Merge remote-tracking branch 'refs/remotes/origin/master' into wsfb-9502045

This commit is contained in:
Trudy Hakala
2016-11-01 13:10:46 -07:00
39 changed files with 121 additions and 140 deletions

View File

@ -20,8 +20,8 @@ Included examples:
- [Example 4: Connect directly if the host is in specified subnet](#example-4-connect-directly-if-the-host-is-in-specified-subnet)
- [Example 5: Determine the connection type based on the host domain](#example-5-determine-the-connection-type-based-on-the-host-domain)
- [Example 6: Determine the connection type based on the protocol](#example-6-determine-the-connection-type-based-on-the-protocol)
- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-IP-address)
- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-IP-address-matches-the-specified-IP-address)
- [Example 7: Determine the proxy server based on the host name matching the IP address](#example-7-determine-the-proxy-server-based-on-the-host-name-matching-the-ip-address)
- [Example 8: Connect using a proxy server if the host IP address matches the specified IP address](#example-8-connect-using-a-proxy-server-if-the-host-ip-address-matches-the-specified-ip-address)
- [Example 9: Connect using a proxy server if there are periods in the host name](#example-9-connect-using-a-proxy-server-if-there-are-periods-in-the-host-name)
- [Example 10: Connect using a proxy server based on specific days of the week](#example-10-connect-using-a-proxy-server-based-on-specific-days-of-the-week)

View File

@ -6,6 +6,7 @@ ms.prod: IE11
title: Internet Explorer 11 (IE11) (Internet Explorer 11 for IT Pros)
assetid: be3dc32e-80d9-4d9f-a802-c7db6c50dbe0
ms.sitesec: library
localizationpriority: low
---

View File

@ -425,7 +425,7 @@ This page will attempt to create a new admin account using the credentials that
In order to get the latest features and fixes, you should update your Surface Hub as soon as you finish all of the preceding first-run steps.
1. Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#using-wsus).
1. Make sure the device has access to the Windows Update servers or to Windows Server Update Services (WSUS). To configure WSUS, see [Using WSUS](manage-windows-updates-for-surface-hub.md#use-windows-server-update-services).
2. Open Settings, click **Update & security**, then **Windows Update**, and then click **Check for updates**.
3. If updates are available, they will be downloaded. Once downloading is complete, click the **Update now** button to install the updates.
4. Follow the onscreen prompts after the updates are installed. You may need to restart the device.

View File

@ -12,7 +12,7 @@ localizationpriority: medium
---
# Hybrid deployment (Surface Hub)
A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. If youre using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#hybrid-exchange-on-prem), and [Exchange hosted online](#hybrid-exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
A hybrid deployment requires special processing in order to set up a device account for your Microsoft Surface Hub. If youre using a hybrid deployment, in which your organization has a mix of services, with some hosted on-premises and some hosted online, then your configuration will depend on where each service is hosted. This topic covers hybrid deployments for [Exchange hosted on-prem](#exchange-on-prem), and [Exchange hosted online](#exchange-online). Because there are so many different variations in this type of deployment, it's not possible to provide detailed instructions for all of them. The following process will work for many configurations. If the process isn't right for your setup, we recommend that you use PowerShell (see [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)) to achieve the same end result as documented here, and for other deployment options. You should then use the provided Powershell script to verify your Surface Hub setup. (See [Account Verification Script](appendix-a-powershell-scripts-for-surface-hub.md#acct-verification-ps-scripts).)
## Exchange on-prem
Use this procedure if you use Exchange on-prem.

View File

@ -92,9 +92,9 @@ Once you've determined deployment rings for your Surface Hubs, configure update
> If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates).
## Use Windows Server Update Services (WSUS)
## Use Windows Server Update Services
You can connect Surface Hub to your WSUS server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
You can connect Surface Hub to your indows Server Update Services (WSUS) server to manage updates. Updates will be controlled through approvals or automatic deployment rules configured in your WSUS server, so new upgrades will not be deployed until you choose to deploy them.
**To manually connect a Surface Hub to a WSUS server:**
1. Open **Settings** on your Surface Hub.
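Review bot: The rewritten intro sentence under the renamed heading has a typo, "your indows Server Update Services (WSUS) server"; it should read "your Windows Server Update Services (WSUS) server". The heading rename itself is consistent with the `#use-windows-server-update-services` fragment that the first-run page now links to in this same commit.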

View File

@ -16,7 +16,7 @@ localizationpriority: medium
This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.
Before you power on Microsoft Surface Hub for the first time, make sure you've [completed the checklist](prepare-your-environment-for-surface-hub.md#prepare-checklist) at the end of the [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) section, and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
Before you power on Microsoft Surface Hub for the first time, make sure you've [completed preparation items](prepare-your-environment-for-surface-hub.md), and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct.
## In this section

View File

@ -728,7 +728,7 @@ To implement this method, perform the following steps:
Put the student information in the format the bulk-import feature requires.
2. Bulk-import the student information into Azure AD.
For more information about how to perform this step, see the [Bulk-import user and group accounts in Office 365](#bulk-import-user-and-group-accounts-in-office-365) section.
For more information about how to perform this step, see the [Bulk-import user and group accounts into Office 365](#bulk-import-user-and-group-accounts-into-office-365) section.
#### Summary
@ -1851,4 +1851,4 @@ You have now identified the tasks you need to perform monthly, at the end of an
* [Manage Windows 10 updates and upgrades in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723347)
* [Reprovision devices at the end of the school year (video)](https://technet.microsoft.com/en-us/windows/mt723344)
* [Use MDT to deploy Windows 10 in a school (video)](https://technet.microsoft.com/en-us/windows/mt723343)
* [Use Windows Store for Business in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723348)
* [Use Windows Store for Business in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723348)

View File

@ -105,7 +105,7 @@ Teachers and IT administrators can now get trials or subscriptions to Minecraft:
- [For teachers Minecraft: Education Edition](https://technet.microsoft.com/edu/windows/teacher-get-minecraft)
## Manage WSfB inventory education
## Manage WSfB inventory
Applies to: IT admins and teachers
### Manage purchases
@ -126,7 +126,7 @@ Teachers can:
> Teachers can't manage or view apps purchased by other teachers, or purchased by admins. Teachers can only work with the apps they purchased.
### Distribute apps - education
### Distribute apps
Manage and distribute apps to students and others in your organization. Different options are avaialble for admins and teachers.
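Review bot: The context line directly under the renamed "Distribute apps" heading still reads "Different options are avaialble for admins and teachers"; since this hunk already touches the section, correct it to "available". Dropping "- education" from the heading also changes its generated anchor, so any links that pointed at the old slug need the same update.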
@ -149,7 +149,7 @@ For info on how to distribute **Minecraft: Education Edition**, see [For teacher
Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
### Purchase additional licenses - education
### Purchase additional licenses
Applies to: IT admins and teachers
You can manage current app licenses, or purchase more licenses for apps in your inventory.
@ -167,7 +167,7 @@ You'll have a summary of current license availability.
Similarly, you can purchase additional subscriptions of **Minecraft: Education Edition** through Windows Store for Business. Find **Minecraft: Education Edition** in your inventory and use the previous steps for purchasing additional app licenses.
## Manage WSfB order history education
## Manage WSfB order history
Applies to: IT admins and teachers
You can manage your orders through Windows Store for Business. For info on order history and how to refund an order, see [Manage app orders in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/manage-orders-windows-store-for-business).

View File

@ -8,7 +8,7 @@ ms.sitesec: library
author: jdeckerMS
---
# Get Minecraft Education Edition
# Get Minecraft: Education Edition
**Applies to:**

View File

@ -25,11 +25,9 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
- Students cant change settings, extend their display, see notifications, get updates, or use autofill features.
- Cortana is turned off.
> **Tip!**
> [!TIP]
> To exit **Take a Test**, press Ctrl+Alt+Delete.
## How you use Take a Test
![Use test account or test url in Take a Test](images/take-a-test-flow.png)
@ -47,7 +45,10 @@ The **Take a Test** app in Windows 10, Version 1607, creates the right environme
1. Sign into the device with an administrator account.
2. Go to **Settings** > **Accounts** > **Work or school access** > **Set up an account for taking tests**.
3. Select an existing account to use as the dedicated testing account.
>**Note**: If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I dont have this persons sign-in information** > **Add a user without a Microsoft account**.
> [!NOTE]
> If you don't have an account on the device, you can create a new account. To do this, go to **Settings** > **Accounts** > **Other Users** > **Add someone else to this PC** > **I dont have this persons sign-in information** > **Add a user without a Microsoft account**.
4. Specify an assessment URL.
5. Click **Save**.

View File

@ -30,7 +30,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
 
**To open the Administration and Monitoring Website**
<a href="" id="bkmk-openadmin"></a>**To open the Administration and Monitoring Website**
1. Open a web browser and navigate to the Administration and Monitoring Website. The default URL for the Administration and Monitoring Website is:
@ -47,7 +47,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
 
**To generate an Enterprise Compliance Report**
<a href="" id="bkmk-enterprise"></a>**To generate an Enterprise Compliance Report**
1. From the Administration and Monitoring Website, select the **Reports** node from the left navigation pane, select **Enterprise Compliance Report**, and select the filters that you want to use. The available filters for the Enterprise Compliance Report are:
@ -61,7 +61,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
4. Select the plus sign (+) next to the computer name to view information about the volumes on the computer.
**To generate a Computer Compliance Report**
<a href="" id="bkmk-computercomp"></a>**To generate a Computer Compliance Report**
1. From the Administration and Monitoring Website, select the **Report** node from the left navigation pane, and then select **Computer Compliance Report**. Use the Computer Compliance Report to search for **User name** or **Computer name**.
@ -74,9 +74,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
**Note**  
An MBAM client computer is considered compliant if the computer matches or exceeds the requirements of the MBAM Group Policy settings.
 
**To generate a Recovery Key Audit Report**
<a href="" id="bkmk-recoverykey"></a>**To generate a Recovery Key Audit Report**
1. From the Administration and Monitoring Website, select the **Report** node in the left navigation pane, and then select **Recovery Audit Report**. Select the filters for your Recovery Key Audit Report. The available filters for recovery key audits are as follows:

View File

@ -11,8 +11,6 @@ ms.prod: w10
# How to Recover a Moved Drive
This topic explains how to use the Administration and Monitoring Website (also referred to as the Help Desk) to recover an operating system drive that was moved after being encrypted by Microsoft BitLocker Administration and Monitoring (MBAM). When a drive is moved, it no longer accepts the PIN that was used in the previous computer because the Trusted Platform Module (TPM) chip has changed. To recover the moved drive, you must obtain the recovery key ID to retrieve the recovery password.
To recover a moved drive, you must use the **Drive Recovery** area of the Administration and Monitoring Website. To access the **Drive Recovery** area, you must be assigned the MBAM Helpdesk Users role or the MBAM Advanced Helpdesk Users role. For more information about these roles, see [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md#bkmk-helpdesk-roles).
@ -20,10 +18,7 @@ To recover a moved drive, you must use the **Drive Recovery** area of the Admini
**Note**  
You may have given these roles different names when you created them. For more information, see [Access accounts for the Administration and Monitoring Website (Help Desk)](#bkmk-helpdesk-roles).
 
**To recover a moved drive**
1. On the computer that contains the moved drive, start the computer in Windows Recovery Environment (WinRE) mode, or start the computer by using the Microsoft Diagnostic and Recovery Toolset (DaRT).
2. After the computer has been started with WinRE or DaRT, MBAM will treat the moved operating system drive as a fixed data drive. MBAM will then display the drives recovery password ID and ask for the recovery password.
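Review bot: The Note in this hunk still links with a same-page fragment, `(#bkmk-helpdesk-roles)`, but the paragraph just above it reaches the same id through `planning-for-mbam-25-groups-and-accounts.md#bkmk-helpdesk-roles`, and nothing visible in this file defines that id. Since the commit is cleaning up anchors, point the Note's link at the planning topic as well so it does not resolve to nothing.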

View File

@ -103,7 +103,7 @@ Create the following accounts for the Reports feature.
 
## <a href="" id="bkmk-helpdesk-roles"></a>Administration and Monitoring Website (Help Desk) accounts
<a href="" id="bkmk-helpdesk-roles"></a>## Administration and Monitoring Website (Help Desk) accounts
Create the following accounts for the Administration and Monitoring Website.
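Review bot: Moving the `<a href="" id="bkmk-helpdesk-roles"></a>` tag in front of `##` means the line no longer begins with the heading marker, so Markdown will render "## Administration and Monitoring Website (Help Desk) accounts" as literal paragraph text instead of a level-2 heading. Keep `##` first on the line, as in the removed version, or put the anchor tag on its own line above the heading.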

View File

@ -72,8 +72,7 @@ Before you install the MBAM Client software on end users' computers, ensure that
 
**Important**  
If BitLocker was used without MBAM, you must decrypt the drive and then clear TPM using tpm.msc. MBAM cannot take ownership of TPM if the client PC is already encrypted and the TPM owner password created.
If BitLocker was used without MBAM, MBAM can be installed and utilize the existing TPM information.
 
## Got a suggestion for MBAM?
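Review bot: The replacement Important note reverses the previous guidance (decrypt the drive and clear the TPM with tpm.msc, because MBAM cannot take ownership of an already-owned TPM) and now says MBAM "can be installed and utilize the existing TPM information", with no mention of version or preconditions. This is a behavioural claim about TPM ownership and key escrow, not a link fix, so it should state which MBAM release it applies to and whether the existing recovery information and TPM owner password end up escrowed in MBAM after install. If it arrived only through the merge, confirm with the content owner that the new statement is the intended one.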

View File

@ -29,7 +29,7 @@ You can add and remove URL redirection information by performing one of the foll
- [Edit the URL Redirection Text File and Rebuild the MED-V Workspace](#bkmk-edittext)
**To update URL Redirection information by using Group Policy**
<a href="" id="bkmk-editreg"></a>**To update URL Redirection information by using Group Policy**
1. Edit the registry key multi-string value that is named `RedirectUrls`. This value is typically located at:
@ -44,7 +44,7 @@ This method of editing URL redirection information is a MED-V best practice.
 
**To rebuild the MED-V workspace by using an updated URL text file**
<a href="" id="bkmk-edittext"></a>**To rebuild the MED-V workspace by using an updated URL text file**
- Another method of adding and removing URLs from the redirection list is to update the URL redirection text file and then use it to build a new MED-V workspace. You can then redeploy the MED-V workspace as before, by using your standard process of deployment, such as an ESD system.

View File

@ -47,21 +47,15 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
3. **MED-V Host Agent Installation File** installs the Host Agent (MED-V\_HostAgent\_Setup installation file). For more information, see [How to Manually Install the MED-V Host Agent](how-to-manually-install-the-med-v-host-agent.md).
**Warning**  
Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution.
 
Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution.  
4. **MED-V Workspace Installer, VHD, and Setup Executable** created in the **MED-V Workspace Packager**. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md).
**Important**  
The compressed virtual hard disk file (.medv) and the Setup executable program (setup.exe) must be in the same folder as the MED-V workspace installer. Then, install the MED-V workspace installer by running setup.exe.
 
**Tip**  
Because problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe.
 
Because problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe.  
3. Configure the packages to run in silent mode (no user interaction is required).
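Review bot: The Tip line that this hunk re-adds keeps the broken sentence "Because problems that can occur when you install MED-V from a network location, we recommend that you copy..."; drop "that" so it reads "Because problems can occur when you install MED-V from a network location". The hunk also removes the blank spacer lines after the Warning, Important and Tip blocks, so check the rendered page to confirm each callout still ends before the following list item.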
@ -70,15 +64,11 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
**Note**  
Installation of Windows Virtual PC requires you to restart the computer. You can create a single installation process and install all the components at the same time if you suppress the restart and ignore the prerequisites necessary for MED-V to install. You can also do this by using command-line arguments. For an example of these arguments, see [To install the MED-V components by using a batch file](#bkmk-batch). MED-V automatically starts when the computer is restarted.
 
4. Install MED-V and its components before installing Windows Virtual PC. See the example batch file later in this topic.
**Important**  
Select the **IGNORE\_PREREQUISITES** option as shown in the example batch file so that the MED-V components can be installed prior to the required VPC components. Install the MED-V components in this order to allow for the single restart.
 
5. Identify any other requirements necessary for the installation and for your software distribution system, such as target platforms and the free disk space.
6. Assign the packages to the target set of computers/users.
@ -91,7 +81,7 @@ You must install the MED-V workspace packager and build your MED-V workspaces be
First time setup starts and might take several minutes to finish, depending on the size of the virtual hard disk that you specified and the number of policies applied to the MED-V workspace on startup. The end user can track the progress by watching the MED-V icon in the notification area. For more information about first time setup, see [MED-V 2.0 Deployment Overview](med-v-20-deployment-overview.md).
**To install the MED-V components by using a batch file**
<a href="" id="bkmk-batch"></a>**To install the MED-V components by using a batch file**
1. Run the installation at a command prompt with administrative credentials.

View File

@ -45,7 +45,7 @@ This workflow diagram provides a high-level understanding of a UE-V deployment a
![deploymentworkflow](images/deploymentworkflow.png)
**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components youll be deploying. Planning a UE-V deployment involves these things:
<a href="" id="planning"></a>**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components youll be deploying. Planning a UE-V deployment involves these things:
- [Decide whether to synchronize settings for custom applications](#deciding)

View File

@ -37,7 +37,7 @@ In this topic:
- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add domain devices to the GPO membership group

View File

@ -25,11 +25,11 @@ To complete these procedures, you must be a member of the Domain Administrators
In this topic:
- [Add the test devices to the GPO membership groups](#to-add-domain-devices-to-the-gpo-membership-group)
- [Add the test devices to the GPO membership groups](#to-add-test-devices-to-the-gpo-membership-group)
- [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
- [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add test devices to the GPO membership groups
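Review bot: The new fragment `#to-add-test-devices-to-the-gpo-membership-group` is singular, but the heading at the end of this hunk is "To add test devices to the GPO membership groups", whose generated slug ends in "groups". As written the first link in the list will not resolve; change it to `#to-add-test-devices-to-the-gpo-membership-groups`.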

View File

@ -86,7 +86,7 @@ Logon/Logoff security policy settings and audit events allow you to track attemp
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#bkmk-globalobjectaccess).
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access).
This category includes the following subcategories:
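Review bot: The updated link uses `#global-object-access` while its text is "Global Object Access Auditing"; if the target heading carries the full name, the generated slug would be `#global-object-access-auditing` and this link would still be broken. Confirm the exact heading text and match the fragment to it. The context paragraph above also contains "object Aaccess auditing subcategory", which should be "Access".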

View File

@ -117,7 +117,7 @@ When you need to recover the TPM owner information from AD DS and use it to man
**To obtain TPM owner backup information from AD DS and create a password file**
1. Sign in to a domain controller by using domain administrator credentials.
2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#ms-tpm-ownerinformation), to a location on your computer.
2. Copy the sample script file, [Get-TPMOwnerInfo.vbs](#bkmk-get-tpmownerinfo), to a location on your computer.
3. Open a Command Prompt window, and change the default location to the location of the sample script files you saved in the previous step.
4. At the command prompt, type **cscript Get-TPMOwnerInfo.vbs**.

View File

@ -319,7 +319,7 @@ When an administrator selects the **Require BitLocker backup to AD DS** check b
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#bkmk-adretro) to capture the information after connectivity is restored.
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
## <a href="" id="bkmk-security"></a>Security

View File

@ -17,11 +17,11 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
| New or changed topic | Description |
| --- | --- |
|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Added Microsoft Remote Desktop information. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about the icon overlay option. This icon now only appears on corporate files in the Save As and File Explore views |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) and [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the text about where the optioanl icon overlay appears.|
|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added content about using ActiveX controls.|
|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |New |
|[VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic |
| [Windows security baselines](windows-security-baselines.md) | Added Windows 10, version 1607 and Windows Server 2016 baseline |
|[Windows security baselines](windows-security-baselines.md) | Added Windows 10, version 1607 and Windows Server 2016 baseline |
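Review bot: The rewritten description in the SCCM/Intune row has a typo, "optioanl icon overlay"; it should be "optional". The new wording also drops the detail that the icon appears only on corporate files in the Save As and File Explorer views, so the change-history entry no longer says what actually changed; consider keeping that detail.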
## September 2016

View File

@ -160,7 +160,7 @@ For this example, were going to add Internet Explorer, a desktop app, to the
</tr>
<tr>
<td>All fields left as “*”</td>
<td>All files signed by any publisher. (Not recommended.)</td>
<td>All files signed by any publisher. (Not recommended)</td>
</tr>
<tr>
<td><strong>Publisher</strong> selected</td>

View File

@ -80,7 +80,7 @@ For this example, were going to add Microsoft OneNote, a store app, to the **
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Store App** from the **Rule template** drop-down list.
@ -164,7 +164,7 @@ For this example, were going to add Internet Explorer, a desktop app, to the
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick **Desktop App** from the **Rule template** drop-down list.
@ -304,7 +304,7 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.

View File

@ -74,7 +74,7 @@ When finished, the files will be saved to your desktop. You can double-click the
To trust this catalog file within a code integrity policy, the catalog must first be signed. Then, the signing certificate can be added to the code integrity policy, and the catalog file can be distributed to the individual client computers.
For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtool.exe).
For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtoolexe.
For information about adding the signing certificate to a code integrity policy, see [Add a catalog signing certificate to a code integrity policy](deploy-code-integrity-policies-steps.md#add-a-catalog-signing-certificate-to-a-code-integrity-policy).
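Review bot: The replacement link is malformed: `[Catalog signing with SignTool.exe](#catalog-signing-with-signtoolexe.` ends with a period where the closing parenthesis should be, so the Markdown link never terminates and the raw syntax will show on the page. It should end `(#catalog-signing-with-signtoolexe).` with the period outside the parenthesis.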

View File

@ -20,7 +20,7 @@ Hardware-based security features, also called virtualization-based security or V
2. **Verify that hardware and firmware requirements are met**. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard).
3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
3. **Enable the necessary Windows features**. There are several ways to enable the Windows features required for hardware-based security. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see the following section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
4. **Enable additional features as desired**. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), or see [Enable virtualization-based security (VBS)](#enable-virtualization-based-security-vbs-and-device-guard), later in this topic.
@ -46,7 +46,7 @@ After you enable the feature or features, you can enable VBS for Device Guard, a
## Enable Virtualization Based Security (VBS) and Device Guard
Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security).
Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard).
There are multiple ways to configure VBS features for Device Guard:

View File

@ -40,7 +40,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
2. On the **Action** menu, click **Initialize TPM** to start the TPM Initialization Wizard.
3. If the TPM has never been initialized or is turned off, the TPM Initialization Wizard displays the **Turn on the TPM security hardware** dialog box. This dialog box provides guidance for initializing or turning on the TPM. Follow the instructions in the wizard.
>**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the [To set ownership of the TPM](#bkmk-setownership) procedure.
>**Note:** If the TPM is already turned on, the TPM Initialization Wizard displays the **Create the TPM owner password** dialog box. Skip the remainder of this procedure and continue with the **To set ownership of the TPM** procedure.
 
>**Note:**  If the TPM Initialization Wizard detects that you do not have a compatible BIOS, you cannot continue with the TPM Initialization Wizard, and you are alerted to consult the computer manufacturer's documentation for instructions to initialize the TPM.
 
@ -57,7 +57,7 @@ To finish initializing the TPM for use, you must set an owner for the TPM. The p
**To set ownership of the TPM**
1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure [To start the TPM Initialization Wizard](#bkmk-starttpminitwizard).
1. If you are not continuing immediately from the last procedure, start the TPM Initialization Wizard. If you need to review the steps to do so, see the previous procedure **To start the TPM Initialization Wizard**.
2. In the **Create the TPM owner password** dialog box, click **Automatically create the password (recommended)**.
3. In the **Save your TPM owner password** dialog box, click **Save the password**.
4. In the **Save As** dialog box, select a location to save the password, and then click **Save**. The password file is saved as *computer\_name.tpm*.
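Review bot: The cross-reference in step 1 is demoted from a link to bold text instead of being retargeted, so readers lose the jump back to the earlier procedure; the preceding hunk does the same to the **To set ownership of the TPM** reference. The procedure titles are bold paragraphs rather than headings (see `**To set ownership of the TPM**` just above step 1), so no anchor is generated for them. If navigation matters here, consider promoting the titles to headings and linking to their slugs, as this commit does for the App-V procedures; otherwise say in the commit message that the links were dropped on purpose.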

View File

@ -44,7 +44,7 @@ To isolate Windows Store apps on your network, you need to use Group Policy to d
- [Prerequisites](#prerequisites)
- [Step 1: Define your network](#step-1-Define-your-network)
- [Step 1: Define your network](#step-1-define-your-network)
- [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules)

View File

@ -81,7 +81,7 @@ The default Administrator account is initially installed differently for Windows
In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required.
In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. For more information, see [Security considerations](#sec-administrator-security).
In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. For more information, see [Security considerations](#security-considerations).
**Account group membership**

View File

@ -30,7 +30,7 @@ The TPM Services Group Policy settings are located at:
| [Ignore the local list of blocked TPM commands](#bkmk-tpmgp-illb) | X| X| X| X| X| X|
| [Configure the level of TPM owner authorization information available to the operating system](#bkmk-tpmgp-oauthos)| | X| X| X|||
| [Standard User Lockout Duration](#bkmk-tpmgp-suld)| X| X| X| X|||
| [Standard User Individual Lockout Threshold](#bkmk-tpmgp-suilt)| X| X| X| X|||
| [Standard User Individual Lockout Threshold](#individual)| X| X| X| X|||
| [Standard User Total Lockout Threshold](#bkmk-tpmgpsutlt)| X| X| X| X||||
### <a href="" id="bkmk-tpmgp-addsbu"></a>Turn on TPM backup to Active Directory Domain Services
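Review bot: In the Standard User Individual Lockout Threshold row, the new target `#individual` departs from every other row in this table, which all point at `bkmk-tpmgp-*` ids of the kind declared explicitly on the heading below (`id="bkmk-tpmgp-addsbu"`). Nothing in this hunk shows an element with `id="individual"`, so please confirm that id exists on the target heading, or give that heading a `bkmk-tpmgp-suilt` anchor and keep the old link. Separately, the Standard User Total Lockout Threshold row ends with one more `|` than its neighbours, which adds a stray cell to the table.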

View File

@ -193,5 +193,5 @@ The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Wind
| ValidateAdminCodeSignatures | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | 0 (Default) = Disabled<br/>1 = Enabled |
| EnableSecureUIAPaths | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | 0 = Disabled<br />1 (Default) = Enabled |
| EnableLUA | [User Account Control: Run all administrators in Admin Approval Mode](#user-account-control-run-all-administrators-in-admin-approval-mode) | 0 = Disabled<br />1 (Default) = Enabled |
| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control:-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled<br />1 (Default) = Enabled |
| PromptOnSecureDesktop | [User Account Control: Switch to the secure desktop when prompting for elevation](#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation) | 0 = Disabled<br />1 (Default) = Enabled |
| EnableVirtualization | [User Account Control: Virtualize file and registry write failures to per-user locations](#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations) | 0 = Disabled<br />1 (Default) = Enabled |

View File

@ -21,7 +21,7 @@ This guide provides a detailed description of the most important security improv
#### Introduction
Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors. Three broad categories of security work went into Windows 10:
- [**Identity and access control**](#identity) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users credentials.
- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello and Microsoft Passport, which better protect user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users credentials.
- [**Information protection**](#information) that guards information at rest, in use, and in transit. In addition to BitLocker and BitLocker To Go for protection of data at rest, Windows 10 includes file-level encryption with Enterprise Data Protection that performs data separation and containment and, when combined with Rights Management services, can keep data encrypted when it leaves the corporate network. Windows 10 can also help keep data secure by using virtual private networks (VPNs) and Internet Protocol Security.
- [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10.
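Review bot: Only the first bullet is retargeted to a heading slug; the Information protection and Malware resistance bullets next to it still use the same short form (`#information`, `#malware`) that was just replaced for `#identity`. If `#identity` failed because the heading carries no explicit id, these two may fail for the same reason. Please check both targets and, if they are broken, fix them in this change so the three bullets stay consistent.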
@ -436,7 +436,7 @@ The functionality a TPM provides includes:
Microsoft combined this small list of TPM benefits with Windows 10 and other hardware security technologies to provide practical security and privacy benefits.
Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measure-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PCs TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measured-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PCs TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
Windows 10 supports TPM implementations that comply with either the 1.2 or 2.0 standards. Several improvements have been made in the TPM 2.0 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. At the time the TPM 1.2 standard was created in the early 2000s, these algorithms were considered cryptographically strong. Since that time, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection as well as the ability to plug in algorithms that may be preferred in certain geographies or industries. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself.
@ -576,7 +576,7 @@ The core functionality and protection of Device Guard starts at the hardware lev
Device Guard leverages VBS to isolate its Hypervisor Code Integrity (HVCI) service, which enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processors IOMMU functionality to force all software running in kernel mode to safely allocate memory. This means that after memory has been allocated, its state must be changed from writable to read only or execute only. By forcing memory into these states, it helps ensure that attacks are unable to inject malicious code into kernel mode processes and drivers through techniques such as buffer overruns or heap spraying. In the end, the VBS environment protects the Device Guard HVCI service from tampering even if the operating systems kernel has been fully compromised, and HVCI protects kernel mode processes and drivers so that a compromise of this magnitude can't happen in the first place.
Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the users derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the users derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach youve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#dgwithcg) section.
Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the users derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the users derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach youve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#device-guard-with-credential-guard) section.
#### Device Guard with AppLocker

View File

@ -36,7 +36,7 @@ This guide is intended for IT pros, system administrators, and IT managers, and
| Section | Description |
| - | - |
| [Set profile global defaults](#set-profile-global-defaults) | Enable and control firewall behavior|
| [Set profile global defaults](#bkmk-profileglobaldefaults) | Enable and control firewall behavior|
| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules|
| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`|
| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters|
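Review bot: The Set profile global defaults row goes the opposite way from the rest of this commit, replacing a heading slug with `#bkmk-profileglobaldefaults`, while the other rows in this table keep slug targets such as `#deploy-basic-firewall-rules`. That only resolves if the target heading carries an explicit `id="bkmk-profileglobaldefaults"`, which is not visible in this hunk. Please confirm the id is present, or drop the explicit anchor from the heading and keep the slug link so the table uses one convention.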

View File

@ -16,7 +16,7 @@ ms.prod: w10
You can create user-entitled connection groups that contain both user-published and globally published packages, using either of the following methods:
- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-powershell-cmdlets-to-create-user-entitled-connection-groups)
- [How to use Windows PowerShell cmdlets to create user-entitled connection groups](#how-to-use-windows-powershell-cmdlets-to-create-user-entitled-connection-groups)
- [How to use the App-V Server to create user-entitled connection groups](#how-to-use-the-app-v-server-to-create-user-entitled-connection-groups)

View File

@ -243,7 +243,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc
**Note**<br>
The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file.
The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-XML-file), later in this topic.
The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. For more information, see [Customizable attributes and elements of the XML file](#customizable-attributes-and-elements-of-the-xml-file), later in this topic.
After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml.

View File

@ -20,15 +20,15 @@ A connection group XML file defines the connection group for the App-V client. F
This topic explains the following procedures:
- [To add and publish the App-V packages in the connection group](#bkmk-add-pub-pkgs-in-cg)
- [To add and publish the App-V packages in the connection group](#to-add-and-publish-the-app-v-packages-in-the-connection-group)
- [To add and enable the connection group on the App-V client](#bkmk-add-enable-cg-on-clt)
- [To add and enable the connection group on the App-V client](#to-add-and-enable-the-connection-group-on-the-app-v-client)
- [To enable or disable a connection group for a specific user](#bkmk-enable-cg-for-user-poshtopic)
- [To enable or disable a connection group for a specific user](#to-enable-or-disable-a-connection-group-for-a-specific-user)
- [To allow only administrators to enable connection groups](#bkmk-admin-only-posh-topic-cg)
- [To allow only administrators to enable connection groups](#to-allow-only-administrators-to-enable-connection-groups)
**To add and publish the App-V packages in the connection group**
## To add and publish the App-V packages in the connection group
1. To add and publish the App-V packages to the computer running the App-V client, type the following command:
@ -36,7 +36,7 @@ This topic explains the following procedures:
2. Repeat **step 1** of this procedure for each package in the connection group.
**To add and enable the connection group on the App-V client**
## To add and enable the connection group on the App-V client
1. Add the connection group by typing the following command:
@ -48,7 +48,7 @@ This topic explains the following procedures:
When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection groups virtual environment and will be available to all the virtual applications in the other packages in the connection group.
**To enable or disable a connection group for a specific user**
## To enable or disable a connection group for a specific user
1. Review the parameter description and requirements:
@ -89,9 +89,7 @@ This topic explains the following procedures:
</tbody>
</table>
 
**To allow only administrators to enable connection groups**
## To allow only administrators to enable connection groups
1. Review the description and requirement for using this cmdlet:

View File

@ -16,11 +16,11 @@ ms.prod: w10
This topic explains how to:
- [Update an application in an existing virtual application package](#bkmk-update-app-in-pkg)
- [Update an application in an existing virtual application package](#update-an-application-in-an-existing-virtual-application-package)
- [Modify the properties associated with an existing virtual application package](#bkmk-chg-props-in-pkg)
- [Modify the properties associated with an existing virtual application package](#modify-the-properties-associated-with-an-existing-virtual-application-package)
- [Add a new application to an existing virtual application package](#bkmk-add-app-to-pkg)
- [Add a new application to an existing virtual application package](#add-a-new-application-to-an-existing-virtual-application-package)
**Before you update a package:**
@ -32,7 +32,7 @@ This topic explains how to:
- If you click **Modify an Existing Virtual Application Package** in the Sequencer in order to edit a package, but then make no changes and close the package, the streaming behavior of the package is changed. The primary feature block is removed from the StreamMap.xml file, and any files that were listed in the publishing feature block are removed. Users who receive the edited package experience that package as if it were stream-faulted, regardless of how the original package was configured.
**Update an application in an existing virtual application package**
## Update an application in an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@ -47,25 +47,17 @@ This topic explains how to:
**Important**  
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files are added to the package.
 
6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file, and if you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application update so the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and then locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**.
**Note**  
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
 
>**Note**&nbsp;&nbsp;The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
8. On the **Installation Report** page, you can review information about the updated virtual application. In **Additional Information**, double-click the event to obtain more detailed information. To proceed, click **Next**.
9. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all of the applications to run. After all applications have run, close each of the applications, and then click **Next**.
**Note**  
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
 
>**Note**&nbsp;&nbsp;You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop**, and then select either **Stop all applications** or **Stop this application only**.
10. On the **Create Package** page, to modify the package without saving it, select the check box for **Continue to modify package without saving using the package editor**. When you select this option, the package opens in the App-V Sequencer console, where you can modify the package before it is saved. Click **Next**.
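Review bot: The **Important** callout about disabling virus scanning software at the top of this hunk stays in the old two-line form with its trailing non-breaking-space line, while both **Note** callouts below it are converted to `>**Note**&nbsp;&nbsp;` blockquotes and the same **Important** callout in the "Add a new application" procedure later in this file is converted as well. Convert this one too, so the security reminder renders the same way in both procedures and the leftover spacer line is removed.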
@ -73,7 +65,8 @@ This topic explains how to:
11. On the **Completion** page, click **Close** to close the wizard. The package is now available in the sequencer.
**Modify the properties associated with an existing virtual application package**
## Modify the properties associated with an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@ -109,14 +102,11 @@ This topic explains how to:
- Add or edit shortcuts and file type associations.
**Note**  
To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
 
>**Note**&nbsp;&nbsp;To edit shortcuts or file type associations, you must first open the package for upgrade to add a new application, and then proceed to the final editing page.
6. When you finish changing the package properties, click **File** &gt; **Save** to save the package.
**Add a new application to an existing virtual application package**
## Add a new application to an existing virtual application package
1. On the computer that runs the sequencer, click **All Programs**, point to **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.
@ -128,19 +118,13 @@ This topic explains how to:
5. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or cause the revised package to contain unnecessary data. Resolve all potential issues before you continue. After making any corrections and resolving all potential issues, click **Refresh** &gt; **Next**.
**Important**  
If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
 
>**Important**&nbsp;&nbsp;If you are required to disable virus scanning software, first scan the computer that runs the sequencer to ensure that no unwanted or malicious files can be added to the package.
6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**.
7. On the **Installation** page, when the sequencer and application installer are ready, install the application so that the sequencer can monitor the installation process. If additional installation files must be run as part of the installation, click **Run**, and locate and run the additional installation files. When you finish the installation, select **I am finished installing** &gt; **Next**. In the **Browse for Folder** dialog box, specify the primary directory where the application will be installed. Ensure that this is a new location so that you dont overwrite the existing version of the virtual application package.
**Note**  
The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
 
>**Note**&nbsp;&nbsp;The sequencer monitors all changes and installations that occur on the computer that runs the sequencer. This includes any changes and installations that are performed outside of the sequencing wizard.
8. On the **Configure Software** page, optionally run the programs contained in the package. This step completes any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**.
@ -152,10 +136,7 @@ This topic explains how to:
11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**.
**Note**  
You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
 
>**Note**&nbsp;&nbsp;You can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and then select either **Stop all applications** or **Stop this application only**.
12. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the App-V Sequencer console, where you can modify the package before saving it. Click **Next**.

View File

@ -26,15 +26,14 @@ Use the following information to plan how to deploy Office by using Microsoft Ap
## <a href="" id="bkmk-lang-pack"></a>App-V support for Language Packs
You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office 2013 package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group.
You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group.
**Note**  
Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack.
 
## <a href="" id="bkmk-office-vers-supp-appv"></a>Supported versions of Microsoft Office
<!-- As of February 28, 2017, the first row of the table should be updated, because at that point, support for the Office 2013 version of Office 365 will end. It might also be good to have a link to this KB article: https://support.microsoft.com/kb/3199744 -->
The following table lists the versions of Microsoft Office that App-V supports, methods of Office package creation, supported licensing, and supported deployments.
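Review bot: The HTML comment added above the table introduction records a dated follow-up (February 28, 2017) that is invisible on the published page and that nothing will surface when the date passes. Track the table update in a work item instead of in the source. If the KB article is useful to readers, link https://support.microsoft.com/kb/3199744 from the visible text now rather than leaving it as a suggestion in a comment.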
@ -55,7 +54,7 @@ The following table lists the versions of Microsoft Office that App-V supports,
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Office 365 ProPlus</p>
<td align="left"><p>Office 365 ProPlus (either the Office 2013 or the Office 2016 version)</p>
<p>Also supported:</p>
<ul>
<li><p>Visio Pro for Office 365</p></li>
@ -71,6 +70,22 @@ The following table lists the versions of Microsoft Office that App-V supports,
</ul></td>
</tr>
<tr class="even">
<td align="left"><ul>
<li><p>Visio Professional 2016 (C2R-P)</p></li>
<li><p>Visio Standard 2016 (C2R-P)</p></li>
<li><p>Project Professional 2016 (C2R-P)</p></li>
<li><p>Project Standard 2016 (C2R-P)</p></li>
</ul></td>
<td align="left"><p>Office Deployment Tool</p></td>
<td align="left"><p>Volume Licensing</p></td>
<td align="left"><ul>
<li><p>Desktop</p></li>
<li><p>Personal VDI</p></li>
<li><p>Pooled VDI</p></li>
<li><p>RDS</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>Office Professional Plus 2013</p>
<p>Also supported:</p>
<ul>
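Review bot: The new Visio and Project 2016 row uses the abbreviation "C2R-P" in all four list items without expanding it anywhere in the visible table. Spell it out on first use or add a short note under the table so administrators can tell which installer type and licensing channel the row covers. The cell also opens directly with a `<ul>`, while the neighbouring rows open with a `<p>` product name followed by "Also supported:", so consider matching that layout.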
@ -89,12 +104,9 @@ The following table lists the versions of Microsoft Office that App-V supports,
</tbody>
</table>
 
## <a href="" id="bkmk-plan-coexisting"></a>Planning for using App-V with coexisting versions of Office
You can install more than one version of Microsoft Office side by side on the same computer by using “Microsoft Office coexistence.” You can implement Office coexistence with combinations of all major versions of Office and with installation methods, as applicable, by using the Windows Installer-based (MSi) version of Office, Click-to-Run, and App-V. However, using Office coexistence is not recommended by Microsoft.
You can install more than one version of Microsoft Office side by side on the same computer by using “Microsoft Office coexistence.” You can implement Office coexistence with combinations of all major versions of Office and with installation methods, as applicable, by using the Windows Installer-based (MSI) version of Office, Click-to-Run, and App-V. However, using Office coexistence is not recommended by Microsoft.
Microsofts recommended best practice is to avoid Office coexistence completely to prevent compatibility issues. However, when you are migrating to a newer version of Office, issues occasionally arise that cant be resolved immediately, so you can temporarily implement coexistence to help facilitate a faster migration to the latest product version. Using Office coexistence on a long-term basis is never recommended, and your organization should have a plan to fully transition in the immediate future.
@ -115,19 +127,22 @@ Before implementing Office coexistence, review the following Office documentatio
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Office 2016</p></td>
<td align="left"><p>[Information about how to use Outlook 2016 or 2013 and an earlier version of Outlook installed on the same computer](https://support.microsoft.com/kb/2782408)</p></td>
</tr>
<tr class="even">
<td align="left"><p>Office 2013</p></td>
<td align="left"><p>[Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office](http://support.microsoft.com/kb/2784668)</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td align="left"><p>Office 2010</p></td>
<td align="left"><p>[Information about how to use Office 2010 suites and programs on a computer that is running another version of Office](http://support.microsoft.com/kb/2121447)</p></td>
</tr>
</tbody>
</table>
 
The Office documentation provides extensive guidance on coexistence for Windows Installer-based (MSi) and Click-to-Run installations of Office. This App-V topic on coexistence supplements the Office guidance with information that is more specific to App-V deployments.
The Office documentation provides extensive guidance on coexistence for Windows Installer-based (MSI) and Click-to-Run installations of Office. This App-V topic on coexistence supplements the Office guidance with information that is more specific to App-V deployments.
### Supported Office coexistence scenarios
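Review bot: In the coexistence table the Office 2016 row links to https://support.microsoft.com, while the Office 2013 and Office 2010 rows still use http://support.microsoft.com. Since these rows are being touched anyway, switch the remaining two links to https so that every link in the table uses the same scheme. The Office 2016 link is also titled for Outlook only, whereas the other two rows point to guidance for the whole Office suite, so confirm that it is the intended article for this row.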
@ -166,11 +181,13 @@ The Windows Installer-based and Click-to-Run Office installation methods integra
<td align="left"><p>Office 2013</p></td>
<td align="left"><p>Always integrated. Windows operating system integrations cannot be disabled.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Office 2016</p></td>
<td align="left"><p>Always integrated. Windows operating system integrations cannot be disabled.</p></td>
</tr>
</tbody>
</table>
 
Microsoft recommends that you deploy Office coexistence with only one integrated Office instance. For example, if youre using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://support.microsoft.com/kb/2830069).
### Known limitations of Office coexistence scenarios
@ -183,9 +200,9 @@ The following limitations can occur when you install the following versions of O
- Office 2010 by using the Windows Installer-based version
- Office 2013 by using App-V
- Office 2013 or Office 2016 by using App-V
After you publish Office 2013 by using App-V side by side with an earlier version of the Windows Installer-based Office 2010 might also cause the Windows Installer to start. This is because the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer.
After you publish Office 2013 or Office 2016 by using App-V side by side with an earlier version of the Windows Installer-based Office 2010, it might also cause the Windows Installer to start. This is because the Windows Installer-based or Click-to-Run version of Office 2010 is trying to automatically register itself to the computer.
To bypass the auto-registration operation for native Word 2010, follow these steps:
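Review bot: The revised sentence beginning "After you publish Office 2013 or Office 2016 by using App-V side by side with" still reads awkwardly: "it" has no clear antecedent and "also" refers to nothing visible in the hunk. Suggest rewording along the lines of "Publishing Office 2013 or Office 2016 by using App-V side by side with an earlier Windows Installer-based version of Office 2010 might cause the Windows Installer to start." The next sentence mentions a Click-to-Run version of Office 2010, although the list above names only the Windows Installer-based version, so one of the two should be adjusted.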
@ -215,12 +232,13 @@ To bypass the auto-registration operation for native Word 2010, follow these ste
8. On the File menu, click **Exit** to close Registry Editor.
## <a href="" id="bkmk-office-integration-win"></a>How Office integrates with Windows when you use App-V to deploy Office
When you deploy Office 2013 or Office 2016 by using App-V, Office is fully integrated with the operating system, which provides end users with the same features and functionality as Office has when it is deployed without App-V.
When you deploy Office 2013 by using App-V, Office is fully integrated with the operating system, which provides end users with the same features and functionality as Office has when it is deployed without App-V.
The Office 2013 App-V package supports the following integration points with the Windows operating system:
The Office 2013 or Office 2016 App-V package supports the following integration points with the Windows operating system:
<table>
<colgroup>
@ -235,8 +253,8 @@ The Office 2013 App-V package supports the following integration points with the
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Lync meeting Join Plug-in for Firefox and Chrome</p></td>
<td align="left"><p>User can join Lync meetings from Firefox and Chrome</p></td>
<td align="left"><p>Skype for Business (formerly Lync) meeting Join Plug-in for Firefox and Chrome</p></td>
<td align="left"><p>User can join Skype meetings from Firefox and Chrome</p></td>
</tr>
<tr class="even">
<td align="left"><p>Sent to OneNote Print Driver</p></td>
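Review bot: The renamed row is inconsistent between its two cells: the integration point says "Skype for Business (formerly Lync)" but the description says "User can join Skype meetings". Use "Skype for Business meetings" in the description so it is not read as referring to a different product.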
@ -251,8 +269,8 @@ The Office 2013 App-V package supports the following integration points with the
<td align="left"><p>User can send to OneNote from IE</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Firewall Exception for Lync and Outlook</p></td>
<td align="left"><p>Firewall Exception for Lync and Outlook</p></td>
<td align="left"><p>Firewall Exception for Skype for Business (formerly Lync) and Outlook</p></td>
<td align="left"><p>Firewall Exception for Skype for Business (formerly Lync) and Outlook</p></td>
</tr>
<tr class="even">
<td align="left"><p>MAPI Client</p></td>
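Review bot: In the firewall row the description cell repeats the integration point name word for word ("Firewall Exception for Skype for Business (formerly Lync) and Outlook"), so it tells an administrator nothing about what the package changes. Since the line is being edited, use the description cell to state what exception the package creates, so that it can be reviewed against the organization's firewall policy before deployment.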
@ -307,6 +325,6 @@ Add or vote on suggestions on the [Application Virtualization feedback site](htt
## Related topics
- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md)
- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)