Merge branch 'master' into tvm-event-insights

This commit is contained in:
Beth Levin 2020-06-15 12:01:15 -07:00
commit fef5a5d530
301 changed files with 7289 additions and 2496 deletions

View File

@ -1,5 +1,8 @@
{:allowed-branchname-matches ["master"]
:allowed-filename-matches ["windows/"]
:guidance-profile "d2b6c2c8-00ee-47f1-8d10-b280cc3434c1" ;; Profile ID for "M365-specific"
:acrolinx-check-settings
{
"languageId" "en"
@ -33,6 +36,6 @@ Click the scorecard links for each article to review the Acrolinx feedback on gr
"
**More info about Acrolinx**
You are helping M365 test Acrolinx while we merge to the Microsoft instance. We have set the minimum score to 20 to test that the minimum score script works. This is effectively *not* setting a minimum score. If you need to bypass this score, please contact krowley or go directly to the marveldocs-admins. Thanks for your patience while we continue with roll out!
We have set the minimum score to 20. This is effectively *not* setting a minimum score. If you need to bypass this score, please contact MARVEL PubOps.
"
}

Binary file not shown.

View File

@ -188,5 +188,4 @@
### [Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
## KB Troubleshoot
### [Clear the Internet Explorer cache from a command line](kb-support/clear-ie-cache-from-command-line.md)
### [Internet Explorer and Microsoft Edge FAQ for IT Pros](kb-support/ie-edge-faqs.md)

View File

@ -1,6 +1,6 @@
---
title: IE and Microsoft Edge FAQ for IT Pros
description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals.
description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals.
audience: ITPro
manager: msmets
author: ramakoni1

View File

@ -17,6 +17,14 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
## Windows 10 Holographic, version 2004
The topics in this library have been updated for Windows 10 Holographic, version 2004.
## HoloLens 2
The topics in this library have been updated for HoloLens 2 and Windows 10 Holographic, version 1903.
## April 2019
New or changed topic | Description

View File

@ -44,7 +44,9 @@ To take a quick photo of your current view, press the volume up and volume down
### Voice commands to take photos
Cortana can also take a picture. Say: "Hey Cortana, take a picture."
On HoloLens 2, version 2004 (and later), say: "Take a picture."
On HoloLens (1st gen) or HoloLens 2, version 1903, say: "Hey Cortana, take a picture."
### Start menu to take photos
@ -67,7 +69,9 @@ The quickest way to record a video is to press and hold the **volume up** and **
### Voice to record videos
Cortana can also record a video. Say: "Hey Cortana, start recording." To stop a video, say "Hey Cortana, stop recording."
On HoloLens 2, version 2004 (and later), say: "Start recording." To stop recording, say "Stop recording."
On HoloLens (1st gen) or HoloLens 2, version 1903, say: "Hey Cortana, start recording." To stop recording, say "Hey Cortana, stop recording."
### Start menu to record videos

View File

@ -34,7 +34,7 @@ appliesto:
1. **What frequency range and channels does the device operate on and is it configurable?**
1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
1. Bluetooth: Bluetooth uses the standard 2.4-2.48 GHz range.
1. **Can the device blacklist or white list specific frequencies?**
1. **Can the device allow or block specific frequencies?**
1. This is not controllable by the user/device
1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
1. Our emissions testing standards can be found [here](https://fccid.io/C3K1688). Range of operation is highly dependent on the access point and environment - but is roughly equivalent to other high-quality phones, tablets, or PCs.
@ -63,9 +63,9 @@ appliesto:
1. Yes
1. **Is there an ability to control or disable the use of ports on the device?**
1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
1. **Antivirus, end point detection, IPS, app control whitelist Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
1. **Antivirus, end point detection, IPS, app control allow list Any ability to run antivirus, end point detection, IPS, app control allow list, etc.**
1. Windows Holographic for Business (commercial suite) does support Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
1. Allowing apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
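Review bot: In the app-control answer, "Allowing apps is possible by using the Microsoft Enterprise Store" no longer carries the meaning of the sentence it replaces, which was restricting the device to an approved set of apps. Suggest wording such as "Restricting devices to an approved list of apps is possible by using the Microsoft Enterprise Store". The question above it still runs a label and a sentence together with no punctuation after the first "allow list".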
@ -85,7 +85,7 @@ appliesto:
1. C3K1855
1. **What frequency range and channels does the device operate on and is it configurable?**
1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
1. **Can the device blacklist or white list specific frequencies?**
1. **Can the device allow or block specific frequencies?**
1. This is not controllable by the user/device
1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region's regulatory rules.
@ -113,9 +113,9 @@ appliesto:
1. Yes
1. **Is there an ability to control or disable the use of ports on the device?**
1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
1. **Antivirus, end point detection, IPS, app control whitelist Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
1. **Antivirus, end point detection, IPS, app control allow Any ability to run antivirus, end point detection, IPS, app control allow, etc.**
1. HoloLens 2nd Gen supports Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
1. Allowing apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time? Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc. When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
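Review bot: The replacement question reads "app control allow Any ability to run antivirus, end point detection, IPS, app control allow, etc.", which drops the noun. The first-generation section earlier in this file uses "app control allow list" for the same question, so use "allow list" here as well to keep the two FAQ sections identical.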

View File

@ -37,7 +37,7 @@ To use HoloLens, each user follows these steps:
1. If another user has been using the device, do one of the following:
- Press the power button once to go to standby, and then press the power button again to return to the lock screen
- HoloLens 2 users may select the user tile on the top of the Pins panel to sign out the current user.
- HoloLens 2 users may select the user tile from the Start menu to sign out the current user.
1. Use your Azure AD account credentials to sign in to the device.
If this is the first time that you have used the device, you have to [calibrate](hololens-calibration.md) HoloLens to your own eyes.

View File

@ -22,7 +22,7 @@ appliesto:
# Manage connection endpoints for HoloLens
Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuration (e.g. proxy or firewall) for those components to be functional.
Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be allowed in your network configuration (e.g. proxy or firewall) for those components to be functional.
## Near-offline setup

View File

@ -8,7 +8,7 @@ ms.prod: hololens
ms.sitesec: library
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/12/2020
ms.date: 06/9/2020
ms.custom:
- CI 111456
- CSSTroubleshooting
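Review bot: `ms.date: 06/9/2020` mixes a zero-padded month with an unpadded day, while the value it replaces (`05/12/2020`) was MM/DD/YYYY. Write it as `06/09/2020` so the field keeps one format.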
@ -20,6 +20,48 @@ appliesto:
# HoloLens 2 release notes
## Windows Holographic, version 2004 - June 2020 Update
- Build 19041.1106
Improvements and fixes in the update:
- Custom MRC recorders have new default values for certain properties if they aren't specified.
- On the MRC Video Effect:
- PreferredHologramPerspective (1 PhotoVideoCamera)
- GlobalOpacityCoefficient (0.9 (HoloLens) 1.0 (Immersive headset))
- On the MRC Audio Effect:
- LoopbackGain (the current "App Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
- MicrophoneGain (the current "Mic Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
- This update contains a bug fix that improves audio quality in Mixed Reality Capture scenarios. Specifically, it should eliminate any audio glitching in the recording when the Start Menu is displayed.
- Improved hologram stability in recorded videos.
- Resolves an issue where mixed reality capture couldn't record video after device is left in standby state for multiple days.
- The HolographicSpace.UserPresence API is generally disabled for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled. The API is now enabled for Unity versions 2018.4.18 and higher, and 2019.3.4 and higher.
- When accessing Device Portal over a WiFi connection, a web browser might prevent access to due to an invalid certificate, reporting an error such as "ERR_SSL_PROTOCOL_ERROR," even if the device certificate has previously been trusted. In this case, you would be unable to progress to Device Portal as options to ignore security warnings are not available. This update resolves the issue. If the device certificate was previously downloaded and trusted on a PC to remove browser security warnings and the SSL error has been encountered, the new certificate will need to be downloaded and trusted to address browser security warnings.
- Enabled ability to create a runtime provisioning package which can install an app using MSIX packages.
- New setting that users can find under Settings > System > Holograms, that allows users to automatically remove all holograms from the mixed reality home when the device shuts down.
- Fixed an issue that caused HoloLens apps that change their pixel format to render black in the HoloLens emulator.
- Fixed bug that caused a crash during Iris Login.
- Fixes an issue around repeated store downloads for already current apps.
- Fixed a bug to preventing immersive apps from launching Edge multiple times.
- Fixes an issue around launches of the Photos app in initial boots after updating from the 1903 release.
- Improved performance and reliability.
## Windows Holographic, version 1903 - June 2020 Update
- Build 18362.1064
Improvements and fixes in the update:
- Custom MRC recorders have new default values for certain properties if they aren't specified.
- On the MRC Video Effect:
- PreferredHologramPerspective (1 PhotoVideoCamera)
- GlobalOpacityCoefficient (0.9 (HoloLens) 1.0 (Immersive headset))
- On the MRC Audio Effect:
- LoopbackGain (the current "App Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
- MicrophoneGain (the current "Mic Audio Gain" value on the Mixed Reality Capture page in Windows Device Portal)
- The HolographicSpace.UserPresence API is generally disabled for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled. The API is now enabled for Unity versions 2018.4.18 and higher, and 2019.3.4 and higher.
- Fixed an issue that caused HoloLens apps that change their pixel format to render black in the HoloLens emulator.
- Fixes an issue around launches of the Photos app in initial boots after updating from the 1903 release.
## Windows Holographic, version 2004
Build - 19041.1103
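Review bot: Two of the added bullets have leftover words: "might prevent access to due to an invalid certificate" and "Fixed a bug to preventing immersive apps from launching Edge multiple times". The second is ambiguous about whether the fix stops repeated Edge launches or enables them. In the Device Portal certificate bullet, lead with the action the reader must take (download and trust the new device certificate if the old one was trusted and the SSL error appeared), since that is the step they have to carry out. The 1903 section also lists "Fixes an issue around launches of the Photos app in initial boots after updating from the 1903 release", which is worth confirming applies to a 1903 build.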
@ -32,7 +74,7 @@ We are excited to announce our May 2020 major software update for HoloLens 2, **
| Improved provisioning | Seamlessly apply a provisioning package from a USB drive to your HoloLens |
| Application install status | Check install status for apps have been pushed to HoloLens 2 via MDM, in the Settings app |
| Configuration Service Providers (CSPs) | Added new Configuration Service Providers (CSPs) enhancing admin control capabilities. |
| USB 5G/LTE support | Expanded USB Ethernet capability enables support for 5G/LTE dongles |
| USB 5G/LTE support | Expanded USB Ethernet capability enables support for 5G/LTE |
| Dark App Mode | Dark App Mode for apps that support both dark and light modes, improving the viewing experience |
| Voice Commands | Support for additional system voice commands to control HoloLens, hands-free |
| Hand Tracking improvements | Hand Tracking improvements make buttons and 2D slate interactions more accurate |
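Review bot: In the "USB 5G/LTE support" row, dropping "dongles" leaves "enables support for 5G/LTE" without saying what is being supported. If the word is being avoided, name the hardware another way so the row still says that connectivity comes through a USB-attached device.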

View File

@ -23,7 +23,7 @@ This document also assumes that the HoloLens has been evaluated by security team
1. [Determine what features you need](hololens-requirements.md#step-1-determine-what-you-need)
1. [Determine what licenses you need](hololens-licenses-requirements.md)
1. [Configure your network for HoloLens](hololens-commercial-infrastructure.md).
1. This section includes bandwidth requirements, URL, and ports that need to be whitelisted on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance.
1. This section includes bandwidth requirements, URL, and ports that need to be allowed on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance.
1. (Optional) [Configure HoloLens using a provisioning package](hololens-provisioning.md)
1. [Enroll Device](hololens-enroll-mdm.md)
1. [Set up ring based updates for HoloLens](hololens-updates.md)

View File

@ -16,6 +16,9 @@ appliesto:
# Unlock Windows Holographic for Business features
> [!IMPORTANT]
> This page only applies to HoloLens 1st Gen.
Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 that is designed for HoloLens), and in the [Commercial Suite](hololens-commercial-features.md), which provides extra features designed for business.
When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. You can apply this license to the device either by using the organization's [mobile device management (MDM) provider](#edition-upgrade-by-using-mdm) or a [provisioning package](#edition-upgrade-by-using-a-provisioning-package).

View File

@ -71,10 +71,9 @@ Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows
Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements:
- The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune.
- Every device can connect to the internet. You can "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity.
- Every device can connect to a computer by using a USB-C cable, and that computer has the following available:
- Advanced Recovery Companion (ARC)
- The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version)
- Every device can connect to the internet. You can use "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity.
- Every device can connect to a computer by using a USB-C cable, and that computer has [Advanced Recovery Companion (ARC)](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?rtc=1&activetab=pivot:overviewtab) installed
- Every device has the latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version.
To configure and manage the Autopilot self-deploying mode profiles, make sure that you have access to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
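Review bot: The Advanced Recovery Companion link in the rewritten bullet carries store query parameters (`?rtc=1&activetab=pivot:overviewtab`) that are not needed to reach the page; link to the bare product URL. That bullet also ends without a period while its neighbours have one. The Windows build requirement moved from the connected computer to "Every device", so confirm which machine version 19041.1002.200107-0909 is meant to describe.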

View File

@ -32,6 +32,7 @@
### [Create provisioning packages for Surface Hub 2S](surface-hub-2s-deploy.md)
### [Deploy apps to Surface Hub 2S using Intune](surface-hub-2s-deploy-apps-intune.md)
### [Create Surface Hub 2S on-premises accounts with PowerShell](surface-hub-2s-onprem-powershell.md)
### [Surface Hub Teams app](hub-teams-app.md)
## Manage
### [Manage Surface Hub 2S with Microsoft Intune](surface-hub-2s-manage-intune.md)

View File

@ -21,10 +21,10 @@ The Microsoft Surface Hub's device account uses ActiveSync to sync mail and cale
For these features to work, the ActiveSync policies for your organization must be configured as follows:
- There can't be any global policies that block synchronization of the resource mailbox that's being used by the Surface Hubs device account. If there is such a blocking policy, you need to whitelist the Surface Hub as an allowed device.
- There can't be any global policies that block synchronization of the resource mailbox that's being used by the Surface Hubs device account. If there is such a blocking policy, you need to add the Surface Hub as an allowed device.
- You must set a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Other mobile device mailbox policy settings are not compatible with the Surface Hub.
## Whitelisting the DeviceID
## Allowing the DeviceID
Your organization may have a global policy that prevents syncing of device accounts provisioned on Surface Hubs. To configure this property, see [Allowing device IDs for ActiveSync](appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet).
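Review bot: The heading changes to "## Allowing the DeviceID", but the link in the paragraph under it still targets `appendix-a-powershell-scripts-for-surface-hub.md#whitelisting-device-ids-cmdlet`. If the appendix heading is renamed in the same terminology pass, that anchor will stop resolving, so update both together. Renaming this heading also changes this page's own anchor; check for inbound links to the old one.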

View File

@ -38,7 +38,7 @@ This table explains the main steps and configuration decisions when you create a
| 2 | Configure mailbox properties | The mailbox must be configured with the correct properties to enable the best meeting experience on Surface Hub. For more information on mailbox properties, see [Mailbox properties](exchange-properties-for-surface-hub-device-accounts.md). |
| 3 | Apply a compatible mobile device mailbox policy to the mailbox | Surface Hub is managed using mobile device management (MDM) rather than through mobile device mailbox policies. For compatibility, the device account must have a mobile device mailbox policy where the **PasswordEnabled** setting is set to False. Otherwise, Surface Hub can't sync mail and calendar info. |
| 4 | Enable mailbox with Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business must be enabled to use conferencing features like video calls, IM, and screen sharing. |
| 5 | (Optional) Whitelist ActiveSync Device ID | Your organization may have a global policy that prevents device accounts from syncing mail and calendar info. If so, you need to whitelist the ActiveSync Device ID of your Surface Hub. |
| 5 | (Optional) Whitelist ActiveSync Device ID | Your organization may have a global policy that prevents device accounts from syncing mail and calendar info. If so, you need to allow the ActiveSync Device ID of your Surface Hub. |
| 6 | (Optional) Disable password expiration | To simplify management, you can turn off password expiration for the device account and allow Surface Hub to automatically rotate the device account password. For more information about password management, see [Password management](password-management-for-surface-hub-device-accounts.md). |
## Detailed configuration steps
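Review bot: The step 5 title cell still reads "(Optional) Whitelist ActiveSync Device ID" after the description in the same row was changed to "allow the ActiveSync Device ID". Update the title cell too, for example "(Optional) Allow ActiveSync Device ID".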

View File

@ -0,0 +1,23 @@
---
title: Microsoft Teams app for Surface Hub
description: Provides a version history of updates for the Microsoft Teams app for Surface Hub
keywords: surface, hub,
ms.prod: surface-hub
ms.sitesec: library
author: greglin
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
---
# Microsoft Teams app for Surface Hub
The Microsoft Teams app for Surface Hub is periodically updated and available via the [Microsoft Store](https://www.microsoft.com/store/apps/windows). If you manage Surface Hub with Automatic Updates enabled (default setting), the app will update automatically.
## Version history
| Store app version | Updates | Published to Microsoft Store |
| --------------------- | --------------------------------------------------------------------------------------------------- | -------------------------------- |
| 0.2020.13201.0 | - 3x3 Gallery view on Surface Hub<br>- Ability to search for External users | June 10, 2020<br> **** |
| 0.2020.13201 | - Quality improvements and Bug fixes | June 1, 2020<br> **** |
| 0.2020.4301.0 | - Accept incoming PSTN calls on Surface Hub<br>- Added controls for Attendee/Presenter role changes | May 21, 2020 |
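Review bot: In the version history table, the two June rows end with `<br> ****`, an empty bold span that should be removed. The second row's version, 0.2020.13201, lacks the fourth component the other rows have and differs from the row above only by ".0", so confirm the number. In the front matter, `keywords: surface, hub,` has a trailing comma, and there is no `ms.date`, which the other new articles in this commit set.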

View File

@ -40,12 +40,12 @@ Surface Hubs have many settings that are common to other Windows devices, but al
| Wireless projection (Miracast) channel | Surface Hub > Projection | Set the channel for Miracast projection. |
| Meeting info shown on the welcome screen | Surface Hub > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. |
| Welcome screen background | Surface Hub > Welcome screen | Choose a background image for the welcome screen. |
| Idle timeout to Welcome screen | Surface Hub > Session & Power | Choose how long until the Surface Hub returns to the welcome screen after no motion is detected. |
| Resume session | Surface Hub > Session & Power | Choose to allow users to resume a session after no motion is detected or to automatically clean up a session. |
| Access to Office 365 meetings and files | Surface Hub > Session & Power | Choose whether a user can sign in to Office 365 to get access to their meetings and files. |
| Turn on screen with motion sensors | Surface Hub > Session & clean up | Choose whether the screen turns on when motion is detected. |
| Session time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. |
| Sleep time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. |
| Session timeout to Welcome screen | Surface Hub > Session & power | Choose how long until the Surface Hub returns to the welcome screen after no motion is detected. |
| Resume session | Surface Hub > Session & power | Choose to allow users to resume a session after no motion is detected or to automatically clean up a session. |
| Access to Office 365 meetings and files | Surface Hub > Session & power | Choose whether a user can sign in to Office 365 to get access to their meetings and files. |
| Turn on screen with motion sensors | Surface Hub > Session & power | Choose whether the screen turns on when motion is detected. |
| Screen time out | Surface Hub > Session & power | Choose how long the device needs to be inactive before turning off the screen. |
| Sleep time out | Surface Hub > Session & power | Choose how long the device needs to be inactive before going to sleep mode. |
| Friendly name | Surface Hub > About | Set the Surface Hub name that people will see when connecting wirelessly. |
| Maintenance hours | Update & security > Windows Update > Advanced options | Configure when updates can be installed. |
| Configure Windows Server Update Services (WSUS) server | Update & security > Windows Update > Advanced options | Change whether Surface Hub receives updates from a WSUS server instead of Windows Update. |
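Review bot: The renamed rows mix "timeout" and "time out": "Session timeout to Welcome screen" sits next to "Screen time out" and "Sleep time out". Pick one spelling, matching the labels shown in the Settings app, and apply it to all three rows.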

View File

@ -415,7 +415,7 @@ Possible fixes for issues with Surface Hub first-run program.
<td align="left"><p>Can't sync mail/calendar.</p></td>
<td align="left"><p>The account has not allowed the Surface Hub as an allowed device.</p></td>
<td align="left"><p>0x86000C1C</p></td>
<td align="left"><p>Add the Surface Hub device ID to the whitelist by setting the <strong>ActiveSyncAllowedDeviceIds</strong> property for the mailbox.</p></td>
<td align="left"><p>Add the Surface Hub device ID to the allowed list by setting the <strong>ActiveSyncAllowedDeviceIds</strong> property for the mailbox.</p></td>
</tr>
</tbody>
</table>

View File

@ -51,16 +51,18 @@
### [Surface Brightness Control](microsoft-surface-brightness-control.md)
### [Surface Asset Tag](assettag.md)
## Secure
### [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md)
### [Manage Surface UEFI settings](manage-surface-uefi-settings.md)
### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
### [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
### [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md)
### [Use Microsoft Endpoint Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md)
### [Surface Data Eraser](microsoft-surface-data-eraser.md)
### [Surface DMA Protection](dma-protect.md)
## Troubleshoot
### [Top support solutions for Surface devices](support-solutions-surface.md)

View File

@ -0,0 +1,22 @@
---
title: Surface DMA Protection
description: This article describes DMA protection on compatible Surface devices
ms.prod: w10
ms.mktglfcycl: manage
ms.localizationpriority: medium
ms.sitesec: library
author: coveminer
ms.author: greglin
ms.topic: article
ms.date: 6/10/2020
ms.reviewer: carlol
manager: laurawi
audience: itpro
---
# DMA Protection on Surface devices
Direct Memory Access (DMA) protection is designed to mitigate potential security vulnerabilities associated with using removable SSDs or external storage devices. Newer Surface devices come with DMA Protection enabled by default. These include Surface Pro 7, Surface Laptop 3, and Surface Pro X. To check the presence of DMA protection feature on your device, open System Information (**Start** > **msinfo32.exe**), as shown in the figure below.
![System information showing DMA Protection enabled](images/systeminfodma.png)
If a Surface removable SSD is tampered with, the device will shutoff power. The resulting reboot causes UEFI to wipe memory, to erase any residual data.
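Review bot: The instruction "To check the presence of DMA protection feature on your device, open System Information" relies entirely on the screenshot. Name the System Information entry and the value the reader should see, so the check works without the image. "the device will shutoff power" should be "shut off power", and the opening sentence would be more useful if it said what DMA protection blocks rather than "potential security vulnerabilities associated with using removable SSDs or external storage devices". `ms.date: 6/10/2020` is also unpadded.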

View File

@ -97,6 +97,29 @@ To support Surface Laptop 3 with Intel Processor, import the following folders:
- SurfaceUpdate\SurfaceSerialHub
- SurfaceUpdate\SurfaceHotPlug
- SurfaceUpdate\Itouch
Importing the following folders will enable full keyboard, trackpad, and touch functionality in PE for Surface Laptop 3.
- IclSerialIOGPIO
- IclSerialIOI2C
- IclSerialIOSPI
- IclSerialIOUART
- itouch
- IclChipset
- IclChipsetLPSS
- IclChipsetNorthpeak
- ManagementEngine
- SurfaceAcpiNotify
- SurfaceBattery
- SurfaceDockIntegration
- SurfaceHidMini
- SurfaceHotPlug
- SurfaceIntegration
- SurfaceSerialHub
- SurfaceService
- SurfaceStorageFwUpdate
> [!NOTE]
> Check the downloaded MSI package to determine the format and directory structure. The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released.
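Review bot: The added list names folders without the `SurfaceUpdate\` prefix that the list directly above uses, spells `itouch` in lower case where the earlier entry is `SurfaceUpdate\Itouch`, and repeats SurfaceHotPlug and SurfaceSerialHub from that earlier list. State whether this list replaces or extends the one above and give the paths in the same form. The note that follows says the root may be SurfacePlatformInstaller or SurfaceUpdate, so bare folder names need a sentence saying where they sit.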

View File

@ -72,10 +72,10 @@ landingContent:
linkLists:
- linkListType: how-to-guide
links:
- text: Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
url: secure-surface-dock-ports-semm.md
- text: Intune management of Surface UEFI settings
url: surface-manage-dfci-guide.md
- text: Surface Enterprise Management Mode (SEMM)
url: surface-enterprise-management-mode.md
- text: Surface Data Eraser tool
url: microsoft-surface-data-eraser.md

Binary file not shown.


View File

@ -35,7 +35,7 @@ Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Su
For detailed steps, see the following resources:
- [How to manage Surface driver updates in Configuration Manager](https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager.md)
- [How to manage Surface driver updates in Configuration Manager](https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager)
- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications)
- [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/)
@ -142,8 +142,8 @@ This file name provides the following information:
## Learn more
- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware)
- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager)
- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications).
- [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager)
- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications)
- [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/)
- [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit)
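Review bot: the two links titled "How to manage Surface driver updates in Configuration Manager" in this file now point at different targets. The entry under "For detailed steps" goes to docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager, while this Learn more entry still goes to support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager. Pick one target and use it in both places so readers do not land on two different articles from the same link text.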

View File

@ -0,0 +1,168 @@
---
title: Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
description: This document provides guidance for configuring UEFI port settings for Surface Dock 2 when connected to compatible Surface devices including Surface Book 3, Surface Laptop 3, and Surface Pro 7.
ms.assetid: 2808a8be-e2d4-4cb6-bd53-9d10c0d3e1d6
ms.reviewer:
manager: laurawi
keywords: Troubleshoot common problems, setup issues
ms.prod: w10
ms.mktglfcycl: support
ms.sitesec: library
ms.pagetype: surfacehub
author: v-miegge
ms.author: jesko
ms.topic: article
ms.date: 06/08/2020
ms.localizationpriority: medium
ms.audience: itpro
---
# Secure Surface Dock 2 ports with Surface Enterprise Management Mode (SEMM)
## Introduction
Surface Enterprise Management Mode (SEMM) enables IT admins to secure and manage Surface Dock 2 ports by configuring UEFI settings in a Windows installer configuration package (.MSI file) deployed to compatible Surface devices across a corporate environment.
### Supported devices
Managing Surface Dock 2 with SEMM is available for docks connected to Surface Book 3, Surface Laptop 3, and Surface Pro 7. These compatible Surface devices are commonly referred to as **host devices**. A package is applied to host devices based on if a host device is **authenticated** or **unauthenticated**. Configured settings reside in the UEFI layer on host devices enabling you — the IT admin — to manage Surface Dock 2 just like any other built-in peripheral such as the camera.
>[!NOTE]
>You can manage Surface Dock 2 ports only when the dock is connected to one of the following compatible devices: Surface Book 3, Surface Laptop 3, and Surface Pro 7. Any device that doesn't receive the UEFI Authenticated policy settings is inherently an unauthenticated device.
### Scenarios
Restricting Surface Dock 2 to authorized persons signed into a corporate host device provides another layer of data protection. This ability to lock down Surface Dock 2 is critical for specific customers in highly secure environments who want the functionality and productivity benefits of the dock while maintaining compliance with strict security protocols. We anticipate SEMM used with Surface Dock 2 will be particularly useful in open offices and shared spaces especially for customers who want to lock USB ports for security reasons. For a video demo, check out [SEMM for Surface Dock 2](https://youtu.be/VLV19ISvq_s).
## Configuring and deploying UEFI settings for Surface Dock 2
This section provides step-by-step guidance for the following tasks:
1. Install [**Surface UEFI Configurator**](https://www.microsoft.com/download/details.aspx?id=46703).
1. Create or obtain public key certificates.
1. Create an .MSI configuration package.
1. Add your certificates.
1. Enter the 16-digit RN number for your Surface Dock 2 devices.
1. Configure UEFI settings.
1. Build and apply the configuration package to targeted Surface devices (Surface Book 3, Surface Laptop 3, or Surface Pro 7.)
>[!NOTE]
>The **Random Number (RN)** is a unique 16-digit hex code identifier which is provisioned at the factory, and printed in small type on the underside of the dock. The RN differs from most serial numbers in that it can't be read electronically. This ensures proof of ownership is primarily established only by reading the RN when physically accessing the device. The RN may also be obtained during the purchase transaction and is recorded in Microsoft inventory systems.
### Install SEMM and Surface UEFI Configurator
Install SEMM by running **SurfaceUEFI_Configurator_v2.71.139.0.msi**. This is a standalone installer and contains everything you need to create and distribute configuration packages for Surface Dock 2.
- Download **Surface UEFI Configurator** from [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703).
## Create public key certificates
This section provides specifications for creating the certificates needed to manage ports for Surface Dock 2.
### Prerequisites
This article assumes that you either obtain certificates from a third-party provider or you already have expertise in PKI certificate services and know how to create your own. You should be familiar with and follow the general recommendations for creating certificates as described in [Surface Enterprise Management Mode (SEMM)](https://docs.microsoft.com/surface/surface-enterprise-management-mode) documentation, with one exception. The certificates documented on this page require expiration terms of 30 years for the **Dock Certificate Authority**, and 20 years for the **Host Authentication Certificate**.
For more information, see [Certificate Services Architecture](https://docs.microsoft.com/windows/win32/seccrypto/certificate-services-architecture) documentation and review the appropriate chapters in [Windows Server 2019 Inside Out](https://www.microsoftpressstore.com/store/windows-server-2019-inside-out-9780135492277), or [Windows Server 2008 PKI and Certificate Security](https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788) available from Microsoft Press.
### Root and host certificate requirements
Prior to creating the configuration package, you need to prepare public key certificates that authenticate ownership of Surface Dock 2 and facilitate any subsequent changes in ownership during the device lifecycle. The host and provisioning certificates require entering EKU IDs otherwise known as **Client Authentication Enhanced Key Usage (EKU) object identifiers (OIDs)**.
The required EKU values are listed in Table 1 and Table 2.
#### Table 1. Root and Dock Certificate requirements
|Certificate|Algorithm|Description|Expiration|EKU OID|
|---|---|---|---|---|
|Root Certificate Authority|ECDSA_P384|- Root certificate with 384-bit prime elliptic curve digital signature algorithm (ECDSA)<br>- SHA 256 Key Usage:<br>CERT_DIGITAL_SIGNATURE_KEY_USAGE<br>- CERT_KEY_CERT_SIGN_KEY_USAGE<br>CERT_CRL_SIGN_KEY_USAGE|30 years|N/A
|Dock Certificate Authority|ECC P256 curve|- Host certificate with 256-bit elliptic-curve cryptography (ECC)<br>- SHA 256 Key Usage:<br>CERT_KEY_CERT_SIGN_KEY_USAGE<br>- Path Length Constraint = 0|20 years|1.3.6.1.4.1.311.76.9.21.2<br>1.3.6.1.4.1.311.76.9.21.3|
>[!NOTE]
>The dock CA must be exported as a .p7b file.
### Provisioning Administration Certificate requirements
Each host device must have the doc CA and two certificates as shown in Table 2.
#### Table 2. Provisioning administration certificate requirements
|Certificate|Algorithm|Description|EKU OID|
|---|---|---|---|
|Host authentication certificate|ECC P256<br>SHA 256|Proves the identity of the host device.|1.3.6.1.4.1.311.76.9.21.2|
|Provisioning administration certificate|ECC P256<br>SHA256|Enables you to change dock ownership and/or policy settings by allowing you to replace the CA that's currently installed on the dock.|1.3.6.1.4.1.311.76.9.21.3<br>1.3.6.1.4.1.311.76.9.21.4|
>[!NOTE]
>The host authentication and provisioning certificates must be exported as .pfx files.
### Create configuration package
When you have obtained or created the certificates, youre ready to build the MSI configuration package that will be applied to target Surface devices.
1. Run Surface **UEFI Configurator**.
![Run Surface UEFI Configurator](images/secure-surface-dock-ports-semm-1.png)
1. Select **Surface Dock**.
![Select Surface Dock](images/secure-surface-dock-ports-semm-2.png)
1. On the certificate page, enter the appropriate **certificates**.
![enter the appropriate certificates](images/secure-surface-dock-ports-semm-3.png)
1. Add appropriate dock RNs to the list.
>[!NOTE]
>When creating a configuration package for multiple Surface Dock 2 devices, instead of entering each RN manually, you can use a .csv file that contains a list of RNs.
1. Specify your policy settings for USB data, Ethernet, and Audio ports. UEFI Configurator lets you configure policy settings for authenticated users (Authenticated Policy) and unauthenticated users (Unauthenticated Policy). The following figure shows port access turned on for authenticated users and turned off for unauthenticated users.
![Choose which components you want to activate or deactivate.](images/secure-surface-dock-ports-semm-4.png)
- Authenticated user refers to a Surface Device that has the appropriate certificates installed, as configured in the .MSI configuration package that you applied to target devices. It applies to any user authenticated user who signs into the device.
- Unauthenticated user refers to any other device.
- Select **Reset** to create a special “Reset” package that will remove any previous configuration package that the dock had accepted.
1. Select **Build** to create the package as specified.
### Apply the configuration package to a Surface Dock 2
1. Take the MSI file that the Surface UEFI Configurator generated and install it on a Surface host device. Compatible host devices are Surface Book 3, Surface Laptop 3, or Surface Pro 7.
1. Connect the host device to the Surface Dock 2. When you connect the dock UEFI policy settings are applied.
## Verify managed state using the Surface App
Once you have applied the configuration package, you can quickly verify the resultant policy state of the dock directly from the Surface App, installed by default on all Surface devices. If Surface App isn't present on the device, you can download and install it from the Microsoft Store.
### Test scenario
Objective: Configure policy settings to allow port access by authenticated users only.
1. Turn on all ports for authenticated users and turn them off for unauthenticated users.
![Enabling ports for authenticated users](images/secure-surface-dock-ports-semm-4.png)
1. Apply the configuration package to your target device and then connect Surface Dock 2.
1. Open **Surface App** and select **Surface Dock** to view the resultant policy state of your Surface Dock. If the policy settings are applied, Surface App will indicate that ports are available.
![Surface app shows all ports are available for authenticated users](images/secure-surface-dock-ports-semm-5.png)
1. Now you need to verify that the policy settings have successfully turned off all ports for unauthenticated users. Connect Surface Dock 2 to an unmanaged device, i.e., any Surface device outside the scope of management for the configuration package you created.
1. Open **Surface App** and select **Surface Dock**. The resultant policy state will indicate ports are turned off.
![Surface app showing ports turned off for unauthenticated users ](images/secure-surface-dock-ports-semm-6.png)
>[!NOTE]
>If you want to keep ownership of the device, but allow all users full access, you can make a new package with everything turned on. If you wish to completely remove the restrictions and ownership of the device (make it unmanaged), select **Reset** in Surface UEFI Configurator to create a package to apply to target devices.
Congratulations. You have successfully managed Surface Dock 2 ports on targeted host devices.
## Learn more
- [Surface Enterprise Management Mode (SEMM) documentation](https://docs.microsoft.com/surface/surface-enterprise-management-mode)
- [Certificate Services Architecture](https://docs.microsoft.com/windows/win32/seccrypto/certificate-services-architecture)
- [Windows Server 2019 Inside Out](https://www.microsoftpressstore.com/store/windows-server-2019-inside-out-9780135492277)
- [Windows Server 2008 PKI and Certificate Security](https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788)
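Review bot: the certificate lifetimes contradict each other. Prerequisites requires "30 years for the **Dock Certificate Authority**, and 20 years for the **Host Authentication Certificate**", but Table 1 lists 30 years for the Root Certificate Authority and 20 years for the Dock Certificate Authority, and Table 2 has no Expiration column at all. Admins will issue long-lived certificates from these numbers, so state one set of values and add the expiration to Table 2. In the same tables, the Dock Certificate Authority row is described as a "Host certificate", the Root row is missing its closing `|`, and the Key Usage bullets are split unevenly across the `<br>` breaks. Smaller fixes: "doc CA" under Provisioning Administration Certificate requirements, "youre" under Create configuration package, "any user authenticated user" in the Authenticated user bullet, the trailing space in the alt text of the last image, and front matter values (`keywords: Troubleshoot common problems, setup issues`, `ms.pagetype: surfacehub`) that do not describe this article.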

View File

@ -15,29 +15,29 @@ audience: itpro
---
# Surface Book 3 Quadro RTX 3000 technical overview
Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is built for professionals who need real-time rendering, AI acceleration, advanced graphics, and compute performance in a portable form factor. Quadro RTX 3000 fundamentally changes what you can do with the new Surface Book 3:
- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing.
- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing.
- **Artificial Intelligence** - Remove redundant, tedious tasks and compute intensive work with 240 Tensor Cores for GPU-accelerated AI.
- **Advanced Graphics and Compute Technology** - Experience remarkable speed and interactivity during your most taxing graphics and compute workloads with 1,920 CUDA Cores and 6GB of GDDR6 memory.
## Enterprise grade solution
Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs providing an additional layer of quality assurance to validate stability, reliability, and performance.
Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional-grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs, providing an additional layer of quality assurance to validate stability, reliability, and performance.
Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems, and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements.
NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man-days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update.
## Built for compute-intensive workloads
Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere.
- **Creative professionals such as designers and animators.** Quadro RTX enables real-time cinematic-quality rendering through Turing-optimized ray tracing APIs such as NVIDIA OptiX, Microsoft DXR, and Vulkan.
- **Architects and engineers using large, complex computer aided design (CAD) models and assemblies.** The RTX platform features the new NGX SDK to infuse powerful AI-enhanced capabilities into visual applications. This frees up time and resources through intelligent manipulation of images, automation of repetitive tasks, and optimization of compute-intensive processes.
- **Software developers across manufacturing, media & entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs.
- **Software developers across manufacturing, media and entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs.
- **Data scientists using Tensor Cores and CUDA cores to accelerate computationally intensive tasks and other deep learning operations.** By using sensors, increased connectivity, and deep learning, researchers and developers can enable AI applications for everything from autonomous vehicles to scientific research.
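Review bot: the new "The Surface Book 3 with Quadro RTX 3000 delivers" under Built for compute-intensive workloads adds an article that the rest of the page does not use (the opening paragraph still reads "Surface Book 3 for Business powered by ..."); use one form throughout. The same pass hyphenates "professional-grade" and "man-days" but leaves "enterprise level" unhyphenated in both paragraphs it touches, and "man-days" is worth replacing with "person-days" while the sentence is open.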
@ -45,14 +45,14 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of an
| **Component** | **Description** |
| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| RT cores | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions. The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel. |
| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. |
| RT cores | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions. The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel. |
| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. |
| Turing optimized software | Deep learning frameworks such as the Microsoft Cognitive Toolkit (CNTK), Caffe2, MXNet, TensorFlow, and others deliver significantly faster training times and higher multi-node training performance. GPU accelerated libraries such as cuDNN, cuBLAS, and TensorRT deliver higher performance for both deep learning inference and High-Performance Computing (HPC) applications. |
| NVIDIA CUDA parallel computing platform | Natively execute standard programming languages like C/C++ and Fortran, and APIs such as OpenCL, OpenACC and Direct Compute to accelerate techniques such as ray tracing, video and image processing, and computation fluid dynamics. |
| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain best application performance. |
| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer making it the ideal platform for handling large datasets and latency-sensitive applications. |
| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain the best application performance. |
| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer, making it the ideal platform for handling large datasets and latency-sensitive applications. |
| Single instruction, multiple thread (SIMT) | New independent thread scheduling capability enables finer-grain synchronization and cooperation between parallel threads by sharing resources among small jobs. |
| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. |
| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. |
| Dynamic load balancing | Provides dynamic allocation capabilities of GPU resources for graphics and compute tasks as needed to maximize resource utilization. |
| Compute preemption | Preemption at the instruction-level provides finer grain control over compute tasks to prevent long-running applications from either monopolizing system resources or timing out. |
| H.264, H.265 and HEVC encode/decode engines | Enables faster than real-time performance for transcoding, video editing, and other encoding applications with two dedicated H.264 and HEVC encode engines and a dedicated decode engine that are independent of 3D/compute pipeline. |
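Review bot: the RT cores row is changed only for whitespace and still ends with "using low number of rays casted through a pixel"; suggest "using a low number of rays cast through a pixel" while the row is being touched. The "H.264, H.265 and HEVC encode/decode engines" row also names one codec twice, since H.265 and HEVC are the same standard.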
@ -86,7 +86,7 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of an
## App acceleration
The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in market March 2020.
The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing the Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus the Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in the market as of March 2020.
**Table 3. App acceleration on Surface Book 3 with Quadro RTX 3000**
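Review bot: the reworded sentence keeps "SPECview perf 13"; the benchmark's name is SPECviewperf, written as one word, so fix it in the same edit.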
@ -95,23 +95,23 @@ The following table shows how Quadro RTX 3000 provides significantly faster acce
| Adobe Dimension | - RTX-accelerated ray tracing delivers photorealistic 3D rendering to 2D artists and designers. |
| Adobe Substance Alchemist | - Create and blend materials with ease, featuring RTX-accelerated AI. |
| Adobe Substance Painter | - Paint materials onto 3d models, featuring RTX accelerated bakers, and Iray RTX rendering which generates photorealistic imagery for interactive and batch rendering workflows. <br> |
| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers<br>- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray powered compatible with MDL.<br>- DXR-accelerated light and ambient occlusion baking. |
| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, & perspective warp enable photographers and designers to modify images smoothly and quickly. |
| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers<br>- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray that is compatible with MDL.<br>- DXR-accelerated light and ambient occlusion baking. |
| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, and perspective warp enable photographers and designers to modify images smoothly and quickly. |
| Adobe Lightroom | - Faster editing high res images with GPU-accelerated viewport, which enables the modeling of larger 3D scenes, and the rigging of more complex animations.<br>- GPU-accelerated image processing enables dramatically more responsive adjustments, especially on 4K or higher resolution displays.<br>- GPU-accelerated AI-powered “Enhance Details” for refining fine color detail of RAW images. |
| Adobe Illustrator | - Pan and zoom with GPU-accelerated canvas faster, which enables graphic designers and illustrators to pan across and zoom in and out of complex vector graphics smoothly and interactively. |
| Adobe<br>Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU:<br>- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.<br>- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. |
| Adobe<br>Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU.<br>- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.<br>- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. |
| Autodesk<br>Revit | - GPU-accelerated viewport for a smoother, more interactive design experience.<br>- Supports 3rd party GPU-accelerated 3D renderers such as V-Ray and Enscape. |
| Autodesk<br>3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.<br>- RTX-accelerated ray tracing and AI denoising ****with the default Arnold renderer.<br>- More than 70 percent faster compared with Surface Book 2 15”. |
| Autodesk<br>3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.<br>- RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.<br>- More than 70 percent faster compared with Surface Book 2 15”. |
| Autodesk<br>Maya | - RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.<br>- OpenGL Viewport Acceleration. |
| Dassault Systemes<br>Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.<br>- Runs more than 50% faster compared with Surface Book 2 15” |
| Dassault Systemes<br>3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.<br>- Catia runs more than 100% faster compared with Surface Book 2 15. |
| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”.. |
| Dassault Systemes<br>Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.<br>- Runs more than 50% faster compared with Surface Book 2 15”. |
| Dassault Systemes<br>3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.<br>- Catia runs more than 100% faster compared with Surface Book 2 15". |
| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”. |
| McNeel & Associates<br>Rhino 3D | - GPU-accelerated viewport for a smooth and interactive modelling and design experience.<br>- Supports Cycles for GPU-accelerated 3D rendering. |
| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.<br>- Runs more than 10 x faster compared with Surface Book 2 15”.. |
| Esri ArcGIS | - Real-time results from what took days & weeks, due to DL inferencing leveraging tensor cores. |
| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.<br>- Runs more than 10x faster compared with Surface Book 2 15”. |
| Esri ArcGIS | - Real-time results from what took days and weeks, due to DL inferencing leveraging tensor cores. |
| PTC Creo | - Creo's real-time engineering simulation tool (Creo Simulation Live) built on CUDA.<br>- Runs more than 15% faster compared with Surface Book 2 15”. |
| Luxion KeyShot | - 3rd party Interactive Ray Tracer used by Solidworks, Creo, and Rhino. Accelerated by RT Cores, OptiX™ AI-accelerated denoising. |
| ANSYS<br>Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA |
| ANSYS<br>Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA. |
## SKUs
**Table 4. Surface Book 3 with Quadro RTX 3000 SKUs**
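Review bot: the Catia row now ends with a straight quote (`Surface Book 2 15".`) while every other row uses the curly ”; use one inch mark across the table. The Adobe Photoshop row still has two main verbs ("enables faster editing with 30+ GPU-accelerated features such as ... perspective warp enable photographers ..."), and the Substance Painter row still has "3d models" and a trailing `<br>`.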
@ -123,7 +123,7 @@ The following table shows how Quadro RTX 3000 provides significantly faster acce
## Summary
Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance on any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
The Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere:
- RTX-acceleration across multiple workflows like design, animation, video production, and more.
- Desktop-grade performance in a mobile form factor.

View File

@ -32,6 +32,9 @@ There are two administrative options you can use to manage SEMM and enrolled Sur
The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied.
>[!NOTE]
>You can now use Surface UEFI Configurator and SEMM to manage ports on Surface Dock 2. To learn more, see [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md).
![Microsoft Surface UEFI Configurator](images/surface-ent-mgmt-fig1-uefi-configurator.png "Microsoft Surface UEFI Configurator")
*Figure 1. Microsoft Surface UEFI Configurator*
@ -282,6 +285,6 @@ This version of SEMM includes:
## Related topics
[Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
- [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
- [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
- [Secure Surface Dock 2 ports with SEMM](secure-surface-dock-ports-semm.md)

View File

@ -31,7 +31,7 @@ Until now, managing firmware required enrolling devices into Surface Enterprise
Now with newly integrated UEFI firmware management capabilities in Microsoft Intune, the ability to lock down hardware is simplified and easier to use with new features for provisioning, security, and streamlined updating all in a single console, now unified as [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). The following figure shows UEFI settings viewed directly on the device (left) and viewed in the Endpoint Manager console (right).
![UEFI settings shown on device (left) and in the Endpoint Manager console (right) ](images/uefidfci.png)
![UEFI settings shown on device (left) and in the Endpoint Manager console (right)](images/uefidfci.png)
Crucially, DFCI enables zero touch management, eliminating the need for manual interaction by IT admins. DFCI is deployed via Windows Autopilot using the device profiles capability in Intune. A device profile allows you to add and configure settings which can then be deployed to devices enrolled in management within your organization. Once the device receives the device profile, the features and settings are applied automatically. Examples of common device profiles include Email, Device restrictions, VPN, Wi-Fi, and Administrative templates. DFCI is simply an additional device profile that enables you to manage UEFI configuration settings from the cloud without having to maintain on-premises infrastructure.

View File

@ -16,6 +16,8 @@ ms.date: 04/02/2020
# App-V 5.1 Supported Configurations
>Applies to: Windows 10, version 1607; Window Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 (Extended Security Update)
This topic specifies the requirements to install and run Microsoft Application Virtualization (App-V) 5.1 in your environment.
## App-V Server system requirements
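Review bot: Typo in the added "Applies to" line: "Window Server 2019" should read "Windows Server 2019", matching the other entries on that line and the "Microsoft Windows Server 2019" rows added to the tables further down.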
@ -40,48 +42,16 @@ The App-V 5.1 Server does not support the following scenarios:
The following table lists the operating systems that are supported for the App-V 5.1 Management server installation.
**Note**  
Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). See [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976) for more information.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Operating system</th>
<th align="left">Service Pack</th>
<th align="left">System architecture</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2016</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>64-bit</p></td>
</tr>
</tbody>
</table>
> [!NOTE]
> Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). See [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976) for more information.
| Operating System | Service Pack | System Architecture |
|----------------------------------|--------------|---------------------|
| Microsoft Windows Server 2019 | | 64-bit |
| Microsoft Windows Server 2016 | | 64-bit |
| Microsoft Windows Server 2012 R2 | | 64-bit |
| Microsoft Windows Server 2012 | | 64-bit |
| Microsoft Windows Server 2008 R2 [Extended Security Update](https://www.microsoft.com/windows-server/extended-security-updates)| SP1 | 64-bit |
**Important**  
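Review bot: Callout style is now mixed in this section. The note above the table was converted to `> [!NOTE]`, but the `**Important**` callout right after the table keeps the old bold-text form; convert it to `> [!IMPORTANT]` in the same pass. In the new Markdown table, the Windows Server 2008 R2 row also has no space between the link and the following pipe (`...extended-security-updates)| SP1`). Adding the space keeps the row consistent with the other rows.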
@ -155,44 +125,13 @@ For more information on user configuration files with SQL server 2016 or later,
The following table lists the operating systems that are supported for the App-V 5.1 Publishing server installation.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Operating system</th>
<th align="left">Service Pack</th>
<th align="left">System architecture</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2016</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>64-bit</p></td>
</tr>
</tbody>
</table>
| Operating System | Service Pack | System Architecture |
|----------------------------------|--------------|---------------------|
| Microsoft Windows Server 2019 | | 64-bit |
| Microsoft Windows Server 2016 | | 64-bit |
| Microsoft Windows Server 2012 R2 | | 64-bit |
| Microsoft Windows Server 2012 | | 64-bit |
| Microsoft Windows Server 2008 R2 [Extended Security Update](https://www.microsoft.com/windows-server/extended-security-updates) | SP1 | 64-bit |
### <a href="" id="publishing-server-hardware-requirements-"></a>Publishing server hardware requirements
@ -208,44 +147,13 @@ App-V adds no additional requirements beyond those of Windows Server.
The following table lists the operating systems that are supported for the App-V 5.1 Reporting server installation.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Operating system</th>
<th align="left">Service Pack</th>
<th align="left">System architecture</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2016</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>64-bit</p></td>
</tr>
</tbody>
</table>
| Operating System | Service Pack | System Architecture |
|----------------------------------|--------------|---------------------|
| Microsoft Windows Server 2019 | | 64-bit |
| Microsoft Windows Server 2016 | | 64-bit |
| Microsoft Windows Server 2012 R2 | | 64-bit |
| Microsoft Windows Server 2012 | | 64-bit |
| Microsoft Windows Server 2008 R2 [Extended Security Update](https://www.microsoft.com/windows-server/extended-security-updates) | SP1 | 64-bit |
### <a href="" id="reporting-server-hardware-requirements-"></a>Reporting server hardware requirements
@ -309,7 +217,8 @@ The following table lists the SQL Server versions that are supported for the App
The following table lists the operating systems that are supported for the App-V 5.1 client installation.
**Note:** With the Windows 10 Anniversary release (aka 1607 version), the App-V client is in-box and will block installation of any previous version of the App-V client
> [!NOTE]
> With the Windows 10 Anniversary release (aka 1607 version), the App-V client is in-box and will block installation of any previous version of the App-V client
<table>
<colgroup>
@ -368,44 +277,13 @@ The following list displays the supported hardware configuration for the App-V 5
The following table lists the operating systems that are supported for App-V 5.1 Remote Desktop Services (RDS) client installation.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Operating system</th>
<th align="left">Service Pack</th>
<th align="left">System architecture</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2016</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>64-bit</p></td>
</tr>
</tbody>
</table>
| Operating System | Service Pack | System Architecture |
|----------------------------------|--------------|---------------------|
| Microsoft Windows Server 2019 | | 64-bit |
| Microsoft Windows Server 2016 | | 64-bit |
| Microsoft Windows Server 2012 R2 | | 64-bit |
| Microsoft Windows Server 2012 | | 64-bit |
| Microsoft Windows Server 2008 R2 [Extended Security Update](https://www.microsoft.com/windows-server/extended-security-updates) | SP1 | 64-bit |
### Remote Desktop Services client hardware requirements
@ -421,59 +299,16 @@ App-V adds no additional requirements beyond those of Windows Server.
The following table lists the operating systems that are supported for the App-V 5.1 Sequencer installation.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Operating system</th>
<th align="left">Service pack</th>
<th align="left">System architecture</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2016</p></td>
<td align="left"></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2012 R2</p></td>
<td align="left"></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows Server 2012</p></td>
<td align="left"><p></p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows Server 2008 R2</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows 10</p></td>
<td align="left"><p></p></td>
<td align="left"><p>32-bit and 64-bit</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Windows 8.1</p></td>
<td align="left"><p></p></td>
<td align="left"><p>32-bit and 64-bit</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Windows 7</p></td>
<td align="left"><p>SP1</p></td>
<td align="left"><p>32-bit and 64-bit</p></td>
</tr>
</tbody>
</table>
| Operating System | Service Pack | System Architecture |
|----------------------------------|--------------|---------------------|
| Microsoft Windows Server 2019 | | 64-bit |
| Microsoft Windows Server 2016 | | 64-bit |
| Microsoft Windows Server 2012 R2 | | 64-bit |
| Microsoft Windows Server 2012 | | 64-bit |
| Microsoft Windows Server 2008 R2 [Extended Security Update](https://www.microsoft.com/windows-server/extended-security-updates) | SP1 | 64-bit |
| Microsoft Windows 10 | | 32-bit and 64-bit |
| Microsoft Windows 8.1 | | 32-bit and 64-bit |
| Microsoft Windows 7 | SP1 | 32-bit and 64-bit |
### Sequencer hardware requirements
@ -491,7 +326,8 @@ The App-V client supports the following versions of System Center Configuration
The following App-V and System Center Configuration Manager version matrix shows all officially supported combinations of App-V and Configuration Manager.
**Note:** Both App-V 4.5 and 4.6 have exited Mainstream support.
> [!NOTE]
> Both App-V 4.5 and 4.6 have exited Mainstream support.
<table>
<colgroup>

View File

@ -1,6 +1,6 @@
---
title: How to create a package accelerator (Windows 10)
description: How to create a package accelerator.
description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

View File

@ -1,6 +1,6 @@
---
title: Application Virtualization (App-V) (Windows 10)
description: Application Virtualization (App-V)
description: See various topics that can help you administer Application Virtualization (App-V) and its components.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

View File

@ -1,6 +1,6 @@
---
title: Getting Started with App-V (Windows 10)
description: Getting Started with App-V for Windows 10
description: Get started with Microsoft Application Virtualization (App-V) for Windows 10.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

View File

@ -1,6 +1,6 @@
---
title: Install the Publishing Server on a Remote Computer (Windows 10)
description: How to Install the App-V Publishing Server on a Remote Computer
description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
@ -38,7 +38,7 @@ Use the following procedure to install the publishing server on a separate compu
3. Enter the server name and a description (if required), then select **Add**.
9. To verify that the publishing server is running correctly, you should import a package to the management server, entitle that package to an AD group, then publish it. Using an internet browser, open the following URL: <strong>https://publishingserver:pubport</strong>. If the server is running correctly, information like the following example should appear.
```SQL
```xml
<Publishing Protocol="1.0">
<Packages>

View File

@ -14,7 +14,7 @@ ms.topic: article
---
# App-V Supported Configurations
>Applies to: Windows 10, version 1607; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2
>Applies to: Windows 10, version 1607; Window Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 (Extended Security Update)
This topic specifies the requirements to install and run App-V in your Windows 10 environment. For information about prerequisite software such as the .NET Framework, see [App-V prerequisites](appv-prerequisites.md).
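Review bot: The updated "Applies to" line says "Window Server 2019"; it should be "Windows Server 2019". Since the line is being touched anyway, fix the product name here so the applicability statement can be matched against the other Windows Server entries.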
@ -34,7 +34,7 @@ The App-V server does not support the following scenarios:
### Management server operating system requirements
You can install the App-V Management server on a server running Windows Server 2008 R2 with SP1 or later.
You can install the App-V Management server on a server running Windows Server 2008 R2 with SP1 (Extended Security Update) or later.
>[!IMPORTANT]
>Deploying a Management server role to a computer with Remote Desktop Services enabled is not supported.
@ -104,17 +104,7 @@ Similarly, the App-V Remote Desktop Services (RDS) client is included with Windo
## Sequencer system requirements
The following table lists the operating systems that the App-V Sequencer installation supports.
|Operating system|Service pack|System architecture|
|---|---|---|
|Microsoft Windows Server 2012 R2||64-bit|
|Microsoft Windows Server 2012||64-bit|
|Microsoft Windows Server 2008 R2|SP1|64-bit|
|Microsoft Windows 10||32-bit and 64-bit|
|Microsoft Windows 8.1||32-bit and 64-bit|
|Microsoft Windows 8||32-bit and 64-bit|
|Microsoft Windows 7|SP1|32-bit and 64-bit|
Sequencer is now part of the Windows Assessment and Deployment Kit (Windows ADK). [Download the latest Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) that is recommended for your version of the Windows OS.
### Sequencer hardware requirements
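Review bot: With the operating system table gone from "Sequencer system requirements", the section no longer states which Windows versions and architectures the Sequencer supports; the replacement sentence only points to the ADK download. If the ADK page is now the source of truth for supported platforms, say so explicitly in that sentence. Otherwise keep a trimmed table, so admins don't have to guess whether an older OS such as Windows 7 SP1 or Windows Server 2008 R2 is still covered.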

View File

@ -20,40 +20,45 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows 10
From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).
From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).
![Remote Desktop Connection client](images/rdp.png)
>[!TIP]
>Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics)
> [!TIP]
> Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics)
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connection to an Azure AD joined PC from an unjoined device or a non-Windows 10 device is not supported.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connections to an Azure AD joined PC from an unjoined device or a non-Windows 10 device are not supported.
![Allow remote connections to this computer](images/allow-rdp.png)
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
>[!NOTE]
>You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet:
>
>`net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD.
>
> This command only works for AADJ device users already added to any of the local groups (administrators).
> Otherwise this command throws the below error. For example: </br>
> for cloud only user: "There is no such global user or group : *name*" </br>
> for synced user: "There is no such global user or group : *name*" </br>
>
>In Windows 10, version 1709, the user does not have to sign in to the remote device first.
>
>In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
- On the PC you want to connect to:
1. Open system properties for the remote PC.
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
![Allow remote connections to this computer](images/allow-rdp.png)
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
> [!NOTE]
> You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet:
> ```PowerShell
> net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
> ```
> where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
>
> This command only works for AADJ device users already added to any of the local groups (administrators).
> Otherwise this command throws the below error. For example:
> - for cloud only user: "There is no such global user or group : *name*"
> - for synced user: "There is no such global user or group : *name*" </br>
>
> In Windows 10, version 1709, the user does not have to sign in to the remote device first.
>
> In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
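Review bot: In the rewritten note under step 3, the placeholder was renamed to *the-UPN-attribute-of-your-user*, but the "where" clause still describes it as the user profile name in C:\Users\ derived from the DisplayName attribute. The two descriptions conflict, and an admin following this could grant Remote Desktop access to the wrong identity or just hit the "no such global user or group" error. State which value is expected and drop the other description. Also, `net localgroup` is a net.exe command rather than a PowerShell cmdlet, so the lead-in ("running the following PowerShell cmdlet") should say "command". The two example error strings are identical for cloud-only and synced users, and a stray `</br>` is left at the end of the second one.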
@ -61,33 +66,32 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
> When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
> [!Note]
> If you cannot connect using Remote Desktop Connection 6.0, then you must turn off new features of RDP 6.0 and revert back to RDP 5.0 by changing a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
## Supported configurations
In organizations that have integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC using:
In organizations using integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC by using any of the following:
- Password
- Smartcards
- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager
- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager.
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network using:
In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network by using any of the following:
- Password
- Smartcards
- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following:
- Password
- Smartcards
- Windows Hello for Business, with or without an MDM subscription.
- Windows Hello for Business, with or without an MDM subscription.
In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC using:
In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following:
- Password
- Windows Hello for Business, with or without an MDM subscription.
- Windows Hello for Business, with or without an MDM subscription.
> [!NOTE]
> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
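Review bot: The callout above the reworded RDP 6.0 sentence is still written `> [!Note]`, while the other callouts in this file use `> [!NOTE]`; normalize the casing while editing that block. In the same sentence, "revert back to RDP 5.0" can simply be "revert to RDP 5.0". In the lists below, only the Windows Hello for Business items end with a period while "Password" and "Smartcards" do not; pick one style per list.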
@ -96,14 +100,3 @@ In organizations using only Azure AD, you can connect from an Azure AD-joined PC
[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop)

View File

@ -38,7 +38,7 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 8 | Windows Server 2012 | v3 |
| Windows 8.1 | Windows Server 2012 R2 | v4 |
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809 and 1903 | Windows Server 2016 and Windows Server 2019 | v6 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 |
For more information, see [Deploy Roaming User Profiles, Appendix B](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).

View File

@ -1,7 +1,7 @@
---
title: ApplicationControl CSP
description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from a MDM server.
keywords: whitelisting, security, malware
keywords: security, malware
ms.author: dansimp
ms.topic: article
ms.prod: w10

View File

@ -40,7 +40,6 @@ Defines restrictions for applications.
Additional information:
- [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps.
- [Whitelist example](#whitelist-examples) - example for Windows 10 Mobile that denies all apps except the ones listed.
<a href="" id="applocker-applicationlaunchrestrictions-grouping"></a>**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.
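Review bot: Under "Additional information", the `[Whitelist example](#whitelist-examples)` bullet appears to be dropped rather than renamed, which leaves readers no pointer from the top of the page to the example section. Keep the bullet and retarget it, for example `[Allow list example](#allow-list-examples)`, so the terminology change does not also remove navigation.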
@ -869,7 +868,7 @@ The following list shows the apps that may be included in the inbox.
## Whitelist examples
## <a href="" id="allow-list-examples"></a>Allow list examples
The following example disables the calendar application.
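Review bot: Renaming the heading and giving it the explicit id `allow-list-examples` changes the section anchor, so any existing link to `#whitelist-examples` (in this file or elsewhere in the docs set) will stop resolving. Search the repo for the old fragment and update those links in the same change.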

View File

@ -14,8 +14,6 @@ ms.date: 09/18/2018
# AssignedAccess CSP
**Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.**
The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](https://go.microsoft.com/fwlink/p/?LinkID=722211)

View File

@ -930,12 +930,35 @@ The following list shows the supported values:
<!--Description-->
Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
<!--/Description-->
> [!NOTE]
> This policy is only supported in Azure AD accounts.
"AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced.
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--SupportedValues-->
The expected values for this policy are:

View File

@ -14,9 +14,6 @@ manager: dansimp
# BitLocker DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).

View File

@ -1,6 +1,6 @@
---
title: Certificate Renewal
description: The enrolled client certificate expires after a period of use.
description: Find all the resources needed to provide continuous access to client certificates.
MS-HAID:
- 'p\_phdevicemgmt.certificate\_renewal'
- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'

View File

@ -1,6 +1,6 @@
---
title: ClientCertificateInstall CSP
description: ClientCertificateInstall CSP
description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates.
ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7
ms.reviewer:
manager: dansimp

View File

@ -9,14 +9,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 05/11/2020
ms.date: 06/03/2020
---
# Configuration service provider reference
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used overtheair for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used overtheair for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.
For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224). For CSP DDF files, see [CSP DDF files download](#csp-ddf-files-download).
@ -2699,6 +2696,7 @@ Additional lists:
## CSP DDF files download
You can download the DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1809](https://download.microsoft.com/download/6/A/7/6A735141-5CFA-4C1B-94F4-B292407AF662/Windows10_1809_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1803](https://download.microsoft.com/download/6/2/7/6276FE19-E3FD-4254-9C16-3C31CAA2DE50/Windows10_1803_DDF_download.zip)

View File

@ -1,6 +1,6 @@
---
title: Defender CSP
description: Defender CSP
description: See how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C
ms.reviewer:
manager: dansimp
@ -15,9 +15,6 @@ ms.date: 10/21/2019
# Defender CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
The following image shows the Windows Defender configuration service provider in tree format.

View File

@ -1,6 +1,6 @@
---
title: Defender DDF file
description: Defender DDF file
description: See how the the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used.
ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65
ms.reviewer:
manager: dansimp
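Review bot: The new `description:` value has a doubled word ("See how the the OMA DM") and carries Markdown bold (`**Defender**`) inside front matter, where it is emitted as literal asterisks. Suggest plain text such as "See how the OMA DM device description framework (DDF) for the Defender configuration service provider is used."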
@ -15,7 +15,6 @@ ms.date: 10/21/2019
# Defender DDF file
This topic shows the OMA DM device description framework (DDF) for the **Defender** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).

View File

@ -9,14 +9,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 07/11/2018
ms.date: 06/03/2020
---
# DevDetail DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **DevDetail** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -724,4 +721,5 @@ The XML below is the current version for this CSP.
</Node>
</Node>
</MgmtTree>
```

View File

@ -24,8 +24,8 @@ ms.date: 06/26/2017
# DMProcessConfigXMLFiltered function
> **Important**  
The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](https://msdn.microsoft.com/library/windows/hardware/dn757424) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses.
> [!Important]
> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](https://msdn.microsoft.com/library/windows/hardware/dn757424) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses.
Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
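Review bot: The converted alert uses `> [!Important]`, while the other alerts touched in this commit are written in upper case (`[!WARNING]`, `[!NOTE]`). Use `> [!IMPORTANT]` so the marker casing is consistent across the set.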

View File

@ -1,6 +1,6 @@
---
title: EnterpriseAppVManagement CSP
description: EnterpriseAppVManagement CSP
description: Examine the tree format for EnterpriseAppVManagement configuration service provider (CSP) to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions).
ms.author: dansimp
ms.topic: article
ms.prod: w10
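Review bot: The new `description:` ends with "Windows 10 PCs.(Enterprise and Education editions)." which has a stray period before the parenthesis and no space. Suggest "...to manage virtual applications in Windows 10 PCs (Enterprise and Education editions)."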

View File

@ -1,6 +1,6 @@
---
title: EnterpriseAssignedAccess XSD
description: EnterpriseAssignedAccess XSD
description: This XSD can be used to validate that the lockdown XML in the \<Data\> block of the AssignedAccessXML node.
ms.assetid: BB3B633E-E361-4B95-9D4A-CE6E08D67ADA
ms.reviewer:
manager: dansimp
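Review bot: The new `description:` is not a complete sentence: "validate that the lockdown XML in the \<Data\> block of the AssignedAccessXML node" has no verb after "that". Either drop "that" ("can be used to validate the lockdown XML in the \<Data\> block...") or finish the clause.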

View File

@ -14,9 +14,6 @@ ms.date: 10/01/2019
# EnterpriseModernAppManagement DDF
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseModernAppManagement** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).

View File

@ -748,13 +748,13 @@ Each of these are described in further detail in the following sections, along w
<a href="" id="pcr0"></a>**PCR0**
<p style="margin-left: 20px">The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.</p>
<p style="margin-left: 20px">Enterprise managers can create a whitelist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the whitelist, and then make a trust decision based on the result of the comparison.</p>
<p style="margin-left: 20px">Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.</p>
<p style="margin-left: 20px">If your enterprise does not have a whitelist of accepted PCR[0] values, then take no action.</p>
<p style="margin-left: 20px">If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.</p>
<p style="margin-left: 20px">If PCR[0] equals an accepted whitelisted value, then allow access.</p>
<p style="margin-left: 20px">If PCR[0] equals an accepted allow list value, then allow access.</p>
<p style="margin-left: 20px">If PCR[0] does not equal any accepted whitelisted value, then take one of the following actions that align with your enterprise policies:</p>
<p style="margin-left: 20px">If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:</p>
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
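Review bot: The replacement text for PCR[0] reads "a allow list" twice ("can create a allow list", "does not have a allow list"); the article should be "an". The last replaced sentence also switches to "accepted listed value" while the sentence before it says "accepted allow list value"; use one term in both so the allow case and the deny case clearly refer to the same list.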
@ -762,9 +762,9 @@ Each of these are described in further detail in the following sections, along w
<a href="" id="sbcphash"></a>**SBCPHash**
<p style="margin-left: 20px">SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.</p>
<p style="margin-left: 20px">If SBCPHash is not present, or is an accepted (whitelisted) value, then allow access.
<p style="margin-left: 20px">If SBCPHash is not present, or is an accepted allow-listed value, then allow access.
<p style="margin-left: 20px">If SBCPHash is present in DHA-Report, and is not a whitelisted value, then take one of the following actions that align with your enterprise policies:</p>
<p style="margin-left: 20px">If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:</p>
- Disallow all access
- Place the device in a watch list to monitor the device more closely for potential risks.
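Review bot: The new allow-access paragraph for SBCPHash opens `<p style="margin-left: 20px">` and never closes it, the same defect as the line it replaces; add the `</p>` while this line is being touched. In the deny case, "is not a allow-listed value" should read "is not an allow-listed value".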
@ -772,9 +772,9 @@ Each of these are described in further detail in the following sections, along w
<a href="" id="cipolicy"></a>**CIPolicy**
<p style="margin-left: 20px">This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.</p>
<p style="margin-left: 20px">If CIPolicy is not present, or is an accepted (whitelisted) value, then allow access.</p>
<p style="margin-left: 20px">If CIPolicy is not present, or is an accepted allow-listed value, then allow access.</p>
<p style="margin-left: 20px">If CIPolicy is present and is not a whitelisted value, then take one of the following actions that align with your enterprise policies:</p>
<p style="margin-left: 20px">If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:</p>
- Disallow all access
- Place the device in a watch list to monitor the device more closely for potential risks.
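Review bot: "is not a allow-listed value" in the CIPolicy deny case needs "an". This section hyphenates "allow-listed" while the PCR0 section of the same file writes "allow list value"; pick one form for all three attributes.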

View File

@ -44,8 +44,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [Server-initiated unenrollment failure](#server-initiated-unenrollment-failure)
- [Certificates causing issues with Wi-Fi and VPN](#certificates-causing-issues-with-wi-fi-and-vpn)
- [Version information for mobile devices](#version-information-for-mobile-devices)
- [Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues](#upgrading-windows-phone-81-devices-with-app-whitelisting-using-applicationrestriction-policy-has-issues)
- [Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218](#apps-dependent-on-microsoft-frameworks-may-get-blocked-in-phones-prior-to-build-10586218)
- [Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218](#apps-dependent-on-microsoft-frameworks-may-get-blocked-in-phones-prior-to-build-10586218)
- [Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#multiple-certificates-might-cause-wi-fi-connection-instabilities-in-windows-10-mobile)
- [Remote PIN reset not supported in Azure Active Directory joined mobile devices](#remote-pin-reset-not-supported-in-azure-active-directory-joined-mobile-devices)
- [MDM client will immediately check-in with the MDM server after client renews WNS channel URI](#mdm-client-will-immediately-check-in-with-the-mdm-server-after-client-renews-wns-channel-uri)
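Review bot: The list entry for "Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues" is removed here instead of renamed, but the section itself is kept later in this file under the new "allow-listing" heading. Restore the entry with the new title and fragment so the section stays reachable from this list. The "Apps dependent on Microsoft Frameworks..." entry that follows shows up as removed and re-added with identical text, which looks like a whitespace-only change that can be dropped.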
@ -59,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What is dmwappushsvc?](#what-is-dmwappushsvc)
- **Change history in MDM documentation**
- [June 2020](#june-2020)
- [May 2020](#may-2020)
- [February 2020](#february-2020)
- [January 2020](#january-2020)
@ -108,10 +108,23 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<ul>
<li><a href="policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall" data-raw-source="[ApplicationManagement/BlockNonAdminUserInstall](policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall)">ApplicationManagement/BlockNonAdminUserInstall</a></li>
<li><a href="policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize" data-raw-source="[Bluetooth/SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize)">Bluetooth/SetMinimumEncryptionKeySize</a></li>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource" data-raw-source="[DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)">DeliveryOptimization/DOCacheHostSource</a></li>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth" data-raw-source="[DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)">DeliveryOptimization/DOMaxBackgroundDownloadBandwidth</a></li>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth" data-raw-source="[DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)">DeliveryOptimization/DOMaxForegroundDownloadBandwidth</a></li>
<li><a href="policy-csp-education.md#education-allowgraphingcalculator" data-raw-source="[Education/AllowGraphingCalculator](policy-csp-education.md#education-allowgraphingcalculator)">Education/AllowGraphingCalculator</a></li>
<li><a href="policy-csp-textinput.md#textinput-configurejapaneseimeversion" data-raw-source="[TextInput/ConfigureJapaneseIMEVersion](policy-csp-textinput.md#textinput-configurejapaneseimeversion)">TextInput/ConfigureJapaneseIMEVersion</a></li>
<li><a href="policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion" data-raw-source="[TextInput/ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion)">TextInput/ConfigureSimplifiedChineseIMEVersion</a></li>
<li><a href="policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion" data-raw-source="[TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)">TextInput/ConfigureTraditionalChineseIMEVersion</a></li>
<li><a href="policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion" data-raw-source="[TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)">TextInput/ConfigureTraditionalChineseIMEVersion</a></li></ul>
<p>Updated the following policy in Windows 10, version 2004:</p>
<ul>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost" data-raw-source="[DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)">DeliveryOptimization/DOCacheHost</a></li></ul>
<p>Deprecated the following policies in Windows 10, version 2004:</p>
<ul>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth" data-raw-source="[DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)">DeliveryOptimization/DOMaxDownloadBandwidth</a></li>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth" data-raw-source="[DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)">DeliveryOptimization/DOMaxUploadBandwidth</a></li>
<li><a href="policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth" data-raw-source="[DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)">DeliveryOptimization/DOPercentageMaxDownloadBandwidth</a></li></ul>
</td></tr>
<tr>
<td style="vertical-align:top"><a href="devdetail-csp.md" data-raw-source="[DevDetail CSP](devdetail-csp.md)">DevDetail CSP</a></td>
@ -1733,7 +1746,7 @@ Currently in Windows 10, version 1511, when using the ClientCertificateInstall
The software version information from **DevDetail/SwV** does not match the version in **Settings** under **System/About**.
### Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues
### Upgrading Windows Phone 8.1 devices with app allow-listing using ApplicationRestriction policy has issues
- When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile using ApplicationRestrictions with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps.
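Review bot: Renaming this heading changes its generated fragment from `#upgrading-windows-phone-81-devices-with-app-whitelisting-using-applicationrestriction-policy-has-issues`, so any existing link to the old fragment stops resolving. Check for inbound links before merging, or add an explicit `<a href="" id="..."></a>` with the old id above the heading, the pattern these files already use for policy anchors.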
@ -1980,6 +1993,11 @@ What data is handled by dmwappushsvc? | It is a component handling the internal
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. |
## Change history in MDM documentation
### June 2020
|New or updated topic | Description|
|--- | ---|
|[BitLocker CSP](bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.|
|[Policy CSP - NetworkIsolation](policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings:<br>EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.|
### May 2020
|New or updated topic | Description|
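Review bot: The June 2020 change-history table lists only BitLocker CSP and Policy CSP - NetworkIsolation, while this same commit adds DOCacheHostSource, DOMaxBackgroundDownloadBandwidth and DOMaxForegroundDownloadBandwidth to Policy CSP - DeliveryOptimization and sets that file's `ms.date` to 06/09/2020. Add a row for DeliveryOptimization covering the added, updated and deprecated policies so the history matches what ships.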
@ -2927,7 +2945,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
</td></tr>
<tr class="odd">
<td style="vertical-align:top"><a href="applocker-csp.md" data-raw-source="[AppLocker CSP](applocker-csp.md)">AppLocker CSP</a></td>
<td style="vertical-align:top"><p>Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in <a href="applocker-csp.md#whitelist-examples" data-raw-source="[Whitelist examples](applocker-csp.md#whitelist-examples)">Whitelist examples</a>.</p>
<td style="vertical-align:top"><p>Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in <a href="applocker-csp.md#allow-list-examples" data-raw-source="[Allowlist examples](applocker-csp.md#allow-list-examples)">Allow list examples</a>.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top"><a href="devicemanageability-csp.md" data-raw-source="[DeviceManageability CSP](devicemanageability-csp.md)">DeviceManageability CSP</a></td>
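Review bot: The updated AppLocker link now points at `applocker-csp.md#allow-list-examples`, which only resolves if the heading in applocker-csp.md is renamed in the same change; that rename is not visible in this part of the diff, so please confirm it. The `data-raw-source` attribute says "Allowlist examples" while the link text says "Allow list examples"; make the two match.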

View File

@ -14,9 +14,6 @@ ms.date: 08/15/2018
# Office DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).

View File

@ -15,9 +15,6 @@ ms.date: 07/18/2019
# Policy CSP
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.
The Policy configuration service provider has the following sub-categories:
@ -1078,6 +1075,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost" id="deliveryoptimization-docachehost">DeliveryOptimization/DOCacheHost</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource" id="deliveryoptimization-docachehostsource">DeliveryOptimization/DOCacheHostSource</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp" id="deliveryoptimization-dodelaybackgrounddownloadfromhttp">DeliveryOptimization/DODelayBackgroundDownloadFromHttp</a>
</dd>
@ -1098,6 +1098,9 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource" id="deliveryoptimization-dogroupidsource">DeliveryOptimization/DOGroupIdSource</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth" id="deliveryoptimization-domaxbackgrounddownloadbandwidth">DeliveryOptimization/DOMaxBackgroundDownloadBandwidth</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage" id="deliveryoptimization-domaxcacheage">DeliveryOptimization/DOMaxCacheAge</a>
@ -1106,10 +1109,13 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize" id="deliveryoptimization-domaxcachesize">DeliveryOptimization/DOMaxCacheSize</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth" id="deliveryoptimization-domaxdownloadbandwidth">DeliveryOptimization/DOMaxDownloadBandwidth</a>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth" id="deliveryoptimization-domaxdownloadbandwidth">DeliveryOptimization/DOMaxDownloadBandwidth</a> (deprecated)
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth" id="deliveryoptimization-domaxuploadbandwidth">DeliveryOptimization/DOMaxUploadBandwidth</a>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth" id="deliveryoptimization-domaxforegrounddownloadbandwidth">DeliveryOptimization/DOMaxForegroundDownloadBandwidth</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth" id="deliveryoptimization-domaxuploadbandwidth">DeliveryOptimization/DOMaxUploadBandwidth</a> (deprecated)
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos" id="deliveryoptimization-dominbackgroundqos">DeliveryOptimization/DOMinBackgroundQos</a>
@ -1136,7 +1142,7 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth" id="deliveryoptimization-dopercentagemaxbackgroundbandwidth">DeliveryOptimization/DOPercentageMaxBackgroundBandwidth</a>
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth" id="deliveryoptimization-dopercentagemaxdownloadbandwidth">DeliveryOptimization/DOPercentageMaxDownloadBandwidth</a>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth" id="deliveryoptimization-dopercentagemaxdownloadbandwidth">DeliveryOptimization/DOPercentageMaxDownloadBandwidth</a> (deprecated)
</dd>
<dd>
<a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth" id="deliveryoptimization-dopercentagemaxforegroundbandwidth">DeliveryOptimization/DOPercentageMaxForegroundBandwidth</a>
@ -4055,8 +4061,8 @@ The following diagram shows the Policy configuration service provider in tree fo
## Policy CSPs supported by Microsoft Surface Hub
- [Policy CSPs supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
## Policy CSPs that can be set using Exchange Active Sync (EAS)
- [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
## Policy CSPs that can be set using Exchange ActiveSync (EAS)
- [Policy CSPs that can be set using Exchange ActiveSync (EAS)](policy-csps-that-can-be-set-using-eas.md)
## Related topics

View File

@ -74,7 +74,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.
This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved ActiveX Install sites specified by host URL.
If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL.
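Review bot: With the "ActiveX" casing fixed, the description still states the same thing twice: the second sentence of the edited paragraph ("When this setting is enabled, the administrator can create a list of approved ActiveX Install sites specified by host URL.") and the next paragraph ("If you enable this setting, the administrator can create a list...") are equivalent. Drop one of them while this text is being edited.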
@ -109,6 +109,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - AttachmentManager
description: Policy CSP - AttachmentManager
description: Manage Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local).
ms.author: dansimp
ms.topic: article
ms.prod: w10
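Review bot: The new `description:` does not parse as a sentence: "Manage Windows marks file attachments with information about their zone of origin". It reads like two drafts merged. Suggest something like "Manage how Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local)."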

View File

@ -12,10 +12,6 @@ ms.date: 09/27/2019
# Policy CSP - Audit
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->

View File

@ -14,10 +14,6 @@ manager: dansimp
# Policy CSP - BITS
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate.
- BITS/BandwidthThrottlingEndTime

View File

@ -4303,5 +4303,7 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

View File

@ -249,6 +249,8 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
<!--/Policies-->

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.date: 06/09/2020
ms.reviewer:
manager: dansimp
---
@ -31,6 +31,9 @@ manager: dansimp
<dd>
<a href="#deliveryoptimization-docachehost">DeliveryOptimization/DOCacheHost</a>
</dd>
<dd>
<a href="#deliveryoptimization-docachehostsource">DeliveryOptimization/DOCacheHostSource</a>
</dd>
<dd>
<a href="#deliveryoptimization-dodelaybackgrounddownloadfromhttp">DeliveryOptimization/DODelayBackgroundDownloadFromHttp</a>
</dd>
@ -52,6 +55,9 @@ manager: dansimp
<dd>
<a href="#deliveryoptimization-dogroupidsource">DeliveryOptimization/DOGroupIdSource</a>
</dd>
<dd>
<a href="#deliveryoptimization-domaxbackgrounddownloadbandwidth">DeliveryOptimization/DOMaxBackgroundDownloadBandwidth</a>
</dd>
<dd>
<a href="#deliveryoptimization-domaxcacheage">DeliveryOptimization/DOMaxCacheAge</a>
</dd>
@ -61,6 +67,9 @@ manager: dansimp
<dd>
<a href="#deliveryoptimization-domaxdownloadbandwidth">DeliveryOptimization/DOMaxDownloadBandwidth</a>
</dd>
<dd>
<a href="#deliveryoptimization-domaxforegrounddownloadbandwidth">DeliveryOptimization/DOMaxForegroundDownloadBandwidth</a>
</dd>
<dd>
<a href="#deliveryoptimization-domaxuploadbandwidth">DeliveryOptimization/DOMaxUploadBandwidth</a>
</dd>
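Review bot: In this policy list DOMaxDownloadBandwidth and DOMaxUploadBandwidth are left unmarked, while the Policy CSP index updated in the same commit tags both, and DOPercentageMaxDownloadBandwidth, as "(deprecated)". Add the same marker here so a reader landing directly on the DeliveryOptimization page sees that DOMaxBackgroundDownloadBandwidth and DOMaxForegroundDownloadBandwidth are the replacements to look at.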
@ -289,12 +298,15 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
[Reserved for future use]
This policy allows you to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization.
One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *[Reserved for future use] Cache Server Hostname*
- GP English name: *Cache Server Hostname*
- GP name: *CacheHost*
- GP element: *CacheHost*
- GP path: *Windows Components/Delivery Optimization*
@ -314,6 +326,86 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="deliveryoptimization-docachehostsource"></a>**DeliveryOptimization/DOCacheHostSource**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>8</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>8</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>8</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>8</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows you to to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Cache Server Hostname Source*
- GP name: *CacheHostSource*
- GP element: *CacheHostSource*
- GP path: *Windows Components/Delivery Optimization*
- GP ADMX file name: *DeliveryOptimization.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values:
- 1 = DHCP Option ID.
- 2 = DHCP Option ID Force.
When DHCP Option ID (1) is set, the client will query DHCP Option ID 235 and use the returned FQDN or IP value as Cache Server Hostname value. This policy will be overridden when the [Cache Server Hostname](#deliveryoptimization-docachehost) policy has been set.
When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 and use the returned FQDN or IP value as Cache Server Hostname value, and will override the Cache Server Hostname policy if it has been set.
> [!Note]
> If the DHCP Option ID is formatted incorrectly, the client will fall back to the [Cache Server Hostname](#deliveryoptimization-docachehost) policy value if that value has been set.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="deliveryoptimization-dodelaybackgrounddownloadfromhttp"></a>**DeliveryOptimization/DODelayBackgroundDownloadFromHttp**
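Review bot: In the DOCacheHostSource description, "allows you to to configure" has a doubled "to", and the sentences about adding comma-separated FQDNs or IP addresses do not say where those values are entered. Since the supported values are only 1 and 2, state that the list is what the DHCP server returns in Option ID 235. The supported-values list also does not say what happens when the policy is not set. Because value 2 lets the DHCP-supplied host override a configured Cache Server Hostname policy, the text should say that it is meant for networks where the DHCP server is trusted.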
@ -816,6 +908,68 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="deliveