Merge branch 'master' of https://github.com/Microsoft/win-cpub-itpro-docs into edumaylaunch

devices/surface-hub/TOC.md

@@ -8,6 +8,7 @@
 ##### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
 ##### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
 ##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)
+##### [Online or hybrid deployment using Skype Hybrid Voice environment](skype-hybrid-voice.md)
 ##### [Create a device account using UI](create-a-device-account-using-office-365.md)
 ##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
 ##### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)

devices/surface-hub/change-history-surface-hub.md

@@ -14,6 +14,12 @@ localizationpriority: medium
 
 This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
 
+## May 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Online or hybrid deployment using Skype Hybrid Voice environment](skype-hybrid-voice.md) | New |
+
 ## February 2017
 
 | New or changed topic | Description |

devices/surface-hub/create-and-test-a-device-account-surface-hub.md

@@ -49,6 +49,7 @@ For detailed steps using PowerShell to provision a device account, choose an opt
 | [On-premises deployment (single-forest)](on-premises-deployment-surface-hub-device-accounts.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a single-forest environment. |
 | [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | Your organization has servers that it controls and uses to host Active Directory, Exchange, and Skype for Business (or Lync) in a multi-forest environment. |
 | [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Your organization has a mix of services, with some hosted on-premises and some hosted online through Office 365. |
+| [Online or hybrid deployment using Skype Hybrid Voice environment](skype-hybrid-voice.md) | Your organization has Skype for Business home pools and Exchange servers in the cloud, and uses an on-premises pool of Skype for Business 2015 or Cloud Connector edition connected via Public Switched Telephone Network (PSTN). |
 
 
 If you prefer to use a graphical user interface (UI), some steps can be done using UI instead of PowerShell. 

devices/surface-hub/skype-hybrid-voice.md

@@ -0,0 +1,105 @@
+---
+title: Online or hybrid deployment using Skype Hybrid Voice environment  (Surface Hub)
+description: This topic explains how to enable Skype for Business Cloud PBX with on premises PSTN connectivity via Cloud Connector Edition or Skype for Business 2015 pool.
+keywords: hybrid deployment, Skype Hybrid Voice 
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: jdeckerMS
+localizationpriority: medium
+---
+
+# Online or hybrid deployment using Skype Hybrid Voice environment  (Surface Hub)
+
+This topic explains how to enable Skype for Business Cloud PBX with on-premises Public Switched Telephone Network (PSTN) connectivity via Cloud Connector Edition or Skype for Business 2015 pool. In this option. your Skype for Business home pools and Exchange servers are in the cloud, and are connected by PSTN via an on-premises pool running Skype for Business 2015 or Cloud Connector edition. [Learn more about different Cloud PBX options](https://technet.microsoft.com/library/mt612869.aspx).  
+
+If you deployed Skype for Business Cloud PBX with one of the hybrid voice options, follow the steps below to enable the room account for Surface Hub. It is important to create a regular user account first, assign all hybrid voice options and phone numbers, and then convert the account to a room account. If you do not follow this order, you will not be able to assign a hybrid phone number.  
+
+>[!WARNING]
+>If you create an account before configuration of Hybrid voice (you run Enable-CSMeetingRoom command), you will not be able to configure required hybrid voice parameters. In order to configure hybrid voice parameters for a previously configured account or to reconfigure a phone number, delete the E5 or E3  + Cloud PBX add-on license, and then follow the steps below, starting at step 3.
+
+1. Create a new user account for Surface Hub. This example uses **surfacehub2@adatum.com**. The account can be created in local Active Directory and synchronized to the cloud, or created directly in the cloud. 
+
+    ![new object user](images/new-user-hybrid-voice.png)
+
+2.	Select **Password Never Expires**. This is important for a Surface Hub device.
+
+    ![Password never expires](images/new-user-password-hybrid-voice.png)
+
+3.	In Office 365, add **E5** license or **E3 and Cloud PBX** add-on to the user account created for the room. This is required for Hybrid Voice to work.
+
+    ![Add product license](images/product-license-hybrid-voice.png)
+
+4.	Wait approximately 15 minutes until the user account for the room appears in Skype for Business Online.
+
+5.	After the user account for room is created in Skype for Business Online, enable it for Hybrid Voice in Skype for Business Remote PowerShell by running the following cmdlet:
+
+    ```
+    Set-csuser surfacehub2@adatum.com EnterpriseVoiceEnabled $true -HostedVoiceMail $true -onpremlineuri tel:+15005000102
+    ```
+    
+6.	Validate Hybrid Voice call flow by placing test calls from the Surface Hub.
+
+7.	Start a remote PowerShell session on a PC and connect to Exchange by running the following cmdlets.
+
+    ```
+    Set-ExecutionPolicy Unrestricted
+    $cred=Get-Credential -Message "Please use your Office 365 admin credentials"
+    $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/ps1-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
+    Import-PSSession $sess
+    ```
+    
+8.	After establishing a session, modify the user account for the room to enable it as a **RoomMailboxAccount** by running the following cmdlets. This allows the account to authenticate with Surface Hub.
+
+    ```
+    Set-Mailbox surfacehub2@adatum.com -Type Room
+    Set-Mailbox surfacehub2@adatum.com -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String <password> -AsPlainText -Force)
+    ```
+    
+9.	After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy.
+
+    Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to **False**. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled.
+    
+    If you haven’t created a compatible policy yet, use the following cmdlet (this one creates a policy called "Surface Hubs"). After it’s created, you can apply the same policy to other device accounts.
+
+    ```
+    $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false
+    ```
+    
+    After you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. Run the following cmdlets to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox (you may need to re-enable the account and set the password again).
+    
+    ```
+    Set-Mailbox surfacehub2@adatum.com -Type Regular
+    Set-CASMailbox surfacehub2@adatum.com -ActiveSyncMailboxPolicy $easPolicy.id
+    Set-Mailbox surfacehub2@adatum.com -Type Room
+    $credNewAccount = Get-Credential -Message "Please provide the Surface Hub username and password"
+    Set-Mailbox surfacehub2@adatum.com -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true
+    ```
+    
+10.	Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties can be set in [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md). The following cmdlets provide an example of setting Exchange properties.
+
+    ```
+    Set-CalendarProcessing surfacehub2@adatum.com -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false
+    Set-CalendarProcessing surfacehub2@adatum.com -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!"
+    ```
+
+11.	Enable the mailbox as a meeting device in Skype for Business Online. Run the following cmdlet which enables the acount as a meeting device. 
+
+    ```
+    Get-CsTenant | select registrarpool
+    Enable-CsMeetingRoom surfacehub2@adatum.com -RegistrarPool  'sippoolbl20a04.infra.lync.com' -SipAddressType UserPrincipalName
+    ```
+    
+    As a result of running this cmdlet, users will be asked if they are in a meeting room, as shown in the following image. **Yes** will mute the microphone and speaker.
+
+    ![](images/adjust-room-audio.png)
+
+
+    
+At this moment the room account is fully configured, including Hybrid Voice. If you use Skype on-premises, you can configure additional attributes, like description, location, etc., on-premises. If you create a room in Skype Online, these parameters can be set online. 
+
+In the following image, you can see how the device appears to users.
+
+
+![](images/select-room-hybrid-voice.png)

devices/surface/manage-surface-dock-firmware-updates.md

@@ -87,7 +87,7 @@ For more information about how to deploy MSI packages see [Create and deploy an
 
 >[!NOTE]
 >When drivers are installed through Windows Update or the MSI package, registry keys are added that indicate the version of firmware installed on the Surface Dock and contained within the Surface Dock driver. These registry keys can be found in:
-> **HLKM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters**
+> **HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters**
 
 Firmware status is displayed for both the main chipset (displayed as **Component10**) and the DisplayPort chipset (displayed as **Component20**). For each chipset there are four keys, where *xx* is **10** or **20** corresponding to each chipset:
 

mdop/medv-v2/windows-virtual-pc-application-exclude-list.md

@@ -15,7 +15,7 @@ ms.prod: w7
 
 In some instances, you might not want applications that are installed in the MED-V workspace to be published to the host computer **Start** menu. You can unpublish these applications by following the instructions at [How to Publish and Unpublish an Application on the MED-V Workspace](how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md). However, if the program ever automatically updates, it might also be automatically republished. This causes you to have to unpublish the application again.
 
-Windows Virtual PC includes a feature known as the "Exclude List" that lets you specify certain installed applications that you do not want published to the host **Start** menu. The "Exclude List" is located in the guest registry in the HLKM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Virtual Machine\\VPCVAppExcludeList key and lists those applications that are not published to the host **Start** menu. You can think of the “Exclude List” as permanently unpublishing the specified applications because any automatic updates to the applications that are listed will not cause them to be automatically republished.
+Windows Virtual PC includes a feature known as the "Exclude List" that lets you specify certain installed applications that you do not want published to the host **Start** menu. The "Exclude List" is located in the guest registry in the HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Virtual Machine\\VPCVAppExcludeList key and lists those applications that are not published to the host **Start** menu. You can think of the “Exclude List” as permanently unpublishing the specified applications because any automatic updates to the applications that are listed will not cause them to be automatically republished.
 
 ## Managing Applications by Using the Exclude List in Windows Virtual PC
 

windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md

@@ -1,5 +1,5 @@
 ---
-title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
+title: Create a Windows Information Protection (WIP) with enrollment policy using Microsoft Intune (Windows 10)
 description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
 ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
 ms.prod: w10
@@ -10,7 +10,7 @@ author: eross-msft
 localizationpriority: high
 ---
 
-# Create a Windows Information Protection (WIP) policy using Microsoft Intune
+# Create a Windows Information Protection (WIP) with enrollment policy using Microsoft Intune
 
 **Applies to:**
 
@@ -19,13 +19,16 @@ localizationpriority: high
 
 Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
 
+>[!Important]
+>This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune) topic.
+
 ## Add a WIP policy
 After you’ve set up Intune for your organization, you must create a WIP-specific policy.
 
 **To add a WIP policy**
 1.  Open the Microsoft Intune mobile application management console, click **All settings**, and then click **App policy**.
 
-    ![Microsoft Azure Intune management console: App policy link](images/wip-azure-portal-start.png)
+    ![Microsoft Intune management console: App policy link](images/wip-azure-portal-start.png)
 
 2.  In the **App policy** screen, click **Add a policy**, and then fill out the fields:
     - **Name.** Type a name (required) for your new policy.
@@ -36,7 +39,10 @@ After you’ve set up Intune for your organization, you must create a WIP-specif
 
     - **Enrollment state.** Choose **With enrollment** as the enrollment state for your policy.
 
-        ![Microsoft Azure Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-portal-add-policy.png)
+        ![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-portal-add-policy.png)
+
+        >[!Important]
+        >Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM, you must use these instructions, [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune), instead.
 
 3.  Click **Create**.
     
@@ -53,7 +59,6 @@ The steps to add your apps are based on the type of template being applied. You
 >[!Important]
 >WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<br><br>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
 
-
 #### Add a Recommended app to your Allowed apps list
 For this example, we’re going to add Microsoft Edge, a recommended app, to the **Allowed apps** list.
 
@@ -62,19 +67,19 @@ For this example, we’re going to add Microsoft Edge, a recommended app, to the
     
     The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
 
-    ![Microsoft Azure Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png)
+    ![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png)
 
 2.  From the **Allowed apps** blade, click **Add apps**.
     
     The **Add apps** blade appears, showing you all **Recommended apps**.
 
-    ![Microsoft Azure Intune management console: Adding recommended apps to your policy](images/wip-azure-add-recommended-apps.png)
+    ![Microsoft Intune management console: Adding recommended apps to your policy](images/wip-azure-add-recommended-apps.png)
 
 3.  Select each app you want to access your enterprise data, and then click **OK**.
     
     The **Allowed apps** blade updates to show you your selected apps.
 
-    ![Microsoft Azure Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png)    
+    ![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png)    
 
 #### Add a Store app to your Allowed apps list
 For this example, we’re going to add Microsoft Power BI, a store app, to the **Allowed apps** list.
@@ -97,7 +102,7 @@ For this example, we’re going to add Microsoft Power BI, a store app, to the *
     >[!NOTE]
     >To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**.
 
-    ![Microsoft Azure Intune management console: Adding Store app info](images/wip-azure-add-store-apps.png)
+    ![Microsoft Intune management console: Adding Store app info](images/wip-azure-add-store-apps.png)
 
 If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
 
@@ -200,7 +205,7 @@ For this example, we’re going to add WordPad, a desktop app, to the **Allowed
     >[!Note]
     >To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**.
 
-    ![Microsoft Azure Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
+    ![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
 
     **To find the Publisher values for Desktop apps**
     If you’re unsure about what to include for the publisher, you can run this PowerShell command:
@@ -301,7 +306,7 @@ For this example, we’re going to add an AppLocker XML file to the **Allowed ap
     
     The blade changes to let you add your import file.
     
-    ![Microsoft Azure Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png)
+    ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png)
 
 2.	Browse to your exported AppLocker policy file, and then click **Open**.
 
@@ -343,7 +348,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
     
     The **Required settings** blade appears.
 
-    ![Microsoft Azure Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png)
+    ![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png)
 
     |Mode |Description |
     |-----|------------|
@@ -367,7 +372,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
 
 2.	If the identity isn’t correct, or if you need to add additional domains, type info into the **Corporate identity** field. For example, `contoso.com|newcontoso.com`.
 
-    ![Microsoft Azure Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
+    ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
 
 ### Choose where apps can access enterprise data
 After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
@@ -387,7 +392,7 @@ There are no default locations included with WIP, you must add each of your netw
 
     The **Add network boundary** blade appears.
 
-    ![Microsoft Azure Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
+    ![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
 
 3.	Select the type of network boundary to add from the **Boundary type** box.
 
@@ -440,7 +445,7 @@ There are no default locations included with WIP, you must add each of your netw
 
 6.	Decide if you want to Windows to look for additional network settings:
 
-    ![Microsoft Azure Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png)
+    ![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png)
 
     - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
 
@@ -459,7 +464,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to
 
 2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
 
-    ![Microsoft Azure Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png)
+    ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png)
 
 ### Choose your optional WIP-related settings
 After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings.
@@ -468,7 +473,7 @@ After you've decided where your protected apps can access enterprise data on you
 
 1.	Choose to set any or all optional settings:
 
-    ![Microsoft Azure Intune, Choose if you want to include any of the optional settings](images/wip-azure-advanced-settings-optional.png)
+    ![Microsoft Intune, Choose if you want to include any of the optional settings](images/wip-azure-advanced-settings-optional.png)
     
     - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
         
@@ -505,11 +510,21 @@ Optionally, if you don’t want everyone in your organization to be able to shar
 >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
 
 ## Related topics
-- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
-- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
-- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
-- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
 - [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
 
+- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune)
+
+- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
+
+- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
+
+- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
+
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
+
+- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
+
+
+
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).