Command with a Few Keystrokes
**Important**  
The information in this section only applies to the App-V sequencer. For specific information about the App-V server, see the Keyboard Shortcuts for the App-V Management Server section of this document.
 
Access keys let you quickly use a command by pressing a few keys. You can get to most commands by using two keystrokes. To use an access key:
1. Press ALT.
An underline appears beneath the keyboard shortcut for each feature that is available in the current view.
2. Press the letter underlined in the keyboard shortcut for the feature that you want to use.
**Note**  
To cancel the action that you are taking and hide the keyboard shortcuts, press ALT.
 
## Documentation in Alternative Formats
If you have difficulty reading or handling printed materials, you can obtain the documentation for many Microsoft products in more accessible formats. You can view an index of accessible product documentation on the Microsoft Accessibility website. In addition, you can obtain additional Microsoft publications from Learning Ally (formerly Recording for the Blind & Dyslexic, Inc.). Learning Ally distributes these documents to registered, eligible members of their distribution service.
For information about the availability of Microsoft product documentation and books from Microsoft Press, contact:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>Learning Ally (formerly Recording for the Blind &amp; Dyslexic, Inc.)</strong></p>
<p>20 Roszel Road</p>
<p>Princeton, NJ 08540</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>Telephone number from within the United States:</p></td>
<td align="left"><p>(800) 221-4792</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Telephone number from outside the United States and Canada:</p></td>
<td align="left"><p>(609) 452-0606</p></td>
</tr>
<tr class="even">
<td align="left"><p>Fax:</p></td>
<td align="left"><p>(609) 987-8116</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[http://www.learningally.org/](http://go.microsoft.com/fwlink/?linkid=239)</p></td>
<td align="left"><p>Web addresses can change, so you might be unable to connect to the website or sites mentioned here.</p></td>
</tr>
</tbody>
</table>
 
## Customer Service for People with Hearing Impairments
If you are deaf or hard-of-hearing, complete access to Microsoft product and customer services is available through a text telephone (TTY/TDD) service:
- For customer service, contact Microsoft Sales Information Center at (800) 892-5234 between 6:30 AM and 5:30 PM Pacific Time, Monday through Friday, excluding holidays.
- For technical assistance in the United States, contact Microsoft Product Support Services at (800) 892-5234 between 6:00 AM and 6:00 PM Pacific Time, Monday through Friday, excluding holidays. In Canada, dial (905) 568-9641 between 8:00 AM and 8:00 PM Eastern Time, Monday through Friday, excluding holidays.
Microsoft Support Services are subject to the prices, terms, and conditions in place at the time the service is used.
## For More Information
For more information about how accessible technology for computers helps to improve the lives of people with disabilities, see the [Microsoft Accessibility website](http://go.microsoft.com/fwlink/?linkid=8431).
## Related topics
[Getting Started with App-V](appv-getting-started.md)
 
 

26
windows/manage/appv-accessing-the-client-management-console.md Normal file
View File

@ -0,0 +1,26 @@
---
title: How to access the client management console (Windows 10)
description: How to access the client management console
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to access the client management console
Use the App-V client management console to manage packages on the computer running the App-V client.
> [!NOTE]
To perform all of the actions available using the client management console, you must have administrative access on the computer running the App-V client.
The client management console is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=41186).
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
- [Operations for App-V](appv-operations.md)

45
windows/manage/appv-add-or-remove-an-administrator-with-the-management-console.md Normal file
View File

@ -0,0 +1,45 @@
---
title: How to Add or Remove an Administrator by Using the Management Console (Windows 10)
description: How to Add or Remove an Administrator by Using the Management Console
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Add or Remove an Administrator by Using the Management Console
Use the following procedures to add or remove an administrator on the Microsoft Application Virtualization (App-V) server.
**To add an administrator using the Management Console**
1. Open the Microsoft Application Virtualization (App-V) Management Console and click **Administrators** in the navigation pane. The navigation pane displays a list of Access Directory (AD) users and groups that currently have administrative access to the Microsoft Application Virtualization (App-V) server.
2. To add a new administrator, click **Add Administrator** Type the name of the administrator that you want to add in the **Active Directory Name** field. Ensure you provide the associated user account domain name. For example, **Domain** \\ **UserName**.
3. Select the account that you want to add and click **Add**. The new account is displayed in the list of server administrators.
**To remove an administrator using the Management Console**
1. Open the Microsoft Application Virtualization (App-V) Management Console and click **Administrators** in the navigation pane. The navigation pane displays a list of AD users and groups that currently have administrative access to the Microsoft Application Virtualization (App-V) server.
2. Right-click the account to be removed from the list of administrators and select **Remove**.
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
 
 

54
windows/manage/appv-add-or-upgrade-packages-with-the-management-console.md Normal file
View File

@ -0,0 +1,54 @@
---
title: How to Add or Upgrade Packages by Using the Management Console (Windows 10)
description: How to Add or Upgrade Packages by Using the Management Console
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Add or Upgrade Packages by Using the Management Console
You can the following procedure to add or upgrade a package to the App-V Management Console. To upgrade a package that already exists in the Management Console, use the following steps and import the upgraded package using the same package **Name**.
**To add a package to the Management Console**
1. Click the **Packages** tab in the navigation pane of the Management Console display.
The console displays the list of packages that have been added to the server along with status information about each package. When a package is selected, detailed information about the package is displayed in the **PACKAGES** pane.
Click the **Ungrouped** drop-down list box and specify how the packages are to be displayed in the console. You can also click the associated column header to sort the packages.
2. To specify the package you want to add, click **Add or Upgrade Packages**.
3. Type the full path to the package that you want to add. Use the UNC or HTTP path format, for example **\\\\servername\\sharename\\foldername\\packagename.appv** or **http://server.1234/file.appv**, and then click **Add**.
**Important**  
You must select a package with the **.appv** file name extension.
 
4. The page displays the status message **Adding &lt;Packagename&gt;**. Click **IMPORT STATUS** to check the status of a package that you have imported.
Click **OK** to add the package and close the **Add Package** page. If there was an error during the import, click **Detail** on the **Package Import** page for more information. The newly added package is now available in the **PACKAGES** pane.
5. Click **Close** to close the **Add or Upgrade Packages** page.
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
 
 

138
windows/manage/appv-administering-appv-with-powershell.md Normal file
View File

@ -0,0 +1,138 @@
---
title: Administering App-V by Using PowerShell (Windows 10)
description: Administering App-V by Using PowerShell
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# Administering App-V by Using PowerShell
Microsoft Application Virtualization (App-V) provides Windows PowerShell cmdlets, which can help administrators perform various App-V tasks. The following sections provide more information about using PowerShell with App-V.
## How to administer App-V by using PowerShell
Use the following PowerShell procedures to perform various App-V tasks.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Name</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[How to Load the PowerShell Cmdlets and Get Cmdlet Help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md)</p></td>
<td align="left"><p>Describes how to install the PowerShell cmdlets and find cmdlet help and examples.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[How to Manage App-V Packages Running on a Stand-Alone Computer by Using PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md)</p></td>
<td align="left"><p>Describes how to manage the client package lifecycle on a stand-alone computer using PowerShell.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)</p></td>
<td align="left"><p>Describes how to manage connection groups using PowerShell.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[How to Modify Client Configuration by Using PowerShell](appv-modify-client-configuration-with-powershell.md)</p></td>
<td align="left"><p>Describes how to modify the client using PowerShell.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[How to Apply the User Configuration File by Using PowerShell](appv-apply-the-user-configuration-file-with-powershell.md)</p></td>
<td align="left"><p>Describes how to apply a user configuration file using PowerShell.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[How to Apply the Deployment Configuration File by Using PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md)</p></td>
<td align="left"><p>Describes how to apply a deployment configuration file using PowerShell.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[How to Sequence a Package by Using PowerShell](appv-sequence-a-package-with-powershell.md)</p></td>
<td align="left"><p>Describes how to create a new package using PowerShell.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[How to Create a Package Accelerator by Using PowerShell](appv-create-a-package-accelerator-with-powershell.md)</p></td>
<td align="left"><p>Describes how to create a package accelerator using PowerShell. You can use package accelerators automatically sequence large, complex applications.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[How to Enable Reporting on the App-V Client by Using PowerShell](appv-enable-reporting-on-the-appv-client-with-powershell.md)</p></td>
<td align="left"><p>Describes how to enable the computer running the App-V to send reporting information.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)</p></td>
<td align="left"><p>Describes how to take an array of account names and to convert each of them to the corresponding SID in standard and hexadecimal formats.</p></td>
</tr>
</tbody>
</table>
 
**Important**  
Make sure that any script you execute with your App-V packages matches the execution policy that you have configured for PowerShell.
 
## PowerShell Error Handling
Use the following table for information about App-V PowerShell error handling.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event</th>
<th align="left">Action</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Using the RollbackOnError attribute with embedded scripts</p></td>
<td align="left"><p>When you use the <strong>RollbackOnError</strong> attribute with embedded scripts, the attribute is ignored for the following events:</p>
<ul>
<li><p>Removing a package</p></li>
<li><p>Unpublishing a package</p></li>
<li><p>Terminating a virtual environment</p></li>
<li><p>Terminating a process</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Package name contains <strong>$</strong></p></td>
<td align="left"><p>If a package name contains the character ( <strong>$</strong> ), you must use a single-quote ( <strong></strong> ), for example,</p>
<p><strong>Add-AppvClientPackage Contoso$App.appv</strong></p></td>
</tr>
</tbody>
</table>
 
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
 
 

113
windows/manage/appv-administering-virtual-applications-with-the-management-console.md Normal file
View File

@ -0,0 +1,113 @@
---
title: Administering App-V Virtual Applications by Using the Management Console (Windows 10)
description: Administering App-V Virtual Applications by Using the Management Console
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# Administering App-V Virtual Applications by Using the Management Console
Use the Microsoft Application Virtualization (App-V) management server to manage packages, connection groups, and package access in your environment. The server publishes application icons, shortcuts, and file type associations to authorized computers that run the App-V client. One or more management servers typically share a common data store for configuration and package information.
The management server uses Active Directory Domain Services (AD DS) groups to manage user authorization and has SQL Server installed to manage the database and data store.
Because the management servers stream applications to end users on demand, these servers are ideally suited for system configurations that have reliable, high-bandwidth LANs. The management server consists of the following components:
- Management Server Use the management server to manage packages and connection groups.
- Publishing Server Use the publishing server to deploy packages to computers that run the App-V client.
- Management Database - Use the management database to manage the package access and to publish the servers synchronization with the management server.
## Management Console tasks
The most common tasks that you can perform with the App-V Management console are:
- [How to Connect to the Management Console](appv-connect-to-the-management-console.md)
- [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md)
- [How to Configure Access to Packages by Using the Management Console](appv-configure-access-to-packages-with-the-management-console.md)
- [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md)
- [How to Delete a Package in the Management Console](appv-delete-a-package-with-the-management-console.md)
- [How to Add or Remove an Administrator by Using the Management Console](appv-add-or-remove-an-administrator-with-the-management-console.md)
- [How to Register and Unregister a Publishing Server by Using the Management Console](appv-register-and-unregister-a-publishing-server-with-the-management-console.md)
- [How to Create a Custom Configuration File by Using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md)
- [How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console](appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md)
- [How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console](appv-customize-virtual-application-extensions-with-the-management-console.md)
- [How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console](appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md)
The main elements of the App-V Management Console are:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Management Console tab</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Packages tab</p></td>
<td align="left"><p>Use the <strong>PACKAGES</strong> tab to add or upgrade packages.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Connection Groups tab</p></td>
<td align="left"><p>Use the <strong>CONNECTION GROUPS</strong> tab to manage connection groups.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Servers tab</p></td>
<td align="left"><p>Use the <strong>SERVERS</strong> tab to register a new server.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Administrators tab</p></td>
<td align="left"><p>Use the <strong>ADMINISTRATORS</strong> tab to register, add, or remove administrators in your App-V environment.</p></td>
</tr>
</tbody>
</table>
 
**Important**  
JavaScript must be enabled on the browser that opens the Web Management Console.
 
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## <a href="" id="other-resources-for-this-app-v-5-1-deployment-"></a>Other resources for this App-V deployment
- [Application Virtualization (App-V) overview](appv-for-windows.md)
- [Operations for App-V](appv-operations.md)
 
 

70
windows/manage/appv-allow-administrators-to-enable-connection-groups.md Normal file
View File

@ -0,0 +1,70 @@
---
title: How to Allow Only Administrators to Enable Connection Groups (Windows 10)
description: How to Allow Only Administrators to Enable Connection Groups
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Allow Only Administrators to Enable Connection Groups
You can configure the App-V client so that only administrators (not end users) can enable or disable connection groups. In earlier versions of App-V, you could not prevent end users from performing these tasks.
**Note**  
**This feature is supported starting in App-V 5.0 SP3.**
 
Use one of the following methods to allow only administrators to enable or disable connection groups.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Method</th>
<th align="left">Steps</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Group Policy setting</p></td>
<td align="left"><p>Enable the “Require publish as administrator” Group Policy setting, which is located in the following Group Policy Object node:</p>
<p><strong>Computer Configuration &gt; Policies &gt; Administrative Templates &gt; System &gt; App-V &gt; Publishing</strong></p></td>
</tr>
<tr class="even">
<td align="left"><p>PowerShell cmdlet</p></td>
<td align="left"><p>Run the <strong>Set-AppvClientConfiguration</strong> cmdlet with the <strong>RequirePublishAsAdmin</strong> parameter.</p>
<p>Parameter values:</p>
<ul>
<li><p>0 - False</p></li>
<li><p>1 - True</p></li>
</ul>
<p><strong>Example:</strong>: Set-AppvClientConfiguration RequirePublishAsAdmin1</p></td>
</tr>
</tbody>
</table>
 
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Managing Connection Groups](appv-managing-connection-groups.md)
 
 

1291
windows/manage/appv-application-publishing-and-client-interaction.md Normal file
View File

File diff suppressed because it is too large Load Diff

48
windows/manage/appv-apply-the-deployment-configuration-file-with-powershell.md Normal file
View File

@ -0,0 +1,48 @@
---
title: How to Apply the Deployment Configuration File by Using PowerShell (Windows 10)
description: How to Apply the Deployment Configuration File by Using PowerShell
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Apply the Deployment Configuration File by Using PowerShell
The dynamic deployment configuration file is applied when a package is added or set to a computer running the App-V client before the package has been published. The file configures the default settings for package for all users on the computer running the App-V client. This section describes the steps used to use a deployment configuration file. The procedure is based on the following example and assumes the following package and configuration files exist on a computer:
**c:\\Packages\\Contoso\\MyApp.appv**
**c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml**
**To Apply the Deployment Configuration File Using PowerShell**
- To specify a new default set of configurations for all users who will run the package on a specific computer, using a PowerShell console type the following:
**Add-AppVClientPackage Path c:\\Packages\\Contoso\\MyApp.appv -DynamicDeploymentConfiguration c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml**
**Note**  
This command captures the resulting object into $pkg. If the package is already present on the computer, the **Set-AppVclientPackage** cmdlet can be used to apply the deployment configuration document:
**Set-AppVClientPackage Name Myapp Path c:\\Packages\\Contoso\\MyApp.appv -DynamicDeploymentConfiguration c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml**
 
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
 
 

45
windows/manage/appv-apply-the-user-configuration-file-with-powershell.md Normal file
View File

@ -0,0 +1,45 @@
---
title: How to Apply the User Configuration File by Using PowerShell (Windows 10)
description: How to Apply the User Configuration File by Using PowerShell
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Apply the User Configuration File by Using PowerShell
The dynamic user configuration file is applied when a package is published to a specific user and determines how the package will run.
Use the following procedure to specify a user-specific configuration file. The following procedure is based on the example:
**c:\\Packages\\Contoso\\MyApp.appv**
**To apply a user Configuration file**
1. To add the package to the computer using the PowerShell console type the following command:
**Add-AppVClientPackage c:\\Packages\\Contoso\\MyApp.appv**.
2. Use the following command to publish the package to the user and specify the updated the dynamic user configuration file:
**Publish-AppVClientPackage $pkg DynamicUserConfigurationPath c:\\Packages\\Contoso\\config.xml**
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
 
 

958
windows/manage/appv-capacity-planning.md Normal file
View File

@ -0,0 +1,958 @@
---
title: App-V Capacity Planning (Windows 10)
description: App-V Capacity Planning
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# App-V Capacity Planning
The following recommendations can be used as a baseline to help determine capacity planning information that is appropriate to your organizations App-V infrastructure.
**Important**  
Use the information in this section only as a general guide for planning your App-V deployment. Your system capacity requirements will depend on the specific details of your hardware and application environment. Additionally, the performance numbers displayed in this document are examples and your results may vary.
 
## Determine the Project Scope
Before you design the App-V infrastructure, you must determine the projects scope. The scope consists of determining which applications will be available virtually and to also identify the target users, and their locations. This information will help determine what type of App-V infrastructure should be implemented. Decisions about the scope of the project must be based on the specific needs of your organization.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Task</th>
<th align="left">More Information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Determine Application Scope</p></td>
<td align="left"><p>Depending on the applications to be virtualized, the App-V infrastructure can be set up in different ways. The first task is to define what applications you want to virtualize.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Determine Location Scope</p></td>
<td align="left"><p>Location scope refers to the physical locations (for example, enterprise-wide or a specific geographic location) where you plan to run the virtualized applications. It can also refer to the user population (for example, a single department) who will run the virtual applications. You should obtain a network map that includes the connection paths as well as available bandwidth to each location and the number of users using virtualized applications and the WAN link speed.</p></td>
</tr>
</tbody>
</table>
 
## Determine Which App-V Infrastructure is Required
**Important**  
Both of the following models require the App-V client to be installed on the computer where you plan to run virtual applications.
You can also manage your App-V environment using an Electronic Software Distribution (ESD) solution such as Microsoft Systems Center Configuration Manager. For more information see [How to deploy App-V Packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md).
 
- **Standalone Model** - The standalone model allows virtual applications to be Windows Installer-enabled for distribution without streaming. App-V in Standalone Mode consists of the sequencer and the client; no additional components are required. Applications are prepared for virtualization using a process called sequencing. For more information see, [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md). The stand-alone model is recommended for the following scenarios:
- With disconnected remote users who cannot connect to the App-V infrastructure.
- When you are running a software management system, such as Configuration Manager 2012.
- When network bandwidth limitations inhibit electronic software distribution.
- **Full Infrastructure Model** - The full infrastructure model provides for software distribution, management, and reporting capabilities; it also includes the streaming of applications across the network. The App-V Full Infrastructure Model consists of one or more App-V management servers. The Management Server can be used to publish applications to all clients. The publishing process places the virtual application icons and shortcuts on the target computer. It can also stream applications to local users. For more information about installing the management server see, [Planning for the App-V Server Deployment](appv-planning-for-appv-server-deployment.md). The full infrastructure model is recommended for the following scenarios:
**Important**  
The App-V full infrastructure model requires Microsoft SQL Server to store configuration data. For more information see [App-V Supported Configurations](appv-supported-configurations.md).
 
- When you want to use the Management Server to publish the application to target computers.
- For rapid provisioning of applications to target computers.
- When you want to use App-V reporting.
## End-to-end Server Sizing Guidance
The following section provides information about end-to-end App-V sizing and planning. For more specific information, refer to the subsequent sections.
**Note**  
Round trip response time on the client is the time taken by the computer running the App-V client to receive a successful notification from the publishing server. Round trip response time on the publishing server is the time taken by the computer running the publishing server to receive a successful package metadata update from the management server.
 
- 20,000 clients can target a single publishing server to obtain the package refreshes in an acceptable round trip time. (&lt;3 seconds)
- A single management server can support up to 50 publishing servers for package metadata refreshes in an acceptable round trip time. (&lt;5 seconds)
## <a href="" id="---------app-v-5-1-management-server-capacity-planning-recommendations"></a> App-V Management Server Capacity Planning Recommendations
The App-V publishing servers require the management server for package refresh requests and package refresh responses. The management server then sends the information to the management database to retrieve information. For more information about App-V management server supported configurations see [App-V Supported Configurations](appv-supported-configurations.md).
**Note**  
The default refresh time on the App-V publishing server is ten minutes.
 
When multiple simultaneous publishing servers contact a single management server for package metadata refreshes, the following three factors influence the round trip response time on the publishing server:
1. Number of publishing servers making simultaneous requests.
2. Number of connection groups configured on the management server.
3. Number of access groups configured on the management server.
The following table displays more information about each factor that impacts round trip time.
**Note**  
Round trip response time is the time taken by the computer running the App-V publishing server to receive a successful package metadata update from the management server.
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Factors impacting round trip response time</th>
<th align="left">More Information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>The number of publishing servers simultaneously requesting package metadata refreshes.</p></td>
<td align="left"><p></p>
<ul>
<li><p>A single management server can respond to up to 320 publishing servers requesting publishing metadata simultaneously.</p></li>
<li><p>Round trip response time for 320 pub servers is ~40 seconds.</p></li>
<li><p>For &lt;50 publishing servers requesting metadata simultaneously, the round trip response time is &lt;5 seconds.</p></li>
<li><p>From 50 to 320 publishing servers, the response time increases linearly (approximately 2x).</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>The number of connection groups configured on the management server.</p>
<p></p></td>
<td align="left"><p></p>
<ul>
<li><p>For up to 100 connection groups, there is no significant change in the round trip response time on the publishing server.</p></li>
<li><p>For 100 - 400 connection groups, there is a minor linear increase in the round trip response time.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>The number of access groups configured on the management server.</p>
<p></p></td>
<td align="left"><p></p>
<ul>
<li><p>For up to 40 access groups, there is a linear (approximately 3x) increase in the round trip response time on the publishing server.</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
The following table displays sample values for each of the previous factors. In each variation, 120 packages are refreshed from the App-Vmanagement server.
<table>
<colgroup>
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Scenario</th>
<th align="left">Variation</th>
<th align="left">Number of connection groups</th>
<th align="left">Number of access groups</th>
<th align="left">Number of publishing servers</th>
<th align="left">Network connection type publishing server / management server</th>
<th align="left">Round trip response time on the publishing server (in seconds)</th>
<th align="left">CPU utilization on management server</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Publishing servers simultaneously contacting management server for publishing metadata.</p></td>
<td align="left"><p>Number of publishing servers</p></td>
<td align="left"><p></p>
<ul>
<li><p>0</p></li>
<li><p>0</p></li>
<li><p>0</p></li>
<li><p>0</p></li>
<li><p>0</p></li>
<li><p>0</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>1</p></li>
<li><p>1</p></li>
<li><p>1</p></li>
<li><p>1</p></li>
<li><p>1</p></li>
<li><p>1</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>50</p></li>
<li><p>100</p></li>
<li><p>200</p></li>
<li><p>300</p></li>
<li><p>315</p></li>
<li><p>320</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>5</p></li>
<li><p>10</p></li>
<li><p>19</p></li>
<li><p>32</p></li>
<li><p>30</p></li>
<li><p>37</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>17</p></li>
<li><p>17</p></li>
<li><p>17</p></li>
<li><p>15</p></li>
<li><p>17</p></li>
<li><p>15</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Publishing metadata contains connection groups</p></td>
<td align="left"><p>Number of connection groups</p></td>
<td align="left"><p></p>
<ul>
<li><p>10</p></li>
<li><p>50</p></li>
<li><p>100</p></li>
<li><p>150</p></li>
<li><p>300</p></li>
<li><p>400</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>1</p></li>
<li><p>1</p></li>
<li><p>1</p></li>
<li><p>1</p></li>
<li><p>1</p></li>
<li><p>1</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>100</p></li>
<li><p>100</p></li>
<li><p>100</p></li>
<li><p>100</p></li>
<li><p>100</p></li>
<li><p>100</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>10</p></li>
<li><p>11</p></li>
<li><p>11</p></li>
<li><p>16</p></li>
<li><p>22</p></li>
<li><p>25</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>17</p></li>
<li><p>19</p></li>
<li><p>22</p></li>
<li><p>19</p></li>
<li><p>20</p></li>
<li><p>20</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>Publishing metadata contains access groups</p></td>
<td align="left"><p>Number of access groups</p></td>
<td align="left"><p></p>
<ul>
<li><p>0</p></li>
<li><p>0</p></li>
<li><p>0</p></li>
<li><p>0</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>1</p></li>
<li><p>10</p></li>
<li><p>20</p></li>
<li><p>40</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>100</p></li>
<li><p>100</p></li>
<li><p>100</p></li>
<li><p>100</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>10</p></li>
<li><p>43</p></li>
<li><p>153</p></li>
<li><p>535</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>17</p></li>
<li><p>26</p></li>
<li><p>24</p></li>
<li><p>24</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
The CPU utilization of the computer running the management server is around 25% irrespective of the number of publishing servers targeting it. The Microsoft SQL Server database transactions/sec, batch requests/sec and user connections are identical irrespective of the number of publishing servers. For example: Transactions/sec is ~30, batch requests ~200, and user connects ~6.
Using a geographically distributed deployment, where the management server & publishing servers utilize a slow link network between them, the round trip response time on the publishing servers is within acceptable time limits (&lt;5 seconds), even for 100 simultaneous requests on a single management server.
<table>
<colgroup>
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Scenario</th>
<th align="left">Variation</th>
<th align="left">Number of connection groups</th>
<th align="left">Number of access groups</th>
<th align="left">Number of publishing servers</th>
<th align="left">Network connection type publishing server / management server</th>
<th align="left">Round trip response time on the publishing server (in seconds)</th>
<th align="left">CPU utilization on management server</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Network connection between the publishing server and management server</p></td>
<td align="left"><p>1.5 Mbps Slow link Network</p></td>
<td align="left"><p></p>
<ul>
<li><p>0</p></li>
<li><p>0</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>1</p></li>
<li><p>1</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>50</p></li>
<li><p>100</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>1.5Mbps Cable DSL</p></li>
<li><p>1.5Mbps Cable DSL</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>4</p></li>
<li><p>5</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>1</p></li>
<li><p>2</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Network connection between the publishing server and management server</p></td>
<td align="left"><p>LAN / WIFI Network</p></td>
<td align="left"><p></p>
<ul>
<li><p>0</p></li>
<li><p>0</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>1</p></li>
<li><p>1</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>100</p></li>
<li><p>200</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>Wifi</p></li>
<li><p>Wifi</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>11</p></li>
<li><p>20</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>15</p></li>
<li><p>17</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
Whether the management server and publishing servers are connected over a slow link network, or a high speed network, the management server can handle approximately 15,000 package refresh requests in 30 minutes.
## <a href="" id="---------app-v-5-1-reporting-server-capacity-planning-recommendations"></a> App-V Reporting Server Capacity Planning Recommendations
App-V clients send reporting data to the reporting server. The reporting server then records the information in the Microsoft SQL Server database and returns a successful notification back to the computer running App-V client. For more information about App-V Reporting Server supported configurations see [App-V Supported Configurations](appv-supported-configurations.md).
**Note**  
Round trip response time is the time taken by the computer running the App-V client to send the reporting information to the reporting server and receive a successful notification from the reporting server.
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Scenario</th>
<th align="left">Summary</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Multiple App-V clients send reporting information to the reporting server simultaneously.</p></td>
<td align="left"><p></p>
<ul>
<li><p>Round trip response time from the reporting server is 2.6 seconds for 500 clients.</p></li>
<li><p>Round trip response time from the reporting server is 5.65 seconds for 1000 clients.</p></li>
<li><p>Round trip response time increases linearly depending on number of clients.</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Requests per second processed by the reporting server.</p>
<p></p></td>
<td align="left"><p></p>
<ul>
<li><p>A single reporting server and a single database, can process a maximum of 139 requests per second. The average is 121 requests/second.</p></li>
<li><p>Using two reporting servers reporting to the same Microsoft SQL Server database, the average requests/second is similar to a single reporting server = ~127, with a max of 278 requests/second.</p></li>
<li><p>A single reporting server can process 500 concurrent/active connections.</p></li>
<li><p>A single reporting server can process a maximum 1500 concurrent connections.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>Reporting Database.</p>
<p></p></td>
<td align="left"><p></p>
<ul>
<li><p>Lock contention on the computer running Microsoft SQL Server is the limiting factor for requests/second.</p></li>
<li><p>Throughput and response time are independent of database size.</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
**Calculating random delay**:
The random delay specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between **0** and **ReportingRandomDelay** and will wait the specified duration before sending data.
Random delay = 4 \* number of clients / average requests per second.
Example: For 500 clients, with 120 requests per second, the Random delay is, 4 \* 500 / 120 = ~17 minutes.
## <a href="" id="---------app-v-5-1-publishing-server-capacity-planning-recommendations"></a> App-V Publishing Server Capacity Planning Recommendations
Computers running the App-V client connect to the App-V publishing server to send a publishing refresh request and to receive a response. Round trip response time is measured on the computer running the App-V client. Processor time is measured on the publishing server. For more information about App-V Publishing Server supported configurations see [App-V Supported Configurations](appv-supported-configurations.md).
**Important**  
The following list displays the main factors to consider when setting up the App-V publishing server:
- The number of clients connecting simultaneously to a single publishing server.
- The number of packages in each refresh.
- The available network bandwidth in your environment between the client and the App-V publishing server.
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Scenario</th>
<th align="left">Summary</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Multiple App-V clients connect to a single publishing server simultaneously.</p></td>
<td align="left"><p></p>
<ul>
<li><p>A publishing server running dual core processors can respond to at most 5000 clients requesting a refresh simultaneously.</p></li>
<li><p>For 5000-10000 clients, the publishing server requires a minimum quad core.</p></li>
<li><p>For 10000-20000 clients, the publishing server should have dual quad cores for more efficient response times.</p></li>
<li><p>A publishing server with a quad core can refresh up to 10000 packages within 3 seconds. (Supporting 10000 simultaneous clients)</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Number of packages in each refresh.</p>
<p></p></td>
<td align="left"><p></p>
<ul>
<li><p>Increasing number of packages will increase response time by ~40% (up to 1000 packages).</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>Network between the App-V client and the publishing server.</p>
<p></p></td>
<td align="left"><p></p>
<ul>
<li><p>Across a slow network (1.5 Mbps bandwidth), there is a 97% increase in response time compared to LAN (up to 1000 users).</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
**Note**  
The publishing server CPU usage is always high during the time interval when it has to process simultaneous requests (&gt;90% in most cases). The publishing server can handle ~1500 client requests in 1 second.
 
<table>
<colgroup>
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
<col width="12%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Scenario</th>
<th align="left">Variation</th>
<th align="left">Number of App-V clients</th>
<th align="left">Number of packages</th>
<th align="left">Processor configuration on the publishing server</th>
<th align="left">Network connection type publishing server / App-V client</th>
<th align="left">Round trip time on the App-V client (in seconds)</th>
<th align="left">CPU utilization on publishing server (in %)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>App-V client sends publishing refresh request &amp; receives response, each request containing 120 packages</p></td>
<td align="left"><p>Number of clients</p></td>
<td align="left"><p></p>
<ul>
<li><p>100</p></li>
<li><p>1000</p></li>
<li><p>5000</p></li>
<li><p>10000</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>120</p></li>
<li><p>120</p></li>
<li><p>120</p></li>
<li><p>120</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>Dual Core</p></li>
<li><p>Dual Core</p></li>
<li><p>Quad Core</p></li>
<li><p>Quad Core</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>1</p></li>
<li><p>2</p></li>
<li><p>2</p></li>
<li><p>3</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>100</p></li>
<li><p>99</p></li>
<li><p>89</p></li>
<li><p>77</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Multiple packages in each refresh</p></td>
<td align="left"><p>Number of packages</p></td>
<td align="left"><p></p>
<ul>
<li><p>1000</p></li>
<li><p>1000</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>500</p></li>
<li><p>1000</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>Quad Core</p></li>
<li><p>Quad Core</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>2</p></li>
<li><p>3</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>92</p></li>
<li><p>91</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>Network between client and publishing server</p></td>
<td align="left"><p>1.5 Mbps Slow link network</p></td>
<td align="left"><p></p>
<ul>
<li><p>100</p></li>
<li><p>500</p></li>
<li><p>1000</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>120</p></li>
<li><p>120</p></li>
<li><p>120</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>Quad Core</p></li>
<li><p>Quad Core</p></li>
<li><p>Quad Core</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>1.5 Mbps Intra-Continental Network</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>3</p></li>
<li><p>10 (with 0.2% failure rate)</p></li>
<li><p>17 (with 1% failure rate)</p></li>
</ul></td>
<td align="left"><p></p></td>
</tr>
</tbody>
</table>
 
## <a href="" id="---------app-v-5-1-streaming-capacity-planning-recommendations"></a> App-V Streaming Capacity Planning Recommendations
Computers running the App-V client stream the virtual application package from the streaming server. Round trip response time is measured on the computer running the App-V client, and is the time taken to stream the entire package.
**Important**  
The following list identifies the main factors to consider when setting up the App-V streaming server:
- The number of clients streaming application packages simultaneously from a single streaming server.
- The size of the package being streamed.
- The available network bandwidth in your environment between the client and the streaming server.
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Scenario</th>
<th align="left">Summary</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Multiple App-V clients stream applications from a single streaming server simultaneously.</p></td>
<td align="left"><p></p>
<ul>
<li><p>If the number of clients simultaneously streaming from the same server increases, there is a linear relationship with the package download/streaming time.</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Size of the package being streamed.</p>
<p></p></td>
<td align="left"><p></p>
<ul>
<li><p>The package size has a significant impact on the streaming/download time only for larger packages with a size ~ 1GB. For package sizes ranging from 3 MB to 100 MB, the streaming time ranges from 20 seconds to 100 seconds, with 100 simultaneous clients.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>Network between the App-V client and the streaming server.</p>
<p></p></td>
<td align="left"><p></p>
<ul>
<li><p>Across a slow network (1.5 Mbps bandwidth), there is a 70-80% increase in response time compared to LAN (up to 100 users).</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
The following table displays sample values for each of the factors in the previous list:
<table style="width:100%;">
<colgroup>
<col width="16%" />
<col width="16%" />
<col width="16%" />
<col width="16%" />
<col width="16%" />
<col width="16%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Scenario</th>
<th align="left">Variation</th>
<th align="left">Number of App-V clients</th>
<th align="left">Size of each package</th>
<th align="left">Network connection type streaming server / App-V client</th>
<th align="left">Round trip time on the App-V client (in seconds)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Multiple App-V clients streaming virtual application packages from a streaming server.</p></td>
<td align="left"><p>Number of clients.</p></td>
<td align="left"><p></p>
<ul>
<li><p>100</p></li>
<li><p>200</p></li>
<li><p>1000</p></li>
<li><p></p></li>
<li><p>100</p></li>
<li><p>200</p></li>
<li><p>1000</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>3.5 MB</p></li>
<li><p>3.5 MB</p></li>
<li><p>3.5 MB</p></li>
<li><p></p></li>
<li><p>5 MB</p></li>
<li><p>5 MB</p></li>
<li><p>5 MB</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p></p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>29</p></li>
<li><p>39</p></li>
<li><p>391</p></li>
<li><p></p></li>
<li><p>35</p></li>
<li><p>68</p></li>
<li><p>461</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Size of each package being streamed.</p></td>
<td align="left"><p>Size of each package.</p></td>
<td align="left"><p></p>
<ul>
<li><p>100</p></li>
<li><p>200</p></li>
<li><p></p></li>
<li><p>100</p></li>
<li><p>200</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>21 MB</p></li>
<li><p>21 MB</p></li>
<li><p></p></li>
<li><p>109</p></li>
<li><p>109</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
<li><p></p></li>
<li><p>LAN</p></li>
<li><p>LAN</p></li>
</ul></td>
<td align="left"><p></p>
<p>33</p>
<p>83</p>
<p></p>
<p>100</p>
<p>160</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Network connection between client and App-V streaming server.</p></td>
<td align="left"><p>1.5 Mbps Slow link network.</p></td>
<td align="left"><p></p>
<ul>
<li><p>100</p></li>
<li><p></p></li>
<li><p>100</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>3.5 MB</p></li>
<li><p></p></li>
<li><p>5 MB</p></li>
</ul></td>
<td align="left"><p></p>
<ul>
<li><p>1.5 Mbps Intra-Continental Network</p></li>
</ul></td>
<td align="left"><p></p>
<p>102</p>
<p></p>
<p>121</p></td>
</tr>
</tbody>
</table>
 
Each App-V streaming server should be able to handle a minimum of 200 clients concurrently streaming virtualized applications.
**Note**  
The actual time to it will take to stream is determined primarily by the number of clients streaming simultaneously, number of packages, package size, the servers network activity, and network conditions.
 
For example, an average user can stream a 100 MB package in less than 2 minutes, when 100 simultaneous clients are streaming from the server. However, a package of size 1 GB could take up to 30 minutes. In most real world environments streaming demand is not uniformly distributed, you will need to understand the approximate peak streaming requirements present in your environment in order to properly size the number of required streaming servers.
The number of clients a streaming server can support can be significantly increased and the peak streaming requirements reduced if you pre-cache your applications. You can also increase the number of clients a streaming server can support by using on-demand streaming delivery and stream optimized packages.
## Combining App-V Server Roles
Discounting scaling and fault-tolerance requirements, the minimum number of servers needed for a location with connectivity to Active Directory is one. This server will host the management server, management server service, and Microsoft SQL Server roles. Server roles, therefore, can be arranged in any desired combination since they do not conflict with one another.
Ignoring scaling requirements, the minimum number of servers necessary to provide a fault-tolerant implementation is four. The management server, and Microsoft SQL Server roles support being placed in fault-tolerant configurations. The management server service can be combined with any of the roles, but remains a single point of failure.
Although there are a number of fault-tolerance strategies and technologies available, not all are applicable to a given service. Additionally, if App-V roles are combined, certain fault-tolerance options may no longer apply due to incompatibilities.
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[App-V Supported Configurations](appv-supported-configurations.md)
[Planning for High Availability with App-V](appv-planning-for-high-availability-with-appv.md)
[Planning to Deploy App-V](appv-planning-to-deploy-appv.md)
 
 

113
windows/manage/appv-client-configuration-settings.md Normal file
View File

@ -0,0 +1,113 @@
---
title: About Client Configuration Settings (Windows 10)
description: About Client Configuration Settings
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# About Client Configuration Settings
The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. You can gather some useful information about the client if you understand the format of data in the registry. You can also configure many client actions by changing registry entries. This topic lists the App-V Client configuration settings and explains their uses. You can use PowerShell to modify the client configuration settings. For more information about using PowerShell and App-V see [Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md).
## App-V Client Configuration Settings: Windows PowerShell
The following table provides information about App-V client configuration settings that can be configured through Windows PowerShell cmdlets:
| **Name of option in Windows PowerShell**<br>Type | Description | Cmdlet or cmdlets for setting | Disabled Policy State Keys and Values |
|------------|------------|------------|------------|
| **PackageInstallationRoot**<br>String | Specifies directory where all new applications and updates will be installed. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **PackageSourceRoot**<br>String | Overrides source location for downloading package content. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **AllowHighCostLaunch**<br>True (enabled); False (Disabled state) | This setting controls whether virtualized applications are launched on Windows 10 machines connected via a metered network connection (For example, 4G). | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | 0 |
| **ReestablishmentRetries**<br>Integer (0-99) | Specifies the number of times to retry a dropped session. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **ReestablishmentInterval**<br>Integer (0-3600) | Specifies the number of seconds between attempts to reestablish a dropped session. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **LocationProvider**<br>String | Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **CertFilterForClientSsl**<br>String | Specifies the path to a valid certificate in the certificate store. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **VerifyCertificateRevocationList**<br>True(enabled); False(Disabled state) | Verifies Server certificate revocation status before steaming using HTTPS. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | 0 |
| **SharedContentStoreMode**<br>True(enabled); False(Disabled state) | Specifies that streamed package contents will be not be saved to the local hard disk. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | 0 |
| **Name**<br>String | Displays the name of publishing server. | Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **URL**<br>String | Displays the URL of publishing server. | Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **GlobalRefreshEnabled**<br>True(enabled); False(Disabled state) | Enables global publishing refresh (Boolean) | Set-AppvPublishingServer | False |
| **GlobalRefreshOnLogon**<br>True(enabled); False(Disabled state) | Triggers a global publishing refresh on logon. ( Boolean) | Set-AppvPublishingServer | False |
| **GlobalRefreshInterval**<br>Integer (0-744) | Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. | Set-AppvPublishingServer | 0 |
| **GlobalRefreshIntervalUnit** <br>0 for hour, 1 for day | Specifies the interval unit (Hour 0-23, Day 0-31). | Set-AppvPublishingServer | 1 |
| **UserRefreshEnabled**<br>True(enabled); False(Disabled state) | Enables user publishing refresh (Boolean) | Set-AppvPublishingServer | False |
| **UserRefreshOnLogon**<br>True(enabled); False(Disabled state) | Triggers a user publishing refresh onlogon. ( Boolean)Word count (with spaces): 60 | Set-AppvPublishingServer | False |
| **UserRefreshInterval**<br>Word count (with spaces): 85Integer (0-744 Hours) | Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. | Set-AppvPublishingServer | 0 |
| **UserRefreshIntervalUnit**<br>0 for hour, 1 for day | Specifies the interval unit (Hour 0-23, Day 0-31). | Set-AppvPublishingServer | 1 |
| **MigrationMode**<br>True(enabled state); False (disabled state) | Migration mode allows the App-V client to modify shortcuts and FTAs for packages created using a previous version of App-V. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | |
| **EnablePackageScripts**<br>True(enabled); False(Disabled state) | Enables scripts defined in the package manifest of configuration files that should run. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | |
| **RoamingFileExclusions**<br>String | Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /ROAMINGFILEEXCLUSIONS='desktop;my pictures' | Set-AppvClientConfiguration | |
| **RoamingRegistryExclusions**<br>String | Specifies the registry paths that do not roam with a user profile. Example usage: /ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **IntegrationRootUser**<br>String | Specifies the location to create symbolic links associated with the current version of a per-user published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %localappdata%\\Microsoft\\AppV\\Client\\Integration. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **IntegrationRootGlobal**<br>String | Specifies the location to create symbolic links associated with the current version of a globally published package. all virtual application extensions, for example shortcuts and file type associations, will point to this path. If you do not specify a path, symbolic links will not be used when you publish the package. For example: %allusersprofile%\\Microsoft\\AppV\\Client\\Integration | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **VirtualizableExtensions**<br>String | A comma -delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment. When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application that is associated with the extension point is locally installed. If the extension is located, the **RunVirtual** command line parameter will be added, and the application will run virtually. For more information about the **RunVirtual** parameter, see [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](https://microsoft.sharepoint.com/teams/osg_core_dcp/cpub/partner/Shared%20Documents/APPV&UEV-for-Windows-RS1/App-V/App-V%20updated%20topics%20from%20JAN%20-%20PM%20reviews/appv-running-locally-installed-applications-inside-a-virtual-environment.md). | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written |
| **ReportingEnabled**<br>True (enabled); False (Disabled state) | Enables the client to return information to a reporting server. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | False |
| **ReportingServerURL**<br>String | Specifies the location on the reporting server where client information is saved. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **ReportingDataCacheLimit**<br>Integer \[0-1024\] | Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. Set between 0 and 1024. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **ReportingDataBlockSize**<br>Integer \[1024 - Unlimited\] | Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **ReportingStartTime**<br>Integer (0 23) | Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0-23 corresponding to the hour of the day. By default the **ReportingStartTime** will start on the current day at 10 P.M.or 22.<br>**Note** You should configure this setting to a time when computers running the App-V client are least likely to be offline. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **ReportingInterval**<br>Integer | Specifies the retry interval that the client will use to resend data to the reporting server. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **ReportingRandomDelay**<br>Integer \[0 - ReportingRandomDelay\] | Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and **ReportingRandomDelay** and will wait the specified duration before sending data. This can help to prevent collisions on the server. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Policy value not written (same as Not Configured) |
| **EnableDynamicVirtualization<br>**1 (Enabled), 0 (Disabled) | Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | |
| **EnablePublishingRefreshUI**<br>1 (Enabled), 0 (Disabled) | Enables the publishing refresh progress bar for the computer running the App-V Client. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | |
| **HidePublishingRefreshUI**<br>1 (Enabled), 0 (Disabled) | Hides the publishing refresh progress bar. | Sync-AppvPublishingServer | |
| **ProcessesUsingVirtualComponents**<br>String | Specifies a list of process paths (that may contain wildcards), which are candidates for using dynamic virtualization (supported shell extensions, browser helper objects, and ActiveX controls). Only processes whose full path matches one of these items can use dynamic virtualization. | Set-AppvClientConfiguration,<br>Set-AppvPublishingServer | Empty string. |
## App-V Client Configuration Settings: Setup Flags and Registry Keys
The following table provides information about App-V client configuration settings that can be configured through setup flags or in the registry:
| **Setting name**<br>Type | Setup Flag | Registry Key Value | Disabled Policy State Keys and Values |
|--------------------------------------------------------------------------------|---------------------------|-------------------------------------------------------------------------|---------------------------------------------------|
| **PackageInstallationRoot**<br>String | PACKAGEINSTALLATIONROOT | Streaming\\PackageInstallationRoot | Policy value not written (same as Not Configured) |
| **PackageSourceRoot**<br>String | PACKAGESOURCEROOT | Streaming\\PackageSourceRoot | Policy value not written (same as Not Configured) |
| **AllowHighCostLaunch**<br>True (enabled); False (Disabled state) | Not available. | Streaming\\AllowHighCostLaunch | 0 |
| **ReestablishmentRetries**<br>Integer (0-99) | Not available. | Streaming\\ReestablishmentRetries | Policy value not written (same as Not Configured) |
| **ReestablishmentInterval**<br>Integer (0-3600) | Not available. | Streaming\\ReestablishmentInterval | Policy value not written (same as Not Configured) |
| **LocationProvider**<br>String | Not available. | Streaming\\LocationProvider | Policy value not written (same as Not Configured) |
| **CertFilterForClientSsl**<br>String | Not available. | Streaming\\CertFilterForClientSsl | Policy value not written (same as Not Configured) |
| **VerifyCertificateRevocationList**<br>True(enabled); False(Disabled state) | Not available. | Streaming\\VerifyCertificateRevocationList | 0 |
| **SharedContentStoreMode**<br>True(enabled); False(Disabled state) | SHAREDCONTENTSTOREMODE | Streaming\\SharedContentStoreMode | 0 |
| **Name**<br>String | PUBLISHINGSERVERNAME | Publishing\\Servers{serverId}\\FriendlyName | Policy value not written (same as Not Configured) |
| **URL**<br>String | PUBLISHINGSERVERURL | Publishing\\Servers{serverId}\\URL | Policy value not written (same as Not Configured) |
| **GlobalRefreshEnabled**<br>True(enabled); False(Disabled state) | GLOBALREFRESHENABLED | Publishing\\Servers{serverId}\\GlobalEnabled | False |
| **GlobalRefreshOnLogon**<br>True(enabled); False(Disabled state) | GLOBALREFRESHONLOGON | Publishing\\Servers{serverId}\\GlobalLogonRefresh | False |
| **GlobalRefreshInterval**<br>Integer (0-744) | GLOBALREFRESHINTERVAL | Publishing\\Servers{serverId}\\GlobalPeriodicRefreshInterval | 0 |
| **GlobalRefreshIntervalUnit** <br>0 for hour, 1 for day | GLOBALREFRESHINTERVALUNI | Publishing\\Servers{serverId}\\GlobalPeriodicRefreshIntervalUnit | 1 |
| **UserRefreshEnabled**<br>True(enabled); False(Disabled state) | USERREFRESHENABLED | Publishing\\Servers{serverId}\\UserEnabled | False |
| **UserRefreshOnLogon**<br>True(enabled); False(Disabled state) | USERREFRESHONLOGON | Publishing\\Servers{serverId}\\UserLogonRefresh | False |
| **UserRefreshInterval**<br>Word count (with spaces): 85Integer (0-744 Hours) | USERREFRESHINTERVAL | Publishing\\Servers{serverId}\\UserPeriodicRefreshInterval | 0 |
| **UserRefreshIntervalUnit**<br>0 for hour, 1 for day | USERREFRESHINTERVALUNIT | Publishing\\Servers{serverId}\\UserPeriodicRefreshIntervalUnit | 1 |
| **MigrationMode**<br>True(enabled state); False (disabled state) | MIGRATIONMODE | Coexistence\\MigrationMode | |
| **EnablePackageScripts**<br>True(enabled); False(Disabled state) | ENABLEPACKAGESCRIPTS | \\Scripting\\EnablePackageScripts | |
| **RoamingFileExclusions**<br>String | ROAMINGFILEEXCLUSIONS | | |
| **RoamingRegistryExclusions**<br>String | ROAMINGREGISTRYEXCLUSIONS | Integration\\RoamingReglstryExclusions | Policy value not written (same as Not Configured) |
| **IntegrationRootUser**<br>String | Not available. | Integration\\IntegrationRootUser | Policy value not written (same as Not Configured) |
| **IntegrationRootGlobal**<br>String | Not available. | Integration\\IntegrationRootGlobal | Policy value not written (same as Not Configured) |
| **VirtualizableExtensions**<br>String | Not available. | Integration\\VirtualizableExtensions | Policy value not written |
| **ReportingEnabled**<br>True (enabled); False (Disabled state) | Not available. | Reporting\\EnableReporting | False |
| **ReportingServerURL**<br>String | Not available. | Reporting\\ReportingServer | Policy value not written (same as Not Configured) |
| **ReportingDataCacheLimit**<br>Integer \[0-1024\] | Not available. | Reporting\\DataCacheLimit | Policy value not written (same as Not Configured) |
| **ReportingDataBlockSize**<br>Integer \[1024 - Unlimited\] | Not available. | Reporting\\DataBlockSize | Policy value not written (same as Not Configured) |
| **ReportingStartTime**<br>Integer (0 23) | Not available. | Reporting\\ StartTime | Policy value not written (same as Not Configured) |
| **ReportingInterval**<br>Integer | Not available. | Reporting\\RetryInterval | Policy value not written (same as Not Configured) |
| **ReportingRandomDelay**<br>Integer \[0 - ReportingRandomDelay\] | Not available. | Reporting\\RandomDelay | Policy value not written (same as Not Configured) |
| **EnableDynamicVirtualization<br>**1 (Enabled), 0 (Disabled) | Not available. | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\AppV\\Client\\Virtualization | |
| **EnablePublishingRefreshUI**<br>1 (Enabled), 0 (Disabled) | Not available. | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\AppV\\Client\\Publishing | |
| **HidePublishingRefreshUI**<br>1 (Enabled), 0 (Disabled) | Not available. | | |
| **ProcessesUsingVirtualComponents**<br>String | Not available. | Virtualization\\ProcessesUsingVirtualComponents | Empty string. |
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Deploying the App-V Sequencer and Client](appv-deploying-the-appv-sequencer-and-client.md)
[How to Modify App-V Client Configuration Using the ADMX Template and Group Policy](appv-modify-client-configuration-with-the-admx-template-and-group-policy.md)

72
windows/manage/appv-configure-access-to-packages-with-the-management-console.md Normal file
View File

@ -0,0 +1,72 @@
---
title: How to Configure Access to Packages by Using the Management Console (Windows 10)
description: How to Configure Access to Packages by Using the Management Console
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Configure Access to Packages by Using the Management Console
Before you deploy an App-V virtualized package, you must configure the Active Directory Domain Services (AD DS) security groups that will be allowed to access and run the applications. The security groups may contain computers or users. Entitling a package to a computer group publishes the package globally to all computers in the group.
Use the following procedure to configure access to virtualized packages.
**To grant access to an App-V package**
1. Find the package you want to configure:
1. Open the App-V Management console.
2. To display the **AD ACCESS** page, right-click the package to be configured, and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane.
2. Provision a security group for the package:
1. Go to the **FIND VALID ACTIVE DIRECTORY NAMES AND GRANT ACCESS** page.
2. Using the format **mydomain** \\ **groupname**, type the name or part of the name of an Active Directory group object, and click **Check**.
**Note**  
Ensure that you provide an associated domain name for the group that you are searching for.
 
3. To grant access to the package, select the desired group and click **Grant Access**. The newly added group is displayed in the **AD ENTITIES WITH ACCESS** pane.
4.
To accept the default configuration settings and close the **AD ACCESS** page, click **Close**.
To customize configurations for a specific group, click the **ASSIGNED CONFIGURATIONS** drop-down and select **Custom**. To configure the custom configurations, click **EDIT**. After you grant access, click **Close**.
**To remove access to an App-V package**
1. Find the package you want to configure:
1. Open the App-V Management console.
2. To display the **AD ACCESS** page, right-click the package to be configured, and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane.
2. Select the group you want to remove, and click **DELETE**.
3. To close the **AD ACCESS** page, click **Close**.
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
 
 

104
windows/manage/appv-configure-connection-groups-to-ignore-the-package-version.md Normal file
View File

@ -0,0 +1,104 @@
---
title: How to Make a Connection Group Ignore the Package Version (Windows 10)
description: How to Make a Connection Group Ignore the Package Version
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Make a Connection Group Ignore the Package Version
Microsoft Application Virtualization (App-V) lets you configure a connection group to use any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.
To upgrade a package in some earlier versions of App-V, you had to perform several steps, including disabling the connection group and modifying the connection groups XML definition file.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Task description with App-V</th>
<th align="left">How to perform the task with App-V</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>You can configure a connection group to accept any version of a package, which enables you to upgrade the package without having to disable the connection group.</p>
<p><strong>How the feature works:</strong></p>
<ul>
<li><p>If the connection group has access to multiple versions of a package, the latest version is used.</p></li>
<li><p>If the connection group contains an optional package that has an incorrect version, the package is ignored and wont block the connection groups virtual environment from being created.</p></li>
<li><p>If the connection group contains a non-optional package that has an incorrect version, the connection groups virtual environment cannot be created.</p></li>
</ul></td>
<td align="left"><table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Method</th>
<th align="left">Steps</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>App-V Server Management Console</p></td>
<td align="left"><ol>
<li><p>In the Management Console, select <strong>CONNECTION GROUPS</strong>.</p></li>
<li><p>Select the correct connection group from the Connection Groups library.</p></li>
<li><p>Click <strong>EDIT</strong> in the CONNECTED PACKAGES pane.</p></li>
<li><p>Select <strong>Use Any Version</strong> check box next to the package name, and click <strong>Apply</strong>.</p></li>
</ol>
<p>For more about adding or upgrading packages, see [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md).</p></td>
</tr>
<tr class="even">
<td align="left"><p>App-V Client on a Stand-alone computer</p></td>
<td align="left"><ol>
<li><p>Create the connection group XML document.</p></li>
<li><p>For the package to be upgraded, set the <strong>Package</strong> tag attribute <strong>VersionID</strong> to an asterisk (<strong>*</strong>).</p></li>
<li><p>Use the following cmdlet to add the connection group, and include the path to the connection group XML document:</p>
<p><strong>Add-AppvClientConnectionGroup</strong></p></li>
<li><p>When you upgrade a package, use the following cmdlets to remove the old package, add the upgraded package, and publish the upgraded package:</p>
<ul>
<li><p>RemoveAppvClientPackage</p></li>
<li><p>Add-AppvClientPackage</p></li>
<li><p>Publish-AppvClientPackage</p></li>
</ul></li>
</ol>
<p>For more information, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md).</p>
</td>
</tr>
</tbody>
</table>
<p> </p></td>
</tr>
</tbody>
</table>
 
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Managing Connection Groups](appv-managing-connection-groups.md)
 
 

82
windows/manage/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md Normal file
View File

@ -0,0 +1,82 @@
---
title: How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server (Windows 10)
description: How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server
Deploying packages and connection groups using the App-V publishing server is helpful because it offers single-point management and high scalability.
Use the following steps to configure the App-V client to receive updates from the publishing server.
**Note**  
For the following procedures the management server was installed on a computer named **MyMgmtSrv**, and the publishing server was installed on a computer named **MyPubSrv**.
 
**To configure the App-V client to receive updates from the publishing server**
1. Deploy the App-V management and publishing servers, and add the required packages and connection groups. For more information about adding packages and connection groups, see [How to Add or Upgrade Packages by Using the Management Console](appv-add-or-upgrade-packages-with-the-management-console.md) and [How to Create a Connection Group](appv-create-a-connection-group.md).
2. To open the management console click the following link, open a browser and type the following: http://MyMgmtSrv/AppvManagement/Console.html in a web browser, and import, publish, and entitle all the packages and connection groups which will be necessary for a particular set of users.
3. On the computer running the App-V client, open an elevated PowerShell command prompt, run the following command:
**Add-AppvPublishingServer  -Name  ABC  -URL  http:// MyPubSrv/AppvPublishing**
This command will configure the specified publishing server. You should see output similar to the following:
Id                        : 1
SetByGroupPolicy          : False
Name                      : ABC
URL                       : http:// MyPubSrv/AppvPublishing
GlobalRefreshEnabled      : False
GlobalRefreshOnLogon      : False
GlobalRefreshInterval     : 0
GlobalRefreshIntervalUnit : Day
UserRefreshEnabled        : True
UserRefreshOnLogon        : True
UserRefreshInterval       : 0
UserRefreshIntervalUnit   : Day
The returned Id in this case 1
4. On the computer running the App-V client, open a PowerShell command prompt, and type the following command:
**Sync-AppvPublishingServer  -ServerId  1**
The command will query the publishing server for the packages and connection groups that need to be added or removed for this particular client based on the entitlements for the packages and connection groups as configured on the management server.
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
 
 

27
windows/manage/appv-connect-to-the-management-console.md Normal file
View File

@ -0,0 +1,27 @@
---
title: How to Connect to the Management Console (Windows 10)
description: How to Connect to the Management Console
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Connect to the Management Console
Use the following procedure to connect to the App-V Management Console.
**To connect to the App-V Management Console**
1. Open Internet Explorer browser and type the address for the App-V. For example, **http://\<_management server name_\>:\<_management service port number_\>/console.html**.
2. To view different sections of the console, click the desired section in the navigation pane.
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
- [Operations for App-V](appv-operations.md)

292
windows/manage/appv-connection-group-file.md Normal file
View File

@ -0,0 +1,292 @@
---
title: About the Connection Group File (Windows 10)
description: About the Connection Group File
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# About the Connection Group File
**In this topic:**
- [Connection group file purpose and location](#bkmk-cg-purpose-loc)
- [Structure of the connection group XML file](#bkmk-define-cg-5-0sp3)
- [Configuring the priority of packages in a connection group](#bkmk-config-pkg-priority-incg)
- [Supported virtual application connection configurations](#bkmk-va-conn-configs)
## <a href="" id="bkmk-cg-purpose-loc"></a>Connection group file purpose and location
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>Connection group purpose</p></td>
<td align="left"><p>A connection group is an App-V feature that enables you to group packages together to create a virtual environment in which the applications in those packages can interact with each other.</p>
<p>Example: You want to use plug-ins with Microsoft Office. You can create a package that contains the plug-ins, and create another package that contains Office, and then add both packages to a connection group to enable Office to use those plug-ins.</p></td>
</tr>
<tr class="even">
<td align="left"><p>How the connection group file works</p></td>
<td align="left"><p>When you apply an App-V connection group file, the packages that are enumerated in the file will be combined at runtime into a single virtual environment. Use the Microsoft Application Virtualization (App-V) connection group file to configure existing App-V connection groups.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Example file path</p></td>
<td align="left"><p>%APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\{6CCC7575-162E-4152-9407-ED411DA138F4}\{4D1E16E1-8EF8-41ED-92D5-8910A8527F96}.</p></td>
</tr>
</tbody>
</table>
 
## <a href="" id="bkmk-define-cg-5-0sp3"></a>Structure of the connection group XML file
**In this section:**
- [Parameters that define the connection group](#bkmk-params-define-cg)
- [Parameters that define the packages in the connection group](#bkmk-params-define-pkgs-incg)
- [App-V example connection group XML file](#bkmk-50sp3-exp-cg-xml)
### <a href="" id="bkmk-params-define-cg"></a>Parameters that define the connection group
The following table describes the parameters in the XML file that define the connection group itself, not the packages.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Field</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Schema name</p></td>
<td align="left"><p>Name of the schema.</p>
<p>If you want to use the “optional packages” and “use any version” features that are described in this table, you must specify the following schema in the XML file:</p>
<p><code>xmlns=&quot;http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup&quot;</code></p></td>
</tr>
<tr class="even">
<td align="left"><p>AppConnectionGroupId</p></td>
<td align="left"><p>Unique GUID identifier for this connection group. The connection group state is associated with this identifier. Specify this identifier only when you create the connection group.</p>
<p>You can create a new GUID by typing: <strong>[Guid]::NewGuid()</strong>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>VersionId</p></td>
<td align="left"><p>Version GUID identifier for this version of the connection group.</p>
<p>When you update a connection group (for example, by adding or updating a new package), you must update the version GUID to reflect the new version.</p></td>
</tr>
<tr class="even">
<td align="left"><p>DisplayName</p></td>
<td align="left"><p>Display name of the connection group.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Priority</p></td>
<td align="left"><p>Optional priority field for the connection group.</p>
<p><strong>“0”</strong> - indicates the highest priority.</p>
<p>If a priority is required, but has not been configured, the package will fail because the correct connection group to use cannot be determined.</p></td>
</tr>
</tbody>
</table>
 
### <a href="" id="bkmk-params-define-pkgs-incg"></a>Parameters that define the packages in the connection group
In the &lt;Packages&gt; section of the connection group XML file, you list the member packages in the connection group by specifying each packages unique package identifier and version identifier, as described in the following table. The first package in the list has the highest precedence.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Field</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>PackageId</p></td>
<td align="left"><p>Unique GUID identifier for this package. This GUID doesnt change when newer versions of the package are published.</p></td>
</tr>
<tr class="even">
<td align="left"><p>VersionId</p></td>
<td align="left"><p>Unique GUID identifier for the version of the package.</p>
<p>If you specify <strong>“*”</strong> for the package version, the GUID of the latest available package version is dynamically inserted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>IsOptional</p></td>
<td align="left"><p>Parameter that enables you to make a package optional within the connection group. Valid entries are:</p>
<ul>
<li><p><strong>“true”</strong> package is optional in the connection group</p></li>
<li><p><strong>“false”</strong> package is required in the connection group</p></li>
</ul>
</td>
</tr>
</tbody>
</table>
 
### <a href="" id="bkmk-50sp3-exp-cg-xml"></a>App-V example connection group XML file
The following example connection group XML file shows examples of the fields in the previous tables.
```
<?xml version="1.0" encoding="UTF-16"?>
<appv:AppConnectionGroup
xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
xmlns:appv="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
AppConnectionGroupId="61BE9B14-D2B4-41CE-A6E3-A1B658DE7000"
VersionId="E6B6AA57-F2A7-49C9-ADF8-F2B5B3C8A42F"
Priority="0"
DisplayName="Sample Connection Group">
<appv:Packages>
<appv:Package
PackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"
VersionId="*"
IsOptional=”true”
/>
<appv:Package
PackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"
VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"
IsOptional=”false”
/>
</appv:Packages>
```
## <a href="" id="bkmk-config-pkg-priority-incg"></a>Configuring the priority of packages in a connection group
Package precedence is configured using the package list order. The first package in the document has the highest precedence. Subsequent packages in the list have descending priority.
Package precedence is the resolution for otherwise inevitable resource collisions during virtual environment initialization. For example, if two packages that are opening in the same virtual environment define the same registry DWORD value, the package with the highest precedence determines the value that is set.
You can use the connection group file to configure each connection group by using the following methods:
- Specify runtime priorities for connection groups. To edit priority by using the App-V Management Console, click the connection group and then click **Edit**.
**Note**  
Priority is required only if the package is associated with more than one connection group.
 
- Specify package precedence within the connection group.
The priority field is required when a running virtual application initiates from a native application request, for example, Microsoft Windows Explorer. The App-V client uses the priority to determine which connection group virtual environment the application should run in. This situation occurs if a virtual application is part of multiple connection groups.
If a virtual application is opened using another virtual application the virtual environment of the original virtual application will be used. The priority field is not used in this case.
**Example:**
The virtual application Microsoft Outlook is running in virtual environment **XYZ**. When you open an attached Microsoft Word document, a virtualized version Microsoft Word opens in the virtual environment **XYZ**, regardless of the virtualized Microsoft Words associated connection groups or runtime priorities.
## <a href="" id="bkmk-va-conn-configs"></a>Supported virtual application connection configurations
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Configuration</th>
<th align="left">Example scenario</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>An. exe file and plug-in (.dll)</p></td>
<td align="left"><ul>
<li><p>You want to distribute Microsoft Office to all users, but distribute a Microsoft Excel plug-in to only a subset of users.</p></li>
<li><p>Enable the connection group for the appropriate users.</p></li>
<li><p>Update each package individually as required.</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>An. exe file and a middleware application</p></td>
<td align="left"><ul>
<li><p>You have an application requires a middleware application, or several applications that all depend on the same middleware runtime version.</p></li>
<li><p>All computers that require one or more of the applications receive the connection groups with the application and middleware application runtime.</p></li>
<li><p>You can optionally combine multiple middleware applications into a single connection group.</p>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Example</th>
<th align="left">Example description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Virtual application connection group for the financial division</p></td>
<td align="left"><ul>
<li><p>Middleware application 1</p></li>
<li><p>Middleware application 2</p></li>
<li><p>Middleware application 3</p></li>
<li><p>Middleware application runtime</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Virtual application connection group for HR division</p></td>
<td align="left"><ul>
<li><p>Middleware application 5</p></li>
<li><p>Middleware application 6</p></li>
<li><p>Middleware application runtime</p></li>
</ul></td>
</tr>
</tbody>
</table>
<p> </p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>An. exe file and an .exe file</p></td>
<td align="left"><p>You have an application that relies on another application, and you want to keep the packages separate for operational efficiencies, licensing restrictions, or rollout timelines.</p>
<p><strong>Example:</strong></p>
<p>If you are deploying Microsoft Lync 2010, you can use three packages:</p>
<ul>
<li><p>Microsoft Office 2010</p></li>
<li><p>Microsoft Communicator 2007</p></li>
<li><p>Microsoft Lync 2010</p></li>
</ul>
<p>You can manage the deployment using the following connection groups:</p>
<ul>
<li><p>Microsoft Office 2010 and Microsoft Communicator 2007</p></li>
<li><p>Microsoft Office 2010 and Microsoft Lync 2010</p></li>
</ul>
<p>When the deployment has completed, you can either create a single new Microsoft Office 2010 + Microsoft Lync 2010 package, or keep and maintain them as separate packages and deploy them by using a connection group.</p></td>
</tr>
</tbody>
</table>
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Managing Connection Groups](appv-managing-connection-groups.md)

109
windows/manage/appv-connection-group-virtual-environment.md Normal file
View File

@ -0,0 +1,109 @@
---
title: About the Connection Group Virtual Environment (Windows 10)
description: About the Connection Group Virtual Environment
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# About the Connection Group Virtual Environment
**In this topic:**
- [How package priority is determined](#bkmk-pkg-priority-deter)
- [Merging identical package paths into one virtual directory in connection groups](#bkmk-merged-root-ve-exp)
## <a href="" id="bkmk-pkg-priority-deter"></a>How package priority is determined
The virtual environment and its current state are associated with the connection group, not with the individual packages. If an App-V package is removed from the connection group, the state that existed as part of the connection group will not migrate with the package.
If the same package is a part of two different connection groups, you have to indicate which connection group App-V should use. For example, you might have two packages in a connection group that each define the same registry DWORD value.
The connection group that is used is based on the order in which a package appears inside the **AppConnectionGroup** XML document:
- The first package has the highest precedence.
- The second package has the second highest precedence.
Consider the following example section:
``` syntax
<appv:Packages><appv:PackagePackageId="A8731008-4523-4713-83A4-CD1363907160"VersionId="E889951B-7F30-418B-A69C-B37283BC0DB9"/><appv:PackagePackageId="1DC709C8-309F-4AB4-BD47-F75926D04276"VersionId="01F1943B-C778-40AD-BFAD-AC34A695DF3C"/><appv:PackagePackageId="04220DCA-EE77-42BE-A9F5-96FD8E8593F2"VersionId="E15EFFE9-043D-4C01-BC52-AD2BD1E8BAFA"/></appv:Packages>
```
Assume that same DWORD value ABC (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region) is defined in the first and third package, such as:
- Package 1 (A8731008-4523-4713-83A4-CD1363907160): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5
- Package 3 (04220DCA-EE77-42BE-A9F5-96FD8E8593F2): HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=10
Since Package 1 appears first, the AppConnectionGroup's virtual environment will have the single DWORD value of 5 (HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region=5). This means that the virtual applications in Package 1, Package 2, and Package 3 will all see the value 5 when they query for HKEY\_LOCAL\_MACHINE\\software\\contoso\\finapp\\region.
Other virtual environment resources are resolved similarly, but the usual case is that the collisions occur in the registry.
## <a href="" id="bkmk-merged-root-ve-exp"></a>Merging identical package paths into one virtual directory in connection groups
If two or more packages in a connection group contain identical directory paths, the paths are merged into a single virtual directory inside the connection group virtual environment. This merging of paths allows an application in one package to access files that are in a different package.
When you remove a package from a connection group, the applications in that removed package are no longer able to access files in the remaining packages in the connection group.
The order in which App-V looks up a files name in the connection group is specified by the order in which the App-V packages are listed in the connection group manifest file.
The following example shows the order and relationship of a file name lookup in a connection group for **Package A** and **Package B**.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Package A</th>
<th align="left">Package B</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>C:\Windows\System32</p></td>
<td align="left"><p>C:\Windows\System32</p></td>
</tr>
<tr class="even">
<td align="left"><p>C:\AppTest</p></td>
<td align="left"><p>C:\AppTest</p></td>
</tr>
</tbody>
</table>
 
In the example above, when a virtualized application tries to find a specific file, Package A is searched first for a matching file path. If a matching path is not found, Package B is searched, using the following mapping rules:
- If a file named **test.txt** exists in the same virtual folder hierarchy in both application packages, the first matching file is used.
- If a file named **bar.txt** exists in the virtual folder hierarchy of one application package, but not in the other, the first matching file is used.
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Managing Connection Groups](appv-managing-connection-groups.md)
 
 

61
windows/manage/appv-convert-a-package-created-in-a-previous-version-of-appv.md Normal file
View File

@ -0,0 +1,61 @@
---
title: How to Convert a Package Created in a Previous Version of App-V (Windows 10)
description: How to Convert a Package Created in a Previous Version of App-V
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Convert a Package Created in a Previous Version of App-V
You can use the package converter utility to upgrade virtual application packages that have been created with previous versions of App-V.
> [!NOTE]
> If you are running a computer with a 64-bit architecture, you must use the x86 version of Windows PowerShell.
The package converter can only directly convert packages that were created by using the App-V 4.5 sequencer or later. Packages that were created using a version prior to App-V 4.5 must be upgraded to at least App-V 4.5 before conversion.
The following information provides direction for converting existing virtual application packages.
> [!IMPORTANT]
> You must configure the package converter to always save the package ingredients file to a secure location and directory. A secure location is accessible only by an administrator. Additionally, when you deploy the package, you should save the package to a location that is secure, or make sure that no other user is allowed to be logged in during the conversion process.
## App-V 4.6 installation folder is redirected to virtual file system root
When you convert packages from App-V 4.6 to App-V for Windows 10, the App-V for Windows 10 package can access the hardcoded drive that you were required to use when you created 4.6 packages. The drive letter will be the drive you selected as the installation drive on the 4.6 sequencing machine. (The default drive letter is Q:\\.)
**Technical Details:** The App-V package converter will save the App-V 4.6 installation root folder and short folder names in the FilesystemMetadata.xml file in the Filesystem element. When the App-V for Windows 10 client creates the virtual process, it will map requests from the App-V 4.6 installation root to the virtual file system root.
## Getting started
1. Install the App-V Sequencer on a computer in your environment. For information about how to install the Sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md).
2. The following cmdlets are available:
- **Test-AppvLegacyPackage** This cmdlet is designed to check packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in depth validation. For information about options and basic functionality for this cmdlet, using Windows PowerShell, type `Test-AppvLegacyPackage -?`.
- **ConvertFrom-AppvLegacyPackage** To convert an existing package, type `ConvertFrom-AppvLegacyPackage c:\contentStore c:\convertedPackages`. In this command, `c:\contentStore` represents the location of the existing package and `c:\convertedPackages` is the output directory to which the resulting App-V for Windows 10 virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used.
Additionally, the package converter optimizes performance of packages in App-V for Windows 10 by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default.
> [!NOTE]
> Before you specify the output directory, you must create the output directory.
### Advanced Conversion Tips
- Piping - Windows PowerShell supports piping. Piping allows you to call `dir c:\contentStore\myPackage | Test-AppvLegacyPackage`. In this example, the directory object that represents `myPackage` will be given as input to the `Test-AppvLegacyPackage` command and bound to the `-Source` parameter. Piping like this is especially useful when you want to batch commands together; for example, `dir .\ | Test-AppvLegacyPackage | ConvertFrom-AppvLegacyAppvPackage -Target .\ConvertedPackages`. This piped command would test the packages and then pass those objects on to actually be converted. You can also apply a filter on packages without errors or only specify a directory which contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V client.
- Batching - The Windows PowerShell command enables batching. More specifically, the cmdlets support taking a string\[\] object for the `-Source` parameter which represents a list of directory paths. This allows you to enter `$packages = dir c:\contentStore` and then call `ConvertFrom-AppvLegacyAppvPackage-Source $packages -Target c:\ConvertedPackages` or to use piping and call `dir c:\ContentStore | ConvertFrom-AppvLegacyAppvPackage -Target C:\ConvertedPackages`.
- Other functionality - Windows PowerShell has other built-in functionality for features such as aliases, piping, lazy-binding, .NET object, and many others. All of these are usable in Windows PowerShell and can help you create advanced scenarios for the Package Converter.
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
- [Operations for App-V](appv-operations.md)

82
windows/manage/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md Normal file
View File

@ -0,0 +1,82 @@
---
title: How to Create a Connection Group with User-Published and Globally Published Packages (Windows 10)
description: How to Create a Connection Group with User-Published and Globally Published Packages
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Create a Connection Group with User-Published and Globally Published Packages
You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods:
- [How to use PowerShell cmdlets to create the user-entitled connection groups](#bkmk-posh-userentitled-cg)
- [How to use the App-V Server to create the user-entitled connection groups](#bkmk-appvserver-userentitled-cg)
**What to know before you start:**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Unsupported scenarios and potential issues</th>
<th align="left">Result</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>You cannot include user-published packages in globally entitled connection groups.</p></td>
<td align="left"><p>The connection group will fail.</p></td>
</tr>
<tr class="even">
<td align="left"><p>If you publish a package globally and then create a user-published connection group in which youve made that package non-optional, you can still run <strong>Unpublish-AppvClientPackage &lt;package&gt; -global</strong> to unpublish the package, even when that package is being used in another connection group.</p></td>
<td align="left"><p>If any other connection groups are using that package, the package will fail in those connection groups.</p>
<p>To avoid inadvertently unpublishing a non-optional package that is being used in another connection group, we recommend that you track the connection groups in which youve used a non-optional package.</p></td>
</tr>
</tbody>
</table>
 
**How to use PowerShell cmdlets to create user-entitled connection groups**
1. Add and publish packages by using the following commands:
**Add-AppvClientPackage Pacakage1\_AppV\_file\_Path**
**Add-AppvClientPackage Pacakage2\_AppV\_file\_Path**
**Publish-AppvClientPackage -PackageId Package1\_ID -VersionId Package1\_Version ID -Global**
**Publish-AppvClientPackage -PackageId Package2\_ID -VersionId Package2\_ID**
2. Create the connection group XML file. For more information, see [About the Connection Group File](appv-connection-group-file.md).
3. Add and publish the connection group by using the following commands:
**Add-AppvClientConnectionGroup Connection\_Group\_XML\_file\_Path**
**Enable-AppvClientConnectionGroup  -GroupId CG\_Group\_ID -VersionId CG\_Version\_ID**
**How to use the App-V Server to create user-entitled connection groups**
1. Open the App-V Management Console.
2. Follow the instructions in [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md) to publish packages globally and to the user.
3. Follow the instructions in [How to Create a Connection Group](appv-create-a-connection-group.md) to create the connection group, and add the user-published and globally published packages.
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Managing Connection Groups](appv-managing-connection-groups.md)

58
windows/manage/appv-create-a-connection-group.md Normal file
View File

@ -0,0 +1,58 @@
---
title: How to Create a Connection Group (Windows 10)
description: How to Create a Connection Group
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Create a Connection Group
Use these steps to create a connection group by using the App-V Management Console. To use PowerShell to create connection groups, see [How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md).
When you place packages in a connection group, their package root paths are merged. If you remove packages, only the remaining packages maintain the merged root.
**To create a connection group**
1. In the App-V Management Console, select **CONNECTION GROUPS** to display the Connection Groups library.
2. Select **ADD CONNECTION GROUP** to create a new connection group.
3. In the **New Connection Group** pane, type a description for the group.
4. Click **EDIT** in the **CONNECTED PACKAGES** pane to add a new application to the connection group.
5. In the **PACKAGES Entire Library** pane, select the application to be added, and click the arrow to add the application.
To remove an application, select the application to be removed in the **PACKAGES IN** pane and click the arrow.
To reprioritize the applications in your connection group, use the arrows in the **PACKAGES IN** pane.
**Important**  
By default, the Active Directory Domain Services access configurations that are associated with a specific application are not added to the connection group. To transfer the Active Directory access configuration, select **ADD PACKAGE ACCESS TO GROUP ACCESS**, which is located in the **PACKAGES IN** pane.
 
6. After adding all the applications and configuring Active Directory access, click **Apply**.
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
[Managing Connection Groups](appv-managing-connection-groups.md)
 
 

48
windows/manage/appv-create-a-custom-configuration-file-with-the-management-console.md Normal file
View File

@ -0,0 +1,48 @@
---
title: How to Create a Custom Configuration File by Using the App-V Management Console (Windows 10)
description: How to Create a Custom Configuration File by Using the App-V Management Console
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Create a Custom Configuration File by Using the App-V Management Console
You can use a dynamic configuration to customize an App-V package for a specific user. However, you must first create the dynamic user configuration (.xml) file or the dynamic deployment configuration file before you can use the files. Creation of the file is an advanced manual operation. For general information about dynamic user configuration files, see, [About App-V Dynamic Configuration](appv-dynamic-configuration.md).
Use the following procedure to create a Dynamic User Configuration file by using the App-V Management console.
**To create a Dynamic User Configuration file**
1. Right-click the name of the package that you want to view and select **Edit active directory access** to view the configuration that is assigned to a given user group. Alternatively, select the package, and click **Edit**.
2. Using the list of **AD Entities with Access**, select the AD group that you want to customize. Select **Custom** from the drop-down list, if it is not already selected. A link named **Edit** will be displayed.
3. Click **Edit**. The Dynamic User Configuration that is assigned to the AD Group will be displayed.
4. Click **Advanced**, and then click **Export Configuration**. Type in a filename and click **Save**. Now you can edit the file to configure a package for a user.
**Note**  
To export a configuration while running on Windows Server, you must disable "IE Enhanced Security Configuration". If this is enabled and set to block downloads, you cannot download anything from the App-V Server.
 
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
 
 

55
windows/manage/appv-create-a-package-accelerator-with-powershell.md Normal file
View File

@ -0,0 +1,55 @@
---
title: How to Create a Package Accelerator by Using PowerShell (Windows 10)
description: How to Create a Package Accelerator by Using PowerShell
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Create a Package Accelerator by Using PowerShell
App-V package accelerators automatically sequence large, complex applications. Additionally, when you apply an App-V package accelerator, you are not always required to manually install an application to create the virtualized package.
**To create a package accelerator**
1. Install the App-V sequencer. For more information about installing the sequencer see [How to Install the Sequencer](appv-install-the-sequencer.md).
2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. Use the **New-AppvPackageAccelerator** cmdlet.
3. To create a package accelerator, make sure that you have the .appv package to create an accelerator from, the installation media or installation files, and optionally a read me file for consumers of the accelerator to use. The following parameters are required to use the package accelerator cmdlet:
- **InstalledFilesPath** - specifies the application installation path.
- **Installer** specifies the path to the application installer media
- **InputPackagePath** specifies the path to the .appv package
- **Path** specifies the output directory for the package.
The following example displays how you can create a package accelerator with an .appv package and the installation media:
**New-AppvPackageAccelerator -InputPackagePath &lt;path to the .appv file&gt; -Installer &lt;path to the installer executable&gt; -Path &lt;directory of the output path&gt;**
Additional optional parameters that can be used with the **New-AppvPackageAccelerator** cmdlet are displayed in the following list:
- **AcceleratorDescriptionFile** - specifies the path to user created package accelerator instructions. The package accelerator instructions are **.txt** or **.rtf** description files that will be packaged with the package created using the package accelerator.
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Administering App-V by Using PowerShell](appv-administering-appv-with-powershell.md)
 
 

107
windows/manage/appv-create-a-package-accelerator.md Normal file
View File

@ -0,0 +1,107 @@
---
title: How to Create a Package Accelerator (Windows 10)
description: How to Create a Package Accelerator
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Create a Package Accelerator
App-V package accelerators automatically generate new virtual application packages.
**Note**  
You can use PowerShell to create a package accelerator. For more information see [How to Create a Package Accelerator by Using PowerShell](appv-create-a-package-accelerator-with-powershell.md).
 
Use the following procedure to create a package accelerator.
**Important**  
Package Accelerators can contain password and user-specific information. Therefore you must save Package Accelerators and the associated installation media in a secure location, and you should digitally sign the Package Accelerator after you create it so that the publisher can be verified when the App-V Package Accelerator is applied.
 
**Important**  
Before you begin the following procedure, you should perform the following:
- Copy the virtual application package that you will use to create the package accelerator locally to the computer running the sequencer.
- Copy all required installation files associated with the virtual application package to the computer running the sequencer.
 
**To create a package accelerator**
1. **Important**  
The App-V Sequencer does not grant any license rights to the software application you are using to create the Package Accelerator. You must abide by all end user license terms for the application you are using. It is your responsibility to make sure the software applications license terms allow you to create a Package Accelerator using App-V Sequencer.
 
To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**.
2. To start the App-V **Create Package Accelerator** wizard, in the App-V sequencer console, click **Tools** / **Create Accelerator**.
3. On the **Select Package** page, to specify an existing virtual application package to use to create the Package Accelerator, click **Browse**, and locate the existing virtual application package (.appv file).
**Tip**  
Copy the files associated with the virtual application package you plan to use locally to the computer running the Sequencer.
 
Click **Next**.
4. On the **Installation Files** page, to specify the folder that contains the installation files that you used to create the original virtual application package, click **Browse**, and then select the directory that contains the installation files.
**Tip**  
Copy the folder that contains the required installation files to the computer running the Sequencer.
 
5. If the application is already installed on the computer running the sequencer, to specify the installation file, select **Files installed on local system**. To use this option, the application must already be installed in the default installation location.
6. On the **Gathering Information** page, review the files that were not found in the location specified on the **Installation Files** page of this wizard. If the files displayed are not required, select **Remove these files**, and then click **Next**. If the files are required, click **Previous** and copy the required files to the directory specified on the **Installation Files** page.
**Note**  
You must either remove the unrequired files, or click **Previous** and locate the required files to advance to the next page of this wizard.
 
7. On the **Select Files** page, carefully review the files that were detected, and clear any file that should be removed from the package accelerator. Select only files that are required for the application to run successfully, and then click **Next**.
8. On the **Verify Applications** page, confirm that all installation files that are required to build the package are displayed. When the Package Accelerator is used to create a new package, all installation files displayed in the **Applications** pane are required to create the package.
If necessary, to add additional Installer files, click **Add**. To remove unnecessary installation files, select the Installer file, and then click **Delete**. To edit the properties associated with an installer, click **Edit**. The installation files specified in this step will be required when the Package Accelerator is used to create a new virtual application package. After you have confirmed the information displayed, click **Next**.
9. On the **Select Guidance** page, to specify a file that contains information about how the Package Accelerator, click **Browse**. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. You should provide all required information for the Package Accelerator to be successfully applied. The file you select must be in rich text (.rtf) or text file (.txt) format. Click **Next**.
10. On the **Create Package Accelerator** page, to specify where to save the Package Accelerator, click **Browse** and select the directory.
11. On the **Completion** page, to close the **Create Package Accelerator** wizard, click **Close**.
**Important**  
To help ensure that the package accelerator is as secure as possible, and so that the publisher can be verified when the package accelerator is applied, you should always digitally sign the package accelerator.
 
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
[How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md)
 
 

101
windows/manage/appv-create-a-virtual-application-package-package-accelerator.md Normal file
View File

@ -0,0 +1,101 @@
---
title: How to Create a Virtual Application Package Using an App-V Package Accelerator (Windows 10)
description: How to Create a Virtual Application Package Using an App-V Package Accelerator
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Create a Virtual Application Package Using an App-V Package Accelerator
**Important**  
The App-V Sequencer does not grant any license rights to the software application that you use to create the Package Accelerator. You must abide by all end user license terms for the application that you use. It is your responsibility to make sure that the software applications license terms allow you to create a Package Accelerator with the App-V Sequencer.
 
Use the following procedure to create a virtual application package with the App-V Package Accelerator.
**Note**  
Before you start this procedure, copy the required Package Accelerator locally to the computer that runs the App-V Sequencer. You should also copy all required installation files for the package to a local directory on the computer that runs the Sequencer. This is the directory that you have to specify in step 5 of this procedure.
 
**To create a virtual application package with an App-V Package Accelerator**
1. To start the App-V Sequencer, on the computer that runs the App-V Sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**.
2. To start the **Create New Package Wizard**, click **Create a New Virtual Application Package**. To create the package, select the **Create Package using a Package Accelerator** check box, and then click **Next**.
3. To specify the package accelerator that will be used to create the new virtual application package, click **Browse** on the **Select Package Accelerator** page. Click **Next**.
**Important**  
If the publisher of the package accelerator cannot be verified and does not contain a valid digital signature, then before you click **Run**, you must confirm that you trust the source of the package accelerator. Confirm your choice in the **Security Warning** dialog box.
 
4. On the **Guidance** page, review the publishing guidance information that is displayed in the information pane. This information was added when the Package Accelerator was created and it contains guidance about how to create and publish the package. To export the guidance information to a text (.txt) file, click **Export** and specify the location where the file should be saved, and then click **Next**.
5. On the **Select Installation Files** page, click **Make New Folder** to create a local folder that contains all required installation files for the package, and specify where the folder should be saved. You must also specify a name to be assigned to the folder. You must then copy all required installation files to the location that you specified. If the folder that contains the installation files already exists on the computer that runs the Sequencer, click **Browse** to select the folder.
Alternatively, if you have already copied the installation files to a directory on this computer, click **Make New Folder**, browse to the folder that contains the installation files, and then click **Next**.
**Note**  
You can specify the following types of supported installation files:
- Windows Installer files (**.msi**)
- Cabinet files (.cab)
- Compressed files with a .zip file name extension
- The actual application files
The following file types are not supported: **.msp** and **.exe** files. If you specify an **.exe** file, you must extract the installation files manually.
 
If the package accelerator requires an application to be installed before you apply the Package Accelerator, and if you have already installed the required application, select **I have installed all applications**, and then click **Next** on the **Local Installation** page.
6. On the **Package Name** page, specify a name that will be associated with the package. The name that you specify identifies the package in the App-V Management Console. Click **Next**.
7. On the **Create Package** page, provide comments that will be associated with the package. The comments should contain identifying information about the package that you are creating. To confirm the location where the package is created, review the information that is displayed in **Save Location**. To compress the package, select **Compress Package**. Select the **Compress Package** check box if the package will be streamed across the network, or when the package size exceeds 4 GB.
To create the package, click **Create**. After the package is created, click **Next**.
8. On the **Configure Software** page, to enable the Sequencer to configure the applications that are contained in the package, select **Configure Software**. In this step you can configure any associated tasks that must be completed in order to run the application on the target computers. For example, you can configure any associated license agreements.
If you select **Configure Software**, the following items can be configured using the Sequencer as part of this step:
- **Load Package**. The Sequencer loads the files that are associated with the package. It can take several seconds to an hour to decode the package.
- **Run Each Program**. Optionally run the programs that are contained in the package. This step is helpful to complete any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at once, select at least one program, and then click **Run All**. To run specific programs, select the program or programs that you want to run, and then click **Run Selected**. Complete the required configuration tasks, and then close the applications. It can take several minutes for all programs to run. Click **Next**.
- **Save Package**. The Sequencer saves the package.
- **Primary Feature Block**. The Sequencer optimizes the package for streaming by rebuilding the primary feature block.
If you do not want to configure the applications, click **Skip this step**, and to go to step 9 of this procedure, and then click **Next**.
9. On the **Completion** page, after you review the information that is displayed in the **Virtual Application Package Report** pane, click **Close**.
The package is now available in the Sequencer. To edit the package properties, click **Edit \[Package Name\]**. For more information about how to modify a package, see [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md).
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
 
 

70
windows/manage/appv-create-and-use-a-project-template.md Normal file
View File

@ -0,0 +1,70 @@
---
title: How to Create and Use a Project Template (Windows 10)
description: How to Create and Use a Project Template
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Create and Use a Project Template
You can use an App-V project template to save commonly applied settings associated with an existing virtual application package. These settings can then be applied when you create new virtual application packages in your environment. Using a project template can streamline the process of creating virtual application packages.
**Note**  
You can, and often should apply an App-V project template during a package upgrade. For example, if you sequenced an application with a custom exclusion list, it is recommended that an associated template is created and saved for later use while upgrading the sequenced application.
 
App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications.
Use the following procedures to create and apply a new template.
**To create a project template**
1. To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**.
2. **Note**  
If the virtual application package is currently open in the App-V Sequencer console, skip to step 3 of this procedure.
 
To open the existing virtual application package that contains the settings you want to save with the App-V project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**.
3. In the App-V Sequencer console, to save the template file, click **File** / **Save As Template**. After you have reviewed the settings that will be saved with the new template, click **OK**. Specify a name that will be associated with the new App-V project template. Click Save.
The new App-V project template is saved in the directory specified in step 3 of this procedure.
**To apply a project template**
1. **Important**  
Creating a virtual application package using a project template in conjunction with a Package Accelerator is not supported.
 
To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**.
2. To create or upgrade a new virtual application package by using an App-V project template, click **File** / **New From Template**.
3. To select the project template that you want to use, browse to the directory where the project template is saved, select the project template, and then click **Open**.
Create the new virtual application package. The settings saved with the specified template will be applied to the new virtual application package that you are creating.
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
 
 

211
windows/manage/appv-creating-and-managing-virtualized-applications.md Normal file
View File

@ -0,0 +1,211 @@
---
title: Creating and Managing App-V Virtualized Applications (Windows 10)
description: Creating and Managing App-V Virtualized Applications
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# Creating and Managing App-V Virtualized Applications
After you have properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application.
**Note**  
For more information about configuring the App-V sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).
**Note**
The App-V Sequencer cannot sequence applications with filenames matching "CO_&lt;x&gt;" where x is any numeral. Error 0x8007139F will be generated.
## Sequencing an application
You can use the App-V Sequencer to perform the following tasks:
- Create virtual packages that can be deployed to computers running the App-V client.
- Upgrade existing packages. You can expand an existing package onto the computer running the sequencer and then upgrade the application to create a newer version.
- Edit configuration information associated with an existing package. For example, you can add a shortcut or modify a file type association.
**Note**  
You must create shortcuts and save them to an available network location to allow roaming. If a shortcut is created and saved in a private location, the package must be published locally to the computer running the App-V client.
 
- Convert existing virtual packages.
The sequencer uses the **%TMP% \\ Scratch** or **%TEMP% \\ Scratch** directory and the **Temp** directory to store temporary files during sequencing. On the computer that runs the sequencer, you should configure these directories with free disk space equivalent to the estimated application installation requirements. Configuring the temp directories and the Temp directory on different hard drive partitions can help improve performance during sequencing.
When you use the sequencer to create a new virtual application, the following listed files are created. These files comprise the App-V package.
- .msi file. This Windows Installer (.msi) file is created by the sequencer and is used to install the virtual package on target computers.
- Report.xml file. In this file, the sequencer saves all issues, warnings, and errors that were discovered during sequencing. It displays the information after the package has been created. You can us this report for diagnosing and troubleshooting.
- .appv file. This is the virtual application file.
- Deployment configuration file. The deployment configuration file determines how the virtual application will be deployed to target computers.
- User configuration file. The user configuration file determines how the virtual application will run on target computers.
**Important**  
You must configure the %TMP% and %TEMP% folders that the package converter uses to be a secure location and directory. A secure location is only accessible by an administrator. Additionally, when you sequence the package you should save the package to a location that is secure, or make sure that no other user is allowed to be logged in during the conversion and monitoring process. 
The **Options** dialog box in the sequencer console contains the following tabs:
- **General**. Use this tab to enable Microsoft Updates to run during sequencing. Select **Append Package Version to Filename** to configure the sequence to add a version number to the virtualized package that is being sequenced. Select **Always trust the source of Package Accelerators** to create virtualized packages using a package accelerator without being prompted for authorization.
**Important**  
Package Accelerators created using App-V 4.6 are not supported by App-V.  
- **Parse Items**. This tab displays the associated file path locations that will be parsed or tokenized into in the virtual environment. Tokens are useful for adding files using the **Package Files** tab in **Advanced Editing**.
- **Exclusion Items**. Use this tab to specify which folders and directories should not be monitored during sequencing. To add local application data that is saved in the Local App Data folder in the package, click **New** and specify the location and the associated **Mapping Type**. This option is required for some packages.
App-V supports applications that include Microsoft Windows Services. If an application includes a Windows service, the Service will be included in the sequenced virtual package as long as it is installed while being monitored by the sequencer. If a virtual application creates a Windows service when it initially runs, then later, after installation, the application must be run while the sequencer is monitoring so that the Windows Service will be added to the package. Only Services that run under the Local System account are supported. Services that are configured for AutoStart or Delayed AutoStart are started before the first virtual application in a package runs inside the packages Virtual Environment. Windows Services that are configured to be started on demand by an application are started when the virtual application inside the package starts the Service via API call.
[How to Sequence a New Application with App-V](appv-sequence-a-new-application.md)
## <a href="" id="---------app-v-5-1-shell-extension-support"></a> App-V shell extension support
App-V supports shell extensions. Shell extensions will be detected and embedded in the package during sequencing.
Shell extensions are embedded in the package automatically during the sequencing process. When the package is published, the shell extension gives users the same functionality as if the application were locally installed.
**Requirements for using shell extensions:**
- Packages that contain embedded shell extensions must be published globally. The application requires no additional setup or configuration on the client to enable the shell extension functionality.
- The “bitness” of the application, Sequencer, and App-V client must match, or the shell extensions wont work. For example:
- The version of the application is 64-bit.
- The Sequencer is running on a 64-bit computer.
- The package is being delivered to a 64-bit App-V client computer.
The following table lists the supported shell extensions:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Handler</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Context menu handler</p></td>
<td align="left"><p>Adds menu items to the context menu. It is called before the context menu is displayed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Drag-and-drop handler</p></td>
<td align="left"><p>Controls the action where right-click, drag and drop and modifies the context menu that appears.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Drop target handler</p></td>
<td align="left"><p>Controls the action after a data object is dragged and dropped over a drop target such as a file.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Data object handler</p></td>
<td align="left"><p>Controls the action after a file is copied to the clipboard or dragged and dropped over a drop target. It can provide additional clipboard formats to the drop target.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Property sheet handler</p></td>
<td align="left"><p>Replaces or adds pages to the property sheet dialog box of an object.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Infotip handler</p></td>
<td align="left"><p>Allows retrieving flags and infotip information for an item and displaying it inside a pop-up tooltip upon mouse hover.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Column handler</p></td>
<td align="left"><p>Allows creating and displaying custom columns in <strong>Windows Explorer Details view</strong>. It can be used to extend sorting and grouping.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Preview handler</p></td>
<td align="left"><p>Enables a preview of a file to be displayed in the Windows Explorer Preview pane.</p></td>
</tr>
</tbody>
</table>
## Copy on Write (CoW) file extension support
Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it is being used.
The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V client. All other files and directories can be modified.
| File Type | | | | | |
|------------ |------------- |------------- |------------ |------------ |------------ |
| .acm | .asa | .asp | .aspx | .ax | .bat |
| .cer | .chm | .clb | .cmd | .cnt | .cnv |
| .com | .cpl | .cpx | .crt | .dll | .drv |
| .esc | .exe | .fon | .grp | .hlp | .hta |
| .ime | .inf | .ins | .isp | .its | .js |
| .jse | .lnk | .msc | .msi | .msp | .mst |
| .mui | .nls | .ocx | .pal | .pcd | .pif |
| .reg | .scf | .scr | .sct | .shb | .shs |
| .sys | .tlb | .tsp | .url | .vb | .vbe |
| .vbs | .vsmacros | .ws | .wsf | .wsh | |
## Modifying an existing virtual application package
You can use the sequencer to modify an existing package. The computer on which you do this should match the chip architecture of the computer you used to create the application. For example, if you initially sequenced a package using a computer running a 64-bit operating system, you should modify the package using a computer running a 64-bit operating system.
[How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md)
## Creating a project template
A .appvt file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings.
App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. Additionally, you cannot use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template:
A template can specify and store multiple settings as follows:
- **Advanced Monitoring Options**. Enables Microsoft Update to run during monitoring. Saves allow local interaction option settings
- **General Options**. Enables the use of **Windows Installer**, **Append Package Version to Filename**.
- **Exclusion Items.** Contains the Exclusion pattern list.
[How to Create and Use a Project Template](appv-create-and-use-a-project-template.md)
## Creating a package accelerator
**Note**  
Package accelerators created using a previous version of App-V must be recreated using App-V.
You can use App-V package accelerators to automatically generate a new virtual application packages. After you have successfully created a package accelerator, you can reuse and share the package accelerator.
In some situations, to create the package accelerator, you might have to install the application locally on the computer that runs the sequencer. In such cases, you should first try to create the package accelerator with the installation media. If multiple missing files are required, you should install the application locally to the computer that runs the sequencer, and then create the package accelerator.
After you have successfully created a Package Accelerator, you can reuse and share the Package Accelerator. Creating App-V Package Accelerators is an advanced task. Package Accelerators can contain password and user-specific information. Therefore you must save Package Accelerators and the associated installation media in a secure location, and you should digitally sign the Package Accelerator after you create it so that the publisher can be verified when the App-V Package Accelerator is applied.
[How to Create a Package Accelerator](appv-create-a-package-accelerator.md)
[How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md)
## Sequencer error reporting
The App-V Sequencer can detect common sequencing issues during sequencing. The **Installation Report** page at the end of the sequencing wizard displays diagnostic messages categorized into **Errors**, **Warnings**, and **Info** depending on the severity of the issue.
You can also find additional information about sequencing errors using the Windows Event Viewer.
## <a href="" id="other-resources-for-the-app-v-5-1-sequencer-"></a>Other resources for the App-V sequencer
- [Operations for App-V](appv-operations.md)

45
windows/manage/appv-customize-virtual-application-extensions-with-the-management-console.md Normal file
View File

@ -0,0 +1,45 @@
---
title: How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console (Windows 10)
description: How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console
Use the following procedure to customize the virtual application extensions for an Active Directory (AD) group.
**To customize virtual applications extensions for an AD group**
1. To view the package that you want to configure, open the App-V Management Console. To view the configuration that is assigned to a given user group, select the package, and right-click the package name and select **Edit active directory access**. Alternatively, select the package and click **EDIT** in the **AD ACCESS** pane.
2. To customize an AD group, you can find the group from the list of **AD Entities with Access**. Then, using the drop-down box in the **Assigned Configuration** pane, select **Custom**, and then click **EDIT**.
3. To disable all extensions for a given application, clear **ENABLE**.
To add a new shortcut for the selected application, right-click the application in the **SHORTCUTS** pane, and select **Add new shortcut**. To remove a shortcut, right-click the application in the **SHORTCUTS** pane, and select **Remove Shortcut**. To edit an existing shortcut, right-click the application, and select **Edit Shortcut**.
4. To view any other application extensions, click **Advanced**, and click **Export Configuration**. Type in a filename and click **Save**. You can view all application extensions that are associated with the package using the configuration file.
5. To edit additional application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. Select the modified file and click **Open**. In the dialog, click **Overwrite** to complete the process.
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
 
 

39
windows/manage/appv-delete-a-connection-group.md Normal file
View File

@ -0,0 +1,39 @@
---
title: How to Delete a Connection Group (Windows 10)
description: How to Delete a Connection Group
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Delete a Connection Group
Use the following procedure to delete an existing App-V connection group.
**To delete a connection group**
1. Open the App-V Management Console and select **CONNECTION GROUPS**.
2. Right-click the connection group to be removed, and select **delete**.
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
[Managing Connection Groups](appv-managing-connection-groups.md)
 
 

37
windows/manage/appv-delete-a-package-with-the-management-console.md Normal file
View File

@ -0,0 +1,37 @@
---
title: How to Delete a Package in the Management Console (Windows 10)
description: How to Delete a Package in the Management Console
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Delete a Package in the Management Console
Use the following procedure to delete an App-V package.
**To delete a package in the Management Console**
1. To view the package you want to delete, open the App-V Management Console and select **Packages**. Select the package to be removed.
2. Click or right-click the package. Select **Delete** to remove the package.
**Have a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
[Operations for App-V](appv-operations.md)
 
 

183
windows/manage/appv-deploy-appv-databases-with-sql-scripts.md Normal file
View File

@ -0,0 +1,183 @@
---
title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10)
description: How to Deploy the App-V Databases by Using SQL Scripts
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Deploy the App-V Databases by Using SQL Scripts
Use the following instructions to use SQL scripts, rather than the Windows Installer, to:
- Install the App-V databases
- Upgrade the App-V databases to a later version
> [!NOTE]
> If you have already deployed an App-V 5.0 SP3 database or later, the SQL scripts are not required to upgrade to App-V.
## How to install the App-V databases by using SQL scripts
1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software.
2. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location.
3. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts.
Example: appv\_server\_setup.exe /layout c:\\_<temporary location path>_
4. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate readme.txt file for instructions:
| Database | Location of readme.txt file to use
| - | - |
| Management database | ManagementDatabase subfolder |
| Reporting database | ReportingDatabase subfolder |
> [!CAUTION]
> The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders.
> [!IMPORTANT]
> The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
> The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). **Step 1** is not required for versions of App-V later than App-V 5.0 SP3.
### Updated management database README file content
``` syntax
***********************************************************************************************************
Before you install and use the Application Virtualization Database Scripts, you must:
- Review the license terms.
- Print and retain a copy of the license terms for your records.
By running the App-V you agree to such license terms. If you do not accept them, do not use the software.
***********************************************************************************************************
Steps to install "AppVManagement" schema in SQL SERVER.
## PREREQUISITES:
1. Review the installation package. The following files MUST exist:
SQL files
---------
Database.sql
CreateTables.sql
CreateStoredProcs.sql
UpdateTables.sql
Permissions.sql
2. Ensure the target SQL Server instance and SQL Server Agent service are running.
3. If you are not running the scripts directly on the server, ensure the
necessary SQL Server client software is installed and available from
the specified location. Specifically, the "osql" command must be supported for these scripts to run.
## PREPARATION:
1. Review the database.sql file and modify as necessary. Although the
defaults are likely sufficient, it is suggested that the following
settings be reviewed:
DATABASE - ensure name is satisfactory - default is "AppVManagement".
2. Review the Permissions.sql file and provide all the necessary account information
for setting up read and write access on the database. Note: Default settings in the file will not work.
## INSTALLATION:
1. Run the database.sql against the "master" database. Your user
credential must have the ability to create databases.
This script will create the database.
2. Run the following scripts against the "AppVManagement" database using the
same account as above in order.
CreateTables.sql
CreateStoredProcs.sql
UpdateTables.sql
Permissions.sql
```
### Updated reporting database README file content
``` syntax
***********************************************************************************************************
Before you install and use the Application Virtualization Database Scripts, you must:
- Review the license terms.
- Print and retain a copy of the license terms for your records.
By running the App-V you agree to such license terms. If you do not accept them, do not use the software.
***********************************************************************************************************
Steps to install "AppVReporting" schema in SQL SERVER.
## PREREQUISITES:
1. Review the installation package. The following files MUST exist:
SQL files
---------
Database.sql
UpgradeDatabase.sql
CreateTables.sql
CreateReportingStoredProcs.sql
CreateStoredProcs.sql
CreateViews.sql
Permissions.sql
ScheduleReportingJob.sql
2. Ensure the target SQL Server instance and SQL Server Agent service are running.
3. If you are not running the scripts directly on the server, ensure the
necessary SQL Server client software is installed and executable from
the location you have chosen. Specifically, the "osql" command must be supported for these scripts to run.
## PREPARATION:
1. Review the database.sql file and modify as necessary. Although the
defaults are likely sufficient, it is suggested that the following
settings be reviewed:
DATABASE - ensure name is satisfactory - default is "AppVReporting".
2. Review the Permissions.sql file and provide all the necessary account information
for setting up read and write access on the database. Note: Default settings
in the file will not work.
3. Review the ScheduleReportingJob.sql file and make sure that the stored proc schedule
time is acceptable. The default stored proc schedule time is at 12.01 AM (line 84).
If this time is not suitable, you can change this to a more suitable time. The time is in the format HHMMSS.
## INSTALLATION:
1. Run the database.sql against the "master" database. Your user
credential must have the ability to create databases.
This script will create the database.
2. If upgrading the database, run UpgradeDatabase.sql This will upgrade database schema.
2. Run the following scripts against the "AppVReporting" database using the
same account as above in order.
CreateTables.sql
CreateReportingStoredProcs.sql
CreateStoredProcs.sql
CreateViews.sql
Permissions.sql
ScheduleReportingJob.sql
```
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
- [Deploying the App-V Server](appv-deploying-the-appv-server.md)
- [How to Deploy the App-V Server](appv-deploy-the-appv-server.md)

41
windows/manage/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md Normal file
View File

@ -0,0 +1,41 @@
---
title: How to deploy App-V Packages Using Electronic Software Distribution (Windows 10)
description: How to deploy App-V Packages Using Electronic Software Distribution
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to deploy App-V packages using electronic software distribution
You can use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
For component requirements and options for using an ESD to deploy App-V packages, see [Planning to Deploy App-V with an Electronic Software Distribution System](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md).
Use one of the following methods to publish packages to App-V client computers with an ESD:
| Method | Description |
| - | - |
| Functionality provided by a third-party ESD | Use the functionality in a third-party ESD.|
| Stand-alone Windows Installer | Install the application on the target client computer by using the associated Windows Installer (.msi) file that is created when you initially sequence an application. The Windows Installer file contains the associated App-V package file information used to configure a package and copies the required package files to the client. |
| Windows PowerShell | Use Windows PowerShell cmdlets to deploy virtualized applications. For more information about using PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md).|
 
**To deploy App-V packages by using an ESD**
1. Install the App-V Sequencer on a computer in your environment. For more information about installing the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md).
2. Use the App-V Sequencer to create virtual application. For information about creating a virtual application, see [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md).
3. After you create the virtual application, deploy the package by using your ESD solution.
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
- [Operations for App-V](appv-operations.md)

789
windows/manage/appv-deploy-the-appv-server-with-a-script.md Normal file
View File

@ -0,0 +1,789 @@
---
title: How to Deploy the App-V Server Using a Script (Windows 10)
description: How to Deploy the App-V Server Using a Script
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Deploy the App-V Server Using a Script
In order to complete the **appv\_server\_setup.exe** Server setup successfully using the command line, you must specify and combine multiple parameters.
**To Install the App-V server using a script**
- Use the following tables for more information about installing the App-V server using the command line.
**Note**  
The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**.
 
**Common parameters and Examples**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>To Install the Management server and Management database on a local machine.</p></td>
<td align="left"><p>To use the default instance of Microsoft SQL Server, use the following parameters:</p>
<ul>
<li><p>/MANAGEMENT_SERVER</p></li>
<li><p>/MANAGEMENT_ADMINACCOUNT</p></li>
<li><p>/MANAGEMENT_WEBSITE_NAME</p></li>
<li><p>/MANAGEMENT_WEBSITE_PORT</p></li>
<li><p>/DB_PREDEPLOY_MANAGEMENT</p></li>
<li><p>/MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT</p></li>
<li><p>/MANAGEMENT_DB_NAME</p></li>
</ul>
<p>To use a custom instance of Microsoft SQL Server, use the following parameters:</p>
<ul>
<li><p>/MANAGEMENT_SERVER</p></li>
<li><p>/MANAGEMENT_ADMINACCOUNT</p></li>
<li><p>/MANAGEMENT_WEBSITE_NAME</p></li>
<li><p>/MANAGEMENT_WEBSITE_PORT</p></li>
<li><p>/DB_PREDEPLOY_MANAGEMENT</p></li>
<li><p>/MANAGEMENT_DB_CUSTOM_SQLINSTANCE</p></li>
<li><p>/MANAGEMENT_DB_NAME</p></li>
</ul>
<p>Using a custom instance of Microsoft SQL Server example:</p>
<p>/appv_server_setup.exe /QUIET</p>
<p>/MANAGEMENT_SERVER</p>
<p>/MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”</p>
<p>/MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”</p>
<p>/MANAGEMENT_WEBSITE_PORT=”8080”</p>
<p>/DB_PREDEPLOY_MANAGEMENT</p>
<p>/MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”</p>
<p>/MANAGEMENT_DB_NAME=”AppVManagement”</p></td>
</tr>
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>To Install the Management server using an existing Management database on a local machine.</p></td>
<td align="left"><p>To use the default instance of Microsoft SQL Server, use the following parameters:</p>
<ul>
<li><p>/MANAGEMENT_SERVER</p></li>
<li><p>/MANAGEMENT_ADMINACCOUNT</p></li>
<li><p>/MANAGEMENT_WEBSITE_NAME</p></li>
<li><p>/MANAGEMENT_WEBSITE_PORT</p></li>
<li><p>/EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL</p></li>
<li><p>/EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT</p></li>
<li><p>/EXISTING_MANAGEMENT_DB_NAME</p></li>
</ul>
<p>To use a custom instance of Microsoft SQL Server, use these parameters:</p>
<ul>
<li><p>/MANAGEMENT_SERVER</p></li>
<li><p>/MANAGEMENT_ADMINACCOUNT</p></li>
<li><p>/MANAGEMENT_WEBSITE_NAME</p></li>
<li><p>/MANAGEMENT_WEBSITE_PORT</p></li>
<li><p>/EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL</p></li>
<li><p>/EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE</p></li>
<li><p>/EXISTING_MANAGEMENT_DB_NAME</p></li>
</ul>
<p>Using a custom instance of Microsoft SQL Server example:</p>
<p>/appv_server_setup.exe /QUIET</p>
<p>/MANAGEMENT_SERVER</p>
<p>/MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”</p>
<p>/MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”</p>
<p>/MANAGEMENT_WEBSITE_PORT=”8080”</p>
<p>/EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL</p>
<p>/EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE =”SqlInstanceName”</p>
<p>/EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”</p></td>
</tr>
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>To install the Management server using an existing Management database on a remote machine.</p></td>
<td align="left"><p>To use the default instance of Microsoft SQL Server, use the following parameters:</p>
<ul>
<li><p>/MANAGEMENT_SERVER</p></li>
<li><p>/MANAGEMENT_ADMINACCOUNT</p></li>
<li><p>/MANAGEMENT_WEBSITE_NAME</p></li>
<li><p>/MANAGEMENT_WEBSITE_PORT</p></li>
<li><p>/EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME</p></li>
<li><p>/EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT</p></li>
<li><p>/EXISTING_MANAGEMENT_DB_NAME</p></li>
</ul>
<p>To use a custom instance of Microsoft SQL Server, use these parameters:</p>
<ul>
<li><p>/MANAGEMENT_SERVER</p></li>
<li><p>/MANAGEMENT_ADMINACCOUNT</p></li>
<li><p>/MANAGEMENT_WEBSITE_NAME</p></li>
<li><p>/MANAGEMENT_WEBSITE_PORT</p></li>
<li><p>/EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME</p></li>
<li><p>/EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE</p></li>
<li><p>/EXISTING_MANAGEMENT_DB_NAME</p></li>
</ul>
<p>Using a custom instance of Microsoft SQL Server example:</p>
<p>/appv_server_setup.exe /QUIET</p>
<p>/MANAGEMENT_SERVER</p>
<p>/MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”</p>
<p>/MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”</p>
<p>/MANAGEMENT_WEBSITE_PORT=”8080”</p>
<p>/EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME=”SqlServermachine.domainName”</p>
<p>/EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE =”SqlInstanceName”</p>
<p>/EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”</p></td>
</tr>
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>To Install the Management database and the Management Server on the same computer.</p></td>
<td align="left"><p>To use the default instance of Microsoft SQL Server, use the following parameters:</p>
<ul>
<li><p>/DB_PREDEPLOY_MANAGEMENT</p></li>
<li><p>/MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT</p></li>
<li><p>/MANAGEMENT_DB_NAME</p></li>
<li><p>/MANAGEMENT_SERVER_MACHINE_USE_LOCAL</p></li>
<li><p>/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT</p></li>
</ul>
<p>To use a custom instance of Microsoft SQL Server, use these parameters:</p>
<ul>
<li><p>/DB_PREDEPLOY_MANAGEMENT</p></li>
<li><p>/MANAGEMENT_DB_CUSTOM_SQLINSTANCE</p></li>
<li><p>/MANAGEMENT_DB_NAME</p></li>
<li><p>/MANAGEMENT_SERVER_MACHINE_USE_LOCAL</p></li>
<li><p>/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT</p></li>
</ul>
<p>Using a custom instance of Microsoft SQL Server example:</p>
<p>/appv_server_setup.exe /QUIET</p>
<p>/DB_PREDEPLOY_MANAGEMENT</p>
<p>/MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”</p>
<p>/MANAGEMENT_DB_NAME=”AppVManagement”</p>
<p>/MANAGEMENT_SERVER_MACHINE_USE_LOCAL</p>
<p>/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”</p></td>
</tr>
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>To install the Management database on a different computer than the Management server.</p></td>
<td align="left"><p>To use the default instance of Microsoft SQL Server, use the following parameters:</p>
<ul>
<li><p>/DB_PREDEPLOY_MANAGEMENT</p></li>
<li><p>/MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT</p></li>
<li><p>/MANAGEMENT_DB_NAME</p></li>
<li><p>/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT</p></li>
<li><p>/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT</p></li>
</ul>
<p>To use a custom instance of Microsoft SQL Server, use these parameters:</p>
<ul>
<li><p>/DB_PREDEPLOY_MANAGEMENT</p></li>
<li><p>/MANAGEMENT_DB_CUSTOM_SQLINSTANCE</p></li>
<li><p>/MANAGEMENT_DB_NAME</p></li>
<li><p>/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT</p></li>
<li><p>/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT</p></li>
</ul>
<p>Using a custom instance of Microsoft SQL Server example:</p>
<p>/appv_server_setup.exe /QUIET</p>
<p>/DB_PREDEPLOY_MANAGEMENT</p>
<p>/MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”</p>
<p>/MANAGEMENT_DB_NAME=”AppVManagement”</p>
<p>/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”Domain\MachineAccount”</p>
<p>/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”</p></td>
</tr>
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>To Install the publishing server.</p></td>
<td align="left"><p>To use the default instance of Microsoft SQL Server, use the following parameters:</p>
<ul>
<li><p>/PUBLISHING_SERVER</p></li>
<li><p>/PUBLISHING_MGT_SERVER</p></li>
<li><p>/PUBLISHING_WEBSITE_NAME</p></li>
<li><p>/PUBLISHING_WEBSITE_PORT</p></li>
</ul>
<p>Using a custom instance of Microsoft SQL Server example:</p>
<p>/appv_server_setup.exe /QUIET</p>
<p>/PUBLISHING_SERVER</p>
<p>/PUBLISHING_MGT_SERVER=”http://ManagementServerName:ManagementPort”</p>
<p>/PUBLISHING_WEBSITE_NAME=”Microsoft AppV Publishing Service”</p>
<p>/PUBLISHING_WEBSITE_PORT=”8081”</p></td>
</tr>
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>To Install the Reporting server and Reporting database on a local machine.</p></td>
<td align="left"><p>To use the default instance of Microsoft SQL Server, use the following parameters:</p>
<ul>
<li><p>/REPORTING _SERVER</p></li>
<li><p>/REPORTING _WEBSITE_NAME</p></li>
<li><p>/REPORTING _WEBSITE_PORT</p></li>
<li><p>/DB_PREDEPLOY_REPORTING</p></li>
<li><p>/REPORTING _DB_SQLINSTANCE_USE_DEFAULT</p></li>
<li><p>/REPORTING _DB_NAME</p></li>
</ul>
<p>To use a custom instance of Microsoft SQL Server, use these parameters:</p>
<ul>
<li><p>/REPORTING _SERVER</p></li>
<li><p>/REPORTING _ADMINACCOUNT</p></li>
<li><p>/REPORTING _WEBSITE_NAME</p></li>
<li><p>/REPORTING _WEBSITE_PORT</p></li>
<li><p>/DB_PREDEPLOY_REPORTING</p></li>
<li><p>/REPORTING _DB_CUSTOM_SQLINSTANCE</p></li>
<li><p>/REPORTING _DB_NAME</p></li>
</ul>
<p>Using a custom instance of Microsoft SQL Server example:</p>
<ul>
<li><p>/appv_server_setup.exe /QUIET</p></li>
<li><p>/REPORTING_SERVER</p></li>
<li><p>/REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”</p></li>
<li><p>/REPORTING_WEBSITE_PORT=”8082”</p></li>
<li><p>/DB_PREDEPLOY_REPORTING</p></li>
<li><p>/REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”</p></li>
<li><p>/REPORTING_DB_NAME=”AppVReporting”</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>To Install the Reporting server and using an existing Reporting database on a local machine.</p></td>
<td align="left"><p>To use the default instance of Microsoft SQL Server, use the following parameters:</p>
<ul>
<li><p>/REPORTING _SERVER</p></li>
<li><p>/REPORTING _WEBSITE_NAME</p></li>
<li><p>/REPORTING _WEBSITE_PORT</p></li>
<li><p>/EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL</p></li>
<li><p>/EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT</p></li>
<li><p>/EXISTING_REPORTING _DB_NAME</p></li>
</ul>
<p>To use a custom instance of Microsoft SQL Server, use these parameters:</p>
<ul>
<li><p>/REPORTING _SERVER</p></li>
<li><p>/REPORTING _ADMINACCOUNT</p></li>
<li><p>/REPORTING _WEBSITE_NAME</p></li>
<li><p>/REPORTING _WEBSITE_PORT</p></li>
<li><p>/EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL</p></li>
<li><p>/EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE</p></li>
<li><p>/EXISTING_REPORTING _DB_NAME</p></li>
</ul>
<p>Using a custom instance of Microsoft SQL Server example:</p>
<p>/appv_server_setup.exe /QUIET</p>
<p>/REPORTING_SERVER</p>
<p>/REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”</p>
<p>/REPORTING_WEBSITE_PORT=”8082”</p>
<p>/EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL</p>
<p>/EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”</p>
<p>/EXITING_REPORTING_DB_NAME=”AppVReporting”</p></td>
</tr>
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>To Install the Reporting server using an existing Reporting database on a remote machine.</p></td>
<td align="left"><p>To use the default instance of Microsoft SQL Server, use the following parameters:</p>
<ul>
<li><p>/REPORTING _SERVER</p></li>
<li><p>/REPORTING _WEBSITE_NAME</p></li>
<li><p>/REPORTING _WEBSITE_PORT</p></li>
<li><p>/EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME</p></li>
<li><p>/EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT</p></li>
<li><p>/EXISTING_REPORTING _DB_NAME</p></li>
</ul>
<p>To use a custom instance of Microsoft SQL Server, use these parameters:</p>
<ul>
<li><p>/REPORTING _SERVER</p></li>
<li><p>/REPORTING _ADMINACCOUNT</p></li>
<li><p>/REPORTING _WEBSITE_NAME</p></li>
<li><p>/REPORTING _WEBSITE_PORT</p></li>
<li><p>/EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME</p></li>
<li><p>/EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE</p></li>
<li><p>/EXISTING_REPORTING _DB_NAME</p></li>
</ul>
<p>Using a custom instance of Microsoft SQL Server example:</p>
<p>/appv_server_setup.exe /QUIET</p>
<p>/REPORTING_SERVER</p>
<p>/REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”</p>
<p>/REPORTING_WEBSITE_PORT=”8082”</p>
<p>/EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME=”SqlServerMachine.DomainName”</p>
<p>/EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”</p>
<p>/EXITING_REPORTING_DB_NAME=”AppVReporting”</p></td>
</tr>
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>To install the Reporting database on the same computer as the Reporting server.</p></td>
<td align="left"><p>To use the default instance of Microsoft SQL Server, use the following parameters:</p>
<ul>
<li><p>/DB_PREDEPLOY_REPORTING</p></li>
<li><p>/REPORTING _DB_SQLINSTANCE_USE_DEFAULT</p></li>
<li><p>/REPORTING _DB_NAME</p></li>
<li><p>/REPORTING_SERVER_MACHINE_USE_LOCAL</p></li>
<li><p>/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT</p></li>
</ul>
<p>To use a custom instance of Microsoft SQL Server, use these parameters:</p>
<ul>
<li><p>/DB_PREDEPLOY_REPORTING</p></li>
<li><p>/REPORTING _DB_CUSTOM_SQLINSTANCE</p></li>
<li><p>/REPORTING _DB_NAME</p></li>
<li><p>/REPORTING_SERVER_MACHINE_USE_LOCAL</p></li>
<li><p>/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT</p></li>
</ul>
<p>Using a custom instance of Microsoft SQL Server example:</p>
<p>/appv_server_setup.exe /QUIET</p>
<p>/DB_PREDEPLOY_REPORTING</p>
<p>/REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”</p>
<p>/REPORTING_DB_NAME=”AppVReporting”</p>
<p>/REPORTING_SERVER_MACHINE_USE_LOCAL</p>
<p>/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”</p></td>
</tr>
</tbody>
</table>
 
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>To install the Reporting database on a different computer than the Reporting server.</p></td>
<td align="left"><p>To use the default instance of Microsoft SQL Server, use the following parameters:</p>
<ul>
<li><p>/DB_PREDEPLOY_REPORTING</p></li>
<li><p>/REPORTING _DB_SQLINSTANCE_USE_DEFAULT</p></li>
<li><p>/REPORTING _DB_NAME</p></li>
<li><p>/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT</p></li>
<li><p>/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT</p></li>
</ul>
<p>To use a custom instance of Microsoft SQL Server, use these parameters:</p>
<ul>
<li><p>/DB_PREDEPLOY_REPORTING</p></li>
<li><p>/REPORTING _DB_CUSTOM_SQLINSTANCE</p></li>
<li><p>/REPORTING _DB_NAME</p></li>
<li><p>/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT</p></li>
<li><p>/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT</p></li>
</ul>
<p>Using a custom instance of Microsoft SQL Server example:</p>
<p>/appv_server_setup.exe /QUIET</p>
<p>/DB_PREDEPLOY_REPORTING</p>
<p>/REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”</p>
<p>/REPORTING_DB_NAME=”AppVReporting”</p>
<p>/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT=”Domain\MachineAccount”</p>
<p>/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”</p></td>
</tr>
</tbody>
</table>
 
**Parameter Definitions**
**General Parameters**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>/QUIET</p></td>
<td align="left"><p>Specifies silent install.</p></td>
</tr>
<tr class="even">
<td align="left"><p>/UNINSTALL</p></td>
<td align="left"><p>Specifies an uninstall.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/LAYOUT</p></td>
<td align="left"><p>Specifies layout action. This extracts the MSIs and script files to a folder without actually installing the product. No value is expected.</p></td>
</tr>
<tr class="even">
<td align="left"><p>/LAYOUTDIR</p></td>
<td align="left"><p>Specifies the layout directory. Takes a string. For example, /LAYOUTDIR=”C:\Application Virtualization Server”</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/INSTALLDIR</p></td>
<td align="left"><p>Specifies the installation directory. Takes a string. E.g. /INSTALLDIR=”C:\Program Files\Application Virtualization\Server”</p></td>
</tr>
<tr class="even">
<td align="left"><p>/MUOPTIN</p></td>
<td align="left"><p>Enables Microsoft Update. No value is expected</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/ACCEPTEULA</p></td>
<td align="left"><p>Accepts the license agreement. This is required for an unattended installation. Example usage: <strong>/ACCEPTEULA</strong> or <strong>/ACCEPTEULA=1</strong>.</p></td>
</tr>
</tbody>
</table>
 
**Management Server Installation Parameters**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>/MANAGEMENT_SERVER</p></td>
<td align="left"><p>Specifies that the management server will be installed. No value is expected</p></td>
</tr>
<tr class="even">
<td align="left"><p>/MANAGEMENT_ADMINACCOUNT</p></td>
<td align="left"><p>Specifies the account that will be allowed to Administrator access to the management server This account can be an individual user account or a group. Example usage: <strong>/MANAGEMENT_ADMINACCOUNT=”mydomain\admin”</strong>. If <strong>/MANAGEMENT_SERVER</strong> is not specified, this will be ignored. Specifies the account that will be allowed to Administrator access to the management server. This can be a user account or a group. For example, <strong>/MANAGEMENT_ADMINACCOUNT=&quot;mydomain\admin&quot;</strong>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/MANAGEMENT_WEBSITE_NAME</p></td>
<td align="left"><p>Specifies name of the website that will be created for the management service. For example, /MANAGEMENT_WEBSITE_NAME=”Microsoft App-V Management Service”</p></td>
</tr>
<tr class="even">
<td align="left"><p>MANAGEMENT_WEBSITE_PORT</p></td>
<td align="left"><p>Specifies the port number that will be used by the management service will use. For example, /MANAGEMENT_WEBSITE_PORT=82.</p></td>
</tr>
</tbody>
</table>
 
**Parameters for the Management Server Database**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>/DB_PREDEPLOY_MANAGEMENT</p></td>
<td align="left"><p>Specifies that the management database will be installed. You must have sufficient database permissions to complete this installation. No value is expected</p></td>
</tr>
<tr class="even">
<td align="left"><p>/MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT</p></td>
<td align="left"><p>Indicates that the default SQL instance should be used. No value is expected.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/MANAGEMENT_DB_ CUSTOM_SQLINSTANCE</p></td>
<td align="left"><p>Specifies the name of the custom SQL instance that should be used to create a new database. Example usage: <strong>/MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”MYSQLSERVER”</strong>. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored.</p></td>
</tr>
<tr class="even">
<td align="left"><p>/MANAGEMENT_DB_NAME</p></td>
<td align="left"><p>Specifies the name of the new management database that should be created. Example usage: <strong>/MANAGEMENT_DB_NAME=”AppVMgmtDB”</strong>. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/MANAGEMENT_SERVER_MACHINE_USE_LOCAL</p></td>
<td align="left"><p>Indicates if the management server that will be accessing the database is installed on the local server. Switch parameter so no value is expected.</p></td>
</tr>
<tr class="even">
<td align="left"><p>/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT</p></td>
<td align="left"><p>Specifies the machine account of the remote machine that the management server will be installed on. Example usage: <strong>/MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”domain\computername”</strong></p></td>
</tr>
<tr class="odd">
<td align="left"><p>/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT</p></td>
<td align="left"><p>Indicates the Administrator account that will be used to install the management server. Example usage: <strong>/MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT =”domain\alias”</strong></p></td>
</tr>
</tbody>
</table>
 
**Parameters for Installing Publishing Server**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>/PUBLISHING_SERVER</p></td>
<td align="left"><p>Specifies that the Publishing Server will be installed. No value is expected</p></td>
</tr>
<tr class="even">
<td align="left"><p>/PUBLISHING_MGT_SERVER</p></td>
<td align="left"><p>Specifies the URL to Management Service the Publishing server will connect to. Example usage: <strong>http://&lt;management server name&gt;:&lt;Management server port number&gt;</strong>. If /PUBLISHING_SERVER is not used, this parameter will be ignored</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/PUBLISHING_WEBSITE_NAME</p></td>
<td align="left"><p>Specifies name of the website that will be created for the publishing service. For example, /PUBLISHING_WEBSITE_NAME=”Microsoft App-V Publishing Service”</p></td>
</tr>
<tr class="even">
<td align="left"><p>/PUBLISHING_WEBSITE_PORT</p></td>
<td align="left"><p>Specifies the port number used by the publishing service. For example, /PUBLISHING_WEBSITE_PORT=83</p></td>
</tr>
</tbody>
</table>
 
**Parameters for Reporting Server**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>/REPORTING_SERVER</p></td>
<td align="left"><p>Specifies that the Reporting Server will be installed. No value is expected</p></td>
</tr>
<tr class="even">
<td align="left"><p>/REPORTING_WEBSITE_NAME</p></td>
<td align="left"><p>Specifies name of the website that will be created for the Reporting Service. E.g. /REPORTING_WEBSITE_NAME=&quot;Microsoft App-V ReportingService&quot;</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/REPORTING_WEBSITE_PORT</p></td>
<td align="left"><p>Specifies the port number that the Reporting Service will use. E.g. /REPORTING_WEBSITE_PORT=82</p></td>
</tr>
</tbody>
</table>
 
**Parameters for using an Existing Reporting Server Database**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>/EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL</p></td>
<td align="left"><p>Indicates that the Microsoft SQL Server is installed on the local server. Switch parameter so no value is expected.</p></td>
</tr>
<tr class="even">
<td align="left"><p>/EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME</p></td>
<td align="left"><p>Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_REPORTING_DB_ REMOTE_SQL_SERVER_NAME=&quot;mycomputer1&quot;</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/EXISTING_ REPORTING _DB_SQLINSTANCE_USE_DEFAULT</p></td>
<td align="left"><p>Indicates that the default SQL instance is to be used. Switch parameter so no value is expected.</p></td>
</tr>
<tr class="even">
<td align="left"><p>/EXISTING_ REPORTING_DB_CUSTOM_SQLINSTANCE</p></td>
<td align="left"><p>Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /EXISTING_REPORTING_DB_ CUSTOM_SQLINSTANCE=&quot;MYSQLSERVER&quot;</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/EXISTING_ REPORTING _DB_NAME</p></td>
<td align="left"><p>Specifies the name of the existing Reporting database that should be used. Takes a string. E.g. /EXISITING_REPORTING_DB_NAME=&quot;AppVReporting&quot;</p></td>
</tr>
</tbody>
</table>
 
**Parameters for installing Reporting Server Database**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>/DB_PREDEPLOY_REPORTING</p></td>
<td align="left"><p>Specifies that the Reporting Database will be installed. DBA permissions are required for this installation. No value is expected</p></td>
</tr>
<tr class="even">
<td align="left"><p>/REPORTING_DB_SQLINSTANCE_USE_DEFAULT</p></td>
<td align="left"><p>Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /REPORTING_DB_ CUSTOM_SQLINSTANCE=&quot;MYSQLSERVER&quot;</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/REPORTING_DB_NAME</p></td>
<td align="left"><p>Specifies the name of the new Reporting database that should be created. Takes a string. E.g. /REPORTING_DB_NAME=&quot;AppVMgmtDB&quot;</p></td>
</tr>
<tr class="even">
<td align="left"><p>/REPORTING_SERVER_MACHINE_USE_LOCAL</p></td>
<td align="left"><p>Indicates that the Reporting server that will be accessing the database is installed on the local server. Switch parameter so no value is expected.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT</p></td>
<td align="left"><p>Specifies the machine account of the remote machine that the Reporting server will be installed on. Takes a string. E.g. /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT = &quot;domain\computername&quot;</p></td>
</tr>
<tr class="even">
<td align="left"><p>/REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT</p></td>
<td align="left"><p>Indicates the Administrator account that will be used to install the App-V Reporting Server. Takes a string. E.g. /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT = &quot;domain\alias&quot;</p></td>
</tr>
</tbody>
</table>
 
**Parameters for using an existing Management Server Database**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">Information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>/EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL</p></td>
<td align="left"><p>Indicates that the SQL Server is installed on the local server. Switch parameter so no value is expected.If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.</p></td>
</tr>
<tr class="even">
<td align="left"><p>/EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME</p></td>
<td align="left"><p>Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_MANAGEMENT_DB_ REMOTE_SQL_SERVER_NAME=&quot;mycomputer1&quot;</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/EXISTING_ MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT</p></td>
<td align="left"><p>Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.</p></td>
</tr>
<tr class="even">
<td align="left"><p>/EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE</p></td>
<td align="left"><p>Specifies the name of the custom SQL instance that will be used. Example usage <strong>/EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”AppVManagement”</strong>. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>/EXISTING_MANAGEMENT_DB_NAME</p></td>
<td align="left"><p>Specifies the name of the existing management database that should be used. Example usage: <strong>/EXISITING_MANAGEMENT_DB_NAME=”AppVMgmtDB”</strong>. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.</p>
<p></p>
<p><strong>Have a suggestion for App-V</strong>? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). <strong>Got an App-V issue?</strong> Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Deploying the App-V Server](appv-deploying-the-appv-server.md)
 
 

116
windows/manage/appv-deploy-the-appv-server.md Normal file
View File

@ -0,0 +1,116 @@
---
title: How to Deploy the App-V Server (Windows 10)
description: How to Deploy the App-V Server
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# How to Deploy the App-V server
Use the following procedure to install the App-V server..
**Before you start:**
- Ensure that youve installed prerequisite software. See [App-V Prerequisites](appv-prerequisites.md).
- Review the server section of [App-V security considerations](appv-security-considerations.md).
- Specify a port where each component will be hosted.
- Add firewall rules to allow incoming requests to access the specified ports.
- If you use SQL scripts, instead of the Windows Installer, to set up the Management database or Reporting database, you must run the SQL scripts before installing the Management Server or Reporting Server. See [How to Deploy the App-V Databases by Using SQL Scripts](appv-deploy-appv-databases-with-sql-scripts.md).
**To install the App-V server**
1. Copy the App-V server installation files to the computer on which you want to install it.
2. Start the App-V server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**.
3. Review and accept the license terms, and choose whether to enable Microsoft updates.
4. On the **Feature Selection** page, select all of the following components.
| Component | Description |
| - | - |
| Management server | Provides overall management functionality for the App-V infrastructure. |
| Management database | Facilitates database predeployments for App-V management. |
| Publishing server | Provides hosting and streaming functionality for virtual applications. |
| Reporting server | Provides App-V reporting services. |
| Reporting database | Facilitates database predeployments for App-V reporting. |
5. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line.
6. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below.
| Method | What you need to do |
| - | - |
| You are using a custom Microsoft SQL Server instance. | Select **Use the custom instance**, and type the name of the instance.<br/>Use the format **INSTANCENAME**. The assumed installation location is the local computer.<br/>Not supported: A server name using the format **ServerName**\\**INSTANCE**.|
| You are using a custom database name. | Select **Custom configuration** and type the database name.<br/>The database name must be unique, or the installation will fail.|
7. On the **Configure** page, accept the default value **Use this local computer**.
> [!NOTE]
> If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed.
8. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below.
| Method | What you need to do |
| - | - |
| You are using a custom Microsoft SQL Server instance. | Select **Use the custom instance**, and type the name of the instance.<br/>Use the format **INSTANCENAME**. The assumed installation location is the local computer.<br/>Not supported: A server name using the format **ServerName**\\**INSTANCE**.|
| You are using a custom database name. | Select **Custom configuration** and type the database name.<br/>The database name must be unique, or the installation will fail.|
9. On the **Configure** page, accept the default value: **Use this local computer**.
> [!NOTE]
> If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed.
10. On the **Configure** (Management Server Configuration) page, specify the following:
| Item to configure | Description and examples |
| - | - |
Type the AD group with sufficient permissions to manage the App-V environment. | Example: MyDomain\MyUser<br/>After installation, you can add additional users or groups by using the Management console. However, global security groups and Active Directory Domain Services (AD DS) distribution groups are not supported. You must use <strong>Domain local</strong> or <strong>Universal</strong> groups are required to perform this action.|
| **Website name**: Specify the custom name that will be used to run the publishing service.<br/>If you do not have a custom name, do not make any changes.|
|**Port binding**: Specify a unique port number that will be used by App-V. | Example: **12345**<br/>Ensure that the port specified is not being used by another website. |
11. On the **Configure Publishing Server Configuration** page, specify the following:
| Item to configure | Description and examples |
| - | - |
| Specify the URL for the management service. | Example: http://localhost:12345 |
| **Website name**: Specify the custom name that will be used to run the publishing service.| If you do not have a custom name, do not make any changes. |
| **Port binding**: Specify a unique port number that will be used by App-V. | Example: 54321<br/>Ensure that the port specified is not being used by another website. |
12. On the **Reporting Server** page, specify the following:
| Item to configure | Description and examples |
| - | - |
| **Website name**: Specify the custom name that will be used to run the Reporting Service. | If you do not have a custom name, do not make any changes. |
| **Port binding**: Specify a unique port number that will be used by App-V. | Example: 55555<br/>Ensure that the port specified is not being used by another website. |
13. To start the installation, click **Install** on the **Ready** page, and then click **Close** on the **Finished** page.
14. To verify that the setup completed successfully, open a web browser, and type the following URL:
**http://\<_Management server machine name_\>:\<_Management service port number_\>/console.html**.
Example: **http://localhost:12345/console.html**. If the installation succeeded, the App-V Management console is displayed with no errors.
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related topics
- [Deploying App-V](appv-deploying-appv.md)
- [How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](appv-install-the-management-and-reporting-databases-on-separate-computers.md)
- [How to Install the Publishing Server on a Remote Computer](appv-install-the-publishing-server-on-a-remote-computer.md)
- [How to Deploy the App-V Server Using a Script](appv-deploy-the-appv-server-with-a-script.md)

47
windows/manage/appv-deploying-appv.md Normal file
View File

@ -0,0 +1,47 @@
---
title: Deploying App-V (Windows 10)
description: Deploying App-V
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# Deploying App-V
App-V supports a number of different deployment options. This section of the App-V Administrators Guide includes information you should consider about the deployment of App-V and step-by-step procedures to help you successfully perform the tasks that you must complete at different stages of your deployment.
## App-V Deployment Information
- [Deploying the App-V Sequencer and Client](appv-deploying-the-appv-sequencer-and-client.md)
This section describes how to install the App-V sequencer which is used to virtualize applications, and the App-V client which runs on target computers to facilitate virtualized packages.
- [Deploying the App-V Server](appv-deploying-the-appv-server.md)
This section provides information about installing the App-V management, publishing, database and reporting severs.
- [App-V Deployment Checklist](appv-deployment-checklist.md)
This section provides a deployment checklist that can be used to assist with installing App-V.
## Other Resources for Deploying App-V
- [Application Virtualization (App-V) overview](appv-for-windows.md)
- [Getting Started with App-V](appv-getting-started.md)
- [Planning for App-V](appv-planning-for-appv.md)
- [Operations for App-V](appv-operations.md)
- [Troubleshooting App-V](appv-troubleshooting.md)
- [Technical Reference for App-V](appv-technical-reference.md)
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).

293
windows/manage/appv-deploying-microsoft-office-2010-wth-appv.md Normal file
View File

@ -0,0 +1,293 @@
---
title: Deploying Microsoft Office 2010 by Using App-V (Windows 10)
description: Deploying Microsoft Office 2010 by Using App-V
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# Deploying Microsoft Office 2010 by Using App-V
You can create Office 2010 packages for Microsoft Application Virtualization (App-V) using one of the following methods:
- Application Virtualization (App-V) Sequencer
- Application Virtualization (App-V) Package Accelerator
## App-V support for Office 2010
The following table shows the App-V versions, methods of Office package creation, supported licensing, and supported deployments for Office 2010.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Supported item</th>
<th align="left">Level of support</th>
</tr>
</thead>
<tbody>
<tr class="even">
<td align="left"><p>Package creation</p></td>
<td align="left"><ul>
<li><p>Sequencing</p></li>
<li><p>Package Accelerator</p></li>
<li><p>Office Deployment Kit</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>Supported licensing</p></td>
<td align="left"><p>Volume Licensing</p></td>
</tr>
<tr class="even">
<td align="left"><p>Supported deployments</p></td>
<td align="left"><ul>
<li><p>Desktop</p></li>
<li><p>Personal VDI</p></li>
<li><p>RDS</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
## Creating Office 2010 App-V using the sequencer
Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. Microsoft has provided a detailed recipe through a Knowledge Base article. To create an Office 2010 package on App-V, refer to the following link for detailed instructions:
[How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330676)
## Creating Office 2010 App-V packages using package accelerators
Office 2010 App-V packages can be created through package accelerators. Microsoft has provided package accelerators for creating Office 2010 on Windows 10, Windows 8 and Windows 7. To create Office 2010 packages on App-V using Package accelerators, refer to the following pages to access the appropriate package accelerator:
- [App-V 5.0 Package Accelerator for Office Professional Plus 2010 Windows 8](http://go.microsoft.com/fwlink/p/?LinkId=330677)
- [App-V 5.0 Package Accelerator for Office Professional Plus 2010 Windows 7](http://go.microsoft.com/fwlink/p/?LinkId=330678)
For detailed instructions on how to create virtual application packages using App-V package accelerators, see [How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md).
## Deploying the Microsoft Office package for App-V
You can deploy Office 2010 packages by using any of the following App-V deployment methods:
- System Center Configuration Manager
- App-V server
- Stand-alone through PowerShell commands
## Office App-V package management and customization
Office 2010 packages can be managed like any other App-V packages through known package management mechanisms. No special instructions are needed, for example, to add, publish, unpublish, or remove Office packages.
## Microsoft Office integration with Windows
The following table provides a full list of supported integration points for Office 2010.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Extension Point</th>
<th align="left">Description</th>
<th align="left">Office 2010</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Lync meeting Join Plug-in for Firefox and Chrome</p></td>
<td align="left"><p>User can join Lync meetings from Firefox and Chrome</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>Sent to OneNote Print Driver</p></td>
<td align="left"><p>User can print to OneNote</p></td>
<td align="left"><p>Yes</p></td>
</tr>
<tr class="odd">
<td align="left"><p>OneNote Linked Notes</p></td>
<td align="left"><p>OneNote Linked Notes</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>Send to OneNote Internet Explorer Add-In</p></td>
<td align="left"><p>User can send to OneNote from IE</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>Firewall Exception for Lync and Outlook</p></td>
<td align="left"><p>Firewall Exception for Lync and Outlook</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>MAPI Client</p></td>
<td align="left"><p>Native apps and add-ins can interact with virtual Outlook through MAPI</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>SharePoint Plugin for Firefox</p></td>
<td align="left"><p>User can use SharePoint features in Firefox</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>Mail Control Panel Applet</p></td>
<td align="left"><p>User gets the mail control panel applet in Outlook</p></td>
<td align="left"><p>Yes</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Primary Interop Assemblies</p></td>
<td align="left"><p>Support managed add-ins</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>Office Document Cache Handler</p></td>
<td align="left"><p>Allows Document Cache for Office applications</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>Outlook Protocol Search handler</p></td>
<td align="left"><p>User can search in outlook</p></td>
<td align="left"><p>Yes</p></td>
</tr>
<tr class="even">
<td align="left"><p>Active X Controls:</p></td>
<td align="left"><p>For more information on ActiveX controls, refer to [ActiveX Control API Reference](http://go.microsoft.com/fwlink/p/?LinkId=331361).</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>   Groove.SiteClient</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>   PortalConnect.PersonalSite</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>   SharePoint.openDocuments</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>   SharePoint.ExportDatabase</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>   SharePoint.SpreadSheetLauncher</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>   SharePoint.StssyncHander</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>   SharePoint.DragUploadCtl</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>   SharePoint.DragDownloadCtl</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>   Sharpoint.OpenXMLDocuments</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>   Sharepoint.ClipboardCtl</p></td>
<td align="left"><p>Active X control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>   WinProj.Activator</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>   Name.NameCtrl</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>   STSUPld.CopyCtl</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>   CommunicatorMeetingJoinAx.JoinManager</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>   LISTNET.Listnet</p></td>
<td align="left"><p>Active X Control</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="even">
<td align="left"><p>   OneDrive Pro Browser Helper</p></td>
<td align="left"><p>Active X Control]</p></td>
<td align="left"><p></p></td>
</tr>
<tr class="odd">
<td align="left"><p>OneDrive Pro Icon Overlays</p></td>
<td align="left"><p>Windows explorer shell icon overlays when users look at folders OneDrive Pro folders</p></td>
<td align="left"><p></p></td>
</tr>
</tbody>
</table>
 
## Additional resources
**Office 2013 App-V Packages Additional Resources**
[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](http://go.microsoft.com/fwlink/p/?LinkId=330680)
**Office 2010 App-V Packages**
[Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330681)
[Known issues when you create or use an App-V 5.0 Office 2010 package](http://go.microsoft.com/fwlink/p/?LinkId=330682)
[How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330676)
**Connection Groups**
[Deploying Connection Groups in Microsoft App-V v5](http://go.microsoft.com/fwlink/p/?LinkId=330683)
[Managing Connection Groups](appv-managing-connection-groups.md)
**Dynamic Configuration**
[About App-V Dynamic Configuration](appv-dynamic-configuration.md)
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).

895
windows/manage/appv-deploying-microsoft-office-2013-with-appv.md Normal file
View File

@ -0,0 +1,895 @@
---
title: Deploying Microsoft Office 2013 by Using App-V (Windows 10)
description: Deploying Microsoft Office 2013 by Using App-V
author: MaggiePucciEvans
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
---
# Deploying Microsoft Office 2013 by Using App-V
Use the information in this article to use Microsoft Application Virtualization (App-V), or later versions, to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V.
This topic contains the following sections:
- [What to know before you start](#bkmk-before-you-start)
- [Creating an Office 2013 package for App-V with the Office Deployment Tool](#bkmk-create-office-pkg)
- [Publishing the Office package for App-V](#bkmk-pub-pkg-office)
- [Customizing and managing Office App-V packages](#bkmk-custmz-manage-office-pkgs)
## <a href="" id="bkmk-before-you-start"></a>What to know before you start
Before you deploy Office 2013 by using App-V, review the following planning information.
### <a href="" id="bkmk-supp-vers-coexist"></a>Supported Office versions and Office coexistence
Use the following table to get information about supported versions of Office and about running coexisting versions of Office.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Information to review</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Planning for Using App-V with Office](appv-planning-for-using-appv-with-office.md#bkmk-office-vers-supp-appv)</p></td>
<td align="left"><ul>
<li><p>Supported versions of Office</p></li>
<li><p>Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)</p></li>
<li><p>Office licensing options</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>[Planning for Using App-V with Office](appv-planning-for-using-appv-with-office.md#bkmk-plan-coexisting)</p></td>
<td align="left"><p>Considerations for installing different versions of Office on the same computer</p></td>
</tr>
</tbody>
</table>
 
### <a href="" id="bkmk-pkg-pub-reqs"></a>Packaging, publishing, and deployment requirements
Before you deploy Office by using App-V, review the following requirements.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Task</th>
<th align="left">Requirement</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Packaging</p></td>
<td align="left"><ul>
<li><p>All of the Office applications that you want to deploy to users must be in a single package.</p></li>
<li><p>In App-V and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.</p></li>
<li><p>If you are deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#bkmk-deploy-visio-project).</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Publishing</p></td>
<td align="left"><ul>
<li><p>You can publish only one Office package to each client computer.</p></li>
<li><p>You must publish the Office package globally. You cannot publish to the user.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>Deploying any of the following products to a shared computer, for example, by using Remote Desktop Services:</p>
<ul>
<li><p>Office 365 ProPlus</p></li>
<li><p>Visio Pro for Office 365</p></li>
<li><p>Project Pro for Office 365</p></li>
</ul></td>
<td align="left"><p>You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).</p>
<p>You dont use shared computer activation if youre deploying a volume licensed product, such as:</p>
<ul>
<li><p>Office Professional Plus 2013</p></li>
<li><p>Visio Professional 2013</p></li>
<li><p>Project Professional 2013</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
### Excluding Office applications from a package
The following table describes the recommended methods for excluding specific Office applications from a package.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Task</th>
<th align="left">Details</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Use the <strong>ExcludeApp</strong> setting when you create the package by using the Office Deployment Tool.</p></td>
<td align="left"><ul>
<li><p>Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.</p></li>
<li><p>For more information, see [ExcludeApp element](http://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>Modify the DeploymentConfig.xml file</p></td>
<td align="left"><ul>
<li><p>Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.</p></li>
<li><p>For more information, see [Disabling Office 2013 applications](#bkmk-disable-office-apps).</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
## <a href="" id="bkmk-create-office-pkg"></a>Creating an Office 2013 package for App-V with the Office Deployment Tool
Complete the following steps to create an Office 2013 package for App-V or later.
**Important**  
In App-V and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages.
 
### Review prerequisites for using the Office Deployment Tool
The computer on which you are installing the Office Deployment Tool must have:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Prerequisite</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Prerequisite software</p></td>
<td align="left"><p>.Net Framework 4</p></td>
</tr>
<tr class="even">
<td align="left"><p>Supported operating systems</p></td>
<td align="left"><ul>
<li><p>64-bit version of Windows 8 or later</p></li>
<li><p>64-bit version of Windows 7</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
**Note**  
In this topic, the term “Office 2013 App-V package” refers to subscription licensing and volume licensing.
 
### Create Office 2013 App-V Packages Using Office Deployment Tool
You create Office 2013 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2013 App-V package with Volume Licensing or Subscription Licensing.
Create Office 2013 App-V packages on 64-bit Windows computers. Once created, the Office 2013 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers.
### Download the Office Deployment Tool
Office 2013 App-V Packages are created using the Office Deployment Tool, which generates an Office 2013 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation:
1. Download the [Office Deployment Tool for Click-to-Run](http://www.microsoft.com/download/details.aspx?id=36778).
2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
Example: \\\\Server\\Office2013
3. Check that a setup.exe and a configuration.xml file exist and are in the location you specified.
### Download Office 2013 applications
After you download the Office Deployment Tool, you can use it to get the latest Office 2013 applications. After getting the Office applications, you create the Office 2013 App-V package.
The XML file that is included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included.
1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications:
1. Open the sample XML file in Notepad or your favorite text editor.
2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2013 applications. The following is a basic example of the configuration.xml file:
``` syntax
<Configuration>
<Add SourcePath= \\Server\Office2013” OfficeClientEdition="32" >
<Product ID="O365ProPlusRetail ">
<Language ID="en-us" />
</Product>
<Product ID="VisioProRetail">
<Language ID="en-us" />
</Product>
</Add>
</Configuration>
```
**Note**  
The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file.
 
The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file:
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Input</th>
<th align="left">Description</th>
<th align="left">Example</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Add element</p></td>
<td align="left"><p>Specifies the products and languages to include in the package.</p></td>
<td align="left"><p>N/A</p></td>
</tr>
<tr class="even">
<td align="left"><p>OfficeClientEdition (attribute of Add element)</p></td>
<td align="left"><p>Specifies the edition of Office 2013 product to use: 32-bit or 64-bit. The operation fails if <strong>OfficeClientEdition</strong> is not set to a valid value.</p></td>
<td align="left"><p><strong>OfficeClientEdition</strong>=&quot;32&quot;</p>
<p><strong>OfficeClientEdition</strong>=&quot;64&quot;</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Product element</p></td>
<td align="left"><p>Specifies the application. Project 2013 and Visio 2013 must be specified here as an added product to be included in the applications.</p></td>
<td align="left"><p><code>Product ID =&quot;O365ProPlusRetail &quot;</code></p>
<p><code>Product ID =&quot;VisioProRetail&quot;</code></p>
<p><code>Product ID =&quot;ProjectProRetail&quot;</code></p>
<p><code>Product ID =&quot;ProPlusVolume&quot;</code></p>
<p><code>Product ID =&quot;VisioProVolume&quot;</code></p>
<p><code>Product ID = &quot;ProjectProVolume&quot;</code></p></td>
</tr>
<tr class="even">
<td align="left"><p>Language element</p></td>
<td align="left"><p>Specifies the language supported in the applications</p></td>
<td align="left"><p><code>Language ID=&quot;en-us&quot;</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p>Version (attribute of Add element)</p></td>
<td align="left"><p>Optional. Specifies a build to use for the package</p>
<p>Defaults to latest advertised build (as defined in v32.CAB at the Office source).</p></td>
<td align="left"><p><code>15.1.2.3</code></p></td>
</tr>
<tr class="even">
<td align="left"><p>SourcePath (attribute of Add element)</p></td>
<td align="left"><p>Specifies the location in which the applications will be saved to.</p></td>
<td align="left"><p><code>Sourcepath = &quot;\\Server\Office2013”</code></p></td>
</tr>
</tbody>
</table>
 
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.
2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2013 applications that will later be converted into an App-V package. Below is an example command with description of details:
``` syntax
\\server\Office2013\setup.exe /download \\server\Office2013\Customconfig.xml
```
In the example:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>\\server\Office2013</strong></p></td>
<td align="left"><p>is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Setup.exe</strong></p></td>
<td align="left"><p>is the Office Deployment Tool.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>/download</strong></p></td>
<td align="left"><p>downloads the Office 2013 applications that you specify in the customConfig.xml file. These bits can be later converted in an Office 2013 App-V package with Volume Licensing.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>\\server\Office2013\Customconfig.xml</strong></p></td>
<td align="left"><p>passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \\Server\Office2013.</p></td>
</tr>
</tbody>
</table>
 
### Convert the Office applications into an App-V package
After you download the Office 2013 applications through the Office Deployment Tool, use the Office Deployment Tool to convert them into an Office 2013 App-V package. Complete the steps that correspond to your licensing model.
**Summary of what youll need to do:**
- Create the Office 2013 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8, and Windows 10 computers.
- Create an Office App-V package for either Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file.
The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model youre using. The steps in the sections that follow the table will specify the exact entries you need to make.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Product ID</th>
<th align="left">Volume Licensing</th>
<th align="left">Subscription Licensing</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><strong>Office 2013</strong></p></td>
<td align="left"><p>ProPlusVolume</p></td>
<td align="left"><p>O365ProPlusRetail</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Office 2013 with Visio 2013</strong></p></td>
<td align="left"><p>ProPlusVolume</p>
<p>VisioProVolume</p></td>
<td align="left"><p>O365ProPlusRetail</p>
<p>VisioProRetail</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Office 2013 with Visio 2013 and Project 2013</strong></p></td>
<td align="left"><p>ProPlusVolume</p>
<p>VisioProVolume</p>
<p>ProjectProVolume</p></td>
<td align="left"><p>O365ProPlusRetail</p>
<p>VisioProRetail</p>
<p>ProjectProRetail</p></td>
</tr>
</tbody>
</table>
 
**How to convert the Office applications into an App-V package**
1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Parameter</th>
<th align="left">What to change the value to</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>SourcePath</p></td>
<td align="left"><p>Point to the Office applications downloaded earlier.</p></td>
</tr>
<tr class="even">
<td align="left"><p>ProductID</p></td>
<td align="left"><p>Specify the type of licensing, as shown in the following examples:</p>
<ul>
<li><p>Subscription Licensing</p>
<pre class="syntax" space="preserve"><code>&lt;Configuration&gt;
&lt;Add SourcePath= &quot;\\server\Office 2013&quot; OfficeClientEdition=&quot;32&quot; &gt;
&lt;Product ID=&quot;O365ProPlusRetail&quot;&gt;
&lt;Language ID=&quot;en-us&quot; /&gt;
&lt;/Product&gt;
&lt;Product ID=&quot;VisioProRetail&quot;&gt;
&lt;Language ID=&quot;en-us&quot; /&gt;
&lt;/Product&gt;
&lt;/Add&gt;
&lt;/Configuration&gt; </code></pre>
<p>In this example, the following changes were made to create a package with Subscription licensing:</p>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>SourcePath</strong></p></td>
<td align="left"><p>is the path, which was changed to point to the Office applications that were downloaded earlier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Product ID</strong></p></td>
<td align="left"><p>for Office was changed to <code>O365ProPlusRetail</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Product ID</strong></p></td>
<td align="left"><p>for Visio was changed to <code>VisioProRetail</code>.</p></td>
</tr>
</tbody>
</table>
<p> </p>
<p></p></li>
<li><p>Volume Licensing</p>
<pre class="syntax" space="preserve"><code>&lt;Configuration&gt;
&lt;Add SourcePath= &quot;\\Server\Office2013&quot; OfficeClientEdition=&quot;32&quot; &gt;
&lt;Product ID=&quot;ProPlusVolume&quot;&gt;
&lt;Language ID=&quot;en-us&quot; /&gt;
&lt;/Product&gt;
&lt;Product ID=&quot;VisioProVolume&quot;&gt;
&lt;Language ID=&quot;en-us&quot; /&gt;
&lt;/Product&gt;
&lt;/Add&gt;
&lt;/Configuration&gt;</code></pre>
<p>In this example, the following changes were made to create a package with Volume licensing:</p>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>SourcePath</strong></p></td>
<td align="left"><p>is the path, which was changed to point to the Office applications that were downloaded earlier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Product ID</strong></p></td>
<td align="left"><p>for Office was changed to <code>ProPlusVolume</code>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Product ID</strong></p></td>
<td align="left"><p>for Visio was changed to <code>VisioProVolume</code>.</p></td>
</tr>
</tbody>
</table>
<p> </p>
<p></p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>ExcludeApp (optional)</p></td>
<td align="left"><p>Lets you specify Office programs that you dont want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.</p></td>
</tr>
<tr class="even">
<td align="left"><p>PACKAGEGUID (optional)</p></td>
<td align="left"><p>By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.</p>
<p>An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2013 for some users, and create another package with Office 2013 and Visio 2013 for another set of users.</p>
<div class="alert">
<strong>Note</strong>  
<p>Even if you use unique package IDs, you can still deploy only one App-V package to a single device.</p>
</div>
<div>
 
</div></td>
</tr>
</tbody>
</table>
 
2. Use the /packager command to convert the Office applications to an Office 2013 App-V package.
For example:
``` syntax
\\server\Office2013\setup.exe /packager \\server\Office2013\Customconfig.xml \\server\share\Office2013AppV
```
In the example:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>\\server\Office2013</strong></p></td>
<td align="left"><p>is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Setup.exe</strong></p></td>
<td align="left"><p>is the Office Deployment Tool.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>/packager</strong></p></td>
<td align="left"><p>creates the Office 2013 App-V package with Volume Licensing as specified in the customConfig.xml file.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>\\server\Office2013\Customconfig.xml</strong></p></td>
<td align="left"><p>passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>\\server\share\Office 2013AppV</strong></p></td>
<td align="left"><p>specifies the location of the newly created Office App-V package.</p></td>
</tr>
</tbody>
</table>
 
After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved:
- **App-V Packages** contains an Office 2013 App-V package and two deployment configuration files.
- **WorkingDir**
**Note**  
To troubleshoot any issues, see the log files in the %temp% directory (default).
 
3. Verify that the Office 2013 App-V package works correctly:
1. Publish the Office 2013 App-V package, which you created globally, to a test computer, and verify that the Office 2013 shortcuts appear.
2. Start a few Office 2013 applications, such as Excel or Word, to ensure that your package is working as expected.
## <a href="" id="bkmk-pub-pkg-office"></a>Publishing the Office package for App-V
Use the following information to publish an Office package.
### Methods for publishing Office App-V packages
Deploy the App-V package for Office 2013 by using the same methods you use for any other package:
- System Center Configuration Manager
- App-V Server
- Stand-alone through PowerShell commands
### Publishing prerequisites and requirements
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Prerequisite or requirement</th>
<th align="left">Details</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Enable PowerShell scripting on the App-V clients</p></td>
<td align="left"><p>To publish Office 2013 packages, you must run a script.</p>
<p>Package scripts are disabled by default on App-V clients. To enable scripting, run the following PowerShell command:</p>
<pre class="syntax" space="preserve"><code>Set-AppvClientConfiguration EnablePackageScripts 1</code></pre></td>
</tr>
<tr class="even">
<td align="left"><p>Publish the Office 2013 package globally</p></td>
<td align="left"><p>Extension points in the Office App-V package require installation at the computer level.</p>
<p>When you publish at the computer level, no prerequisite actions or redistributables are needed, and the Office 2013 package globally enables its applications to work like natively installed Office, eliminating the need for administrators to customize packages.</p></td>
</tr>
</tbody>
</table>
 
### How to publish an Office package
Run the following command to publish an Office package globally:
- `Add-AppvClientPackage <Path_to_AppV_Package> | Publish-AppvClientPackage global`
- From the Web Management Console on the App-V Server, you can add permissions to a group of computers instead of to a user group to enable packages to be published globally to the computers in the corresponding group.
## <a href="" id="bkmk-custmz-manage-office-pkgs"></a>Customizing and managing Office App-V packages
To manage your Office App-V packages, use the same operations as you would for any other package, but there are a few exceptions, as outlined in the following sections.
- [Enabling Office plug-ins by using connection groups](#bkmk-enable-office-plugins)
- [Disabling Office 2013 applications](#bkmk-disable-office-apps)
- [Disabling Office 2013 shortcuts](#bkmk-disable-shortcuts)
- [Managing Office 2013 package upgrades](#bkmk-manage-office-pkg-upgrd)
- [Managing Office 2013 licensing upgrades](#bkmk-manage-office-lic-upgrd)
- [Deploying Visio 2013 and Project 2013 with Office](#bkmk-deploy-visio-project)
### <a href="" id="bkmk-enable-office-plugins"></a>Enabling Office plug-ins by using connection groups
Use the steps in this section to enable Office plug-ins with your Office package. To use Office plug-ins, you must use the App-V Sequencer to create a separate package that contains just the plug-ins. You cannot use the Office Deployment Tool to create the plug-ins package. You then create a connection group that contains the Office package and the plug-ins package, as described in the following steps.
**To enable plug-ins for Office App-V packages**
1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
3. Create an App-V package that includes the desired plug-ins.
4. Add a Connection Group through App-V server, System Center Configuration Manager, or a PowerShell cmdlet.
5. Add the Office 2013 App-V package and the plug-ins package you sequenced to the Connection Group you created.
**Important**  
The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2013 App-V package first, and then add the plug-in App-V package.
 
6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2013 App-V package.
7. Verify that the Deployment Configuration File of the plug-in package has the same settings that the Office 2013 App-V package has.
Since the Office 2013 App-V package is integrated with the operating system, the plug-in package settings should match. You can search the Deployment Configuration File for “COM Mode” and ensure that your plug-ins package has that value set as “Integrated” and that both "InProcessEnabled" and "OutOfProcessEnabled" match the settings of the Office 2013 App-V package you published.
8. Open the Deployment Configuration File and set the value for **Objects Enabled** to **false**.
9. If you made any changes to the Deployment Configuration file after sequencing, ensure that the plug-in package is published with the file.
10. Ensure that the Connection Group you created is enabled onto your desired computer. The Connection Group created will likely “pend” if the Office 2013 App-V package is in use when the Connection Group is enabled. If that happens, you have to reboot to successfully enable the Connection Group.
11. After you successfully publish both packages and enable the Connection Group, start the target Office 2013 application and verify that the plug-in you published and added to the connection group works as expected.
### <a href="" id="bkmk-disable-office-apps"></a>Disabling Office 2013 applications
You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you will save the changes, add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications.
**Note**  
To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](http://technet.microsoft.com/library/jj219426.aspx).
 
**To disable an Office 2013 application**
1. Open a Deployment Configuration File with a text editor such as **Notepad** and search for “Applications."
2. Search for the Office application you want to disable, for example, Access 2013.
3. Change the value of "Enabled" from "true" to "false."
4. Save the Deployment Configuration File.
5. Add the Office 2013 App-V Package with the new Deployment Configuration File.
``` syntax
<Application Id="[{AppVPackageRoot)]\officefl5\INFOPATH.EXE" Enabled="true">
<VisualElements>
<Name>InfoPath Filler 2013</Name>
<Icon />
<Description />
</VisualElements>
</Application>
<Application Id="[{AppVPackageRoot}]\officel5\lync.exe" Enabled="true">
<VisualElements>
<Name>Lync 2013</Name>
<Icon />
<Description />
</VisualElements>
</Application>
<Application Id="[(AppVPackageRoot}]\office15\MSACCESS.EXE" Enabled="true">
<VisualElements>
<Name>Access 2013</Name>
<Icon />
<Description />
</VisualElements>
</Application>
```
6. Re-add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications.
### <a href="" id="bkmk-disable-shortcuts"></a>Disabling Office 2013 shortcuts
You may want to disable shortcuts for certain Office applications instead of unpublishing or removing the package. The following example shows how to disable shortcuts for Microsoft Access.
**To disable shortcuts for Office 2013 applications**
1. Open a Deployment Configuration File in Notepad and search for “Shortcuts”.
2. To disable certain shortcuts, delete or comment out the specific shortcuts you dont want. You must keep the subsystem present and enabled. For example, in the example below, delete the Microsoft Access shortcuts, while keeping the subsystems &lt;shortcut&gt; &lt;/shortcut&gt; intact to disable the Microsoft Access shortcut.
``` syntax
Shortcuts
-->
<Shortcuts Enabled="true">
<Extensions>
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{Common Programs}]\Microsoft Office 2013\Access 2013.lnk</File>
<Target>[{AppvPackageRoot}])office15\MSACCESS.EXE</Target>
<Icon>[{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico</Icon>
<Arguments />
<WorkingDirectory />
<AppuserModelId>Microsoft.Office.MSACCESS.EXE.15</AppUserModelId>
<AppUsermodelExcludeFroeShowInNewInstall>true</AppUsermodelExcludeFroeShowInNewInstall>
<Description>Build a professional app quickly to manage data.</Description>
<ShowCommand>l</ShowCommand>
<ApplicationId>[{AppVPackageRoot}]\officel5\MSACCESS.EXE</ApplicationId>
</Shortcut>
```
3. Save the Deployment Configuration File.
4. Republish Office 2013 App-V Package with new Deployment Configuration File.
Many additional settings can be changed through modifying the Deployment Configuration for App-V packages, for example, file type associations, Virtual File System, and more. For additional information on how to use Deployment Configuration Files to change App-V package settings, refer to the additional resources section at the end of this document.
### <a href="" id="bkmk-manage-office-pkg-upgrd"></a>Managing Office 2013 package upgrades
To upgrade an Office 2013 package, use the Office Deployment Tool. To upgrade a previously deployed Office 2013 package, perform the following steps.
**How to upgrade a previously deployed Office 2013 package**
1. Create a new Office 2013 package through the Office Deployment Tool that uses the most recent Office 2013 application software. The most recent Office 2013 bits can always be obtained through the download stage of creating an Office 2013 App-V Package. The newly created Office 2013 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage.
**Note**  
Office App-V packages have two Version IDs:
- An Office 2013 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
- A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2013 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2013 package.
 
2. Globally publish the newly created Office 2013 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2013 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
### <a href="" id="bkmk-manage-office-lic-upgrd"></a>Managing Office 2013 licensing upgrades
If a new Office 2013 App-V Package has a different license than the Office 2013 App-V Package currently deployed. For instance, the Office 2013 package deployed is a subscription based Office 2013 and the new Office 2013 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade:
**How to upgrade an Office 2013 License**
1. Unpublish the already deployed Office 2013 Subscription Licensing App-V package.
2. Remove the unpublished Office 2013 Subscription Licensing App-V package.
3. Restart the computer.
4. Add the new Office 2013 App-V Package Volume Licensing.
5. Publish the added Office 2013 App-V Package with Volume Licensing.
An Office 2013 App-V Package with your chosen licensing will be successfully deployed.
### <a href="" id="bkmk-deploy-visio-project"></a>Deploying Visio 2013 and Project 2013 with Office
The following table describes the requirements and options for deploying Visio 2013 and Project 2013 with Office.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Task</th>
<th align="left">Details</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>How do I package and publish Visio 2013 and Project 2013 with Office?</p></td>
<td align="left"><p>You must include Visio 2013 and Project 2013 in the same package with Office.</p>
<p>If you arent deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the [Virtualizing Microsoft Office 2013 for Application Virtualization (App-V) 5.0](https://technet.microsoft.com/en-us/itpro/mdop/solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions#bkmk-pkg-pub-reqs).</p></td>
</tr>
<tr class="even">
<td align="left"><p>How can I deploy Visio 2013 and Project 2013 to specific users?</p></td>
<td align="left"><p>Use one of the following methods:</p>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">If you want to...</th>
<th align="left">...then use this method</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Create two different packages and deploy each one to a different group of users</p></td>
<td align="left"><p>Create and deploy the following packages:</p>
<ul>
<li><p>A package that contains only Office - deploy to computers whose users need only Office.</p></li>
<li><p>A package that contains Office, Visio, and Project - deploy to computers whose users need all three applications.</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>If you want only one package for the whole organization, or if you have users who share computers:</p></td>
<td align="left"><p>Follows these steps:</p>
<ol>
<li><p>Create a package that contains Office, Visio, and Project.</p></li>
<li><p>Deploy the package to all users.</p></li>
<li><p>Use [Microsoft AppLocker](http://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.</p></li>
</ol></td>
</tr>
</tbody>
</table>
<p> </p></td>
</tr>
</tbody>
</table>
 
## Additional resources
**Office 2013 App-V Packages Additional Resources**
[Office Deployment Tool for Click-to-Run](http://go.microsoft.com/fwlink/p/?LinkID=330672)
[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](http://go.microsoft.com/fwlink/p/?LinkId=330680)
**Office 2010 App-V Packages**
[Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330681)
[Known issues when you create or use an App-V 5.0 Office 2010 package](http://go.microsoft.com/fwlink/p/?LinkId=330682)
[How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://go.microsoft.com/fwlink/p/?LinkId=330676)
**Connection Groups**
[Deploying Connection Groups in Microsoft App-V v5](http://go.microsoft.com/fwlink/p/?LinkId=330683)
[Managing Connection Groups](appv-managing-connection-groups.md)
**Dynamic Configuration**
[About App-V Dynamic Configuration](appv-dynamic-configuration.md)
## Have a suggestion for App-V?
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
 
 

Some files were not shown because too many files have changed in this diff Show More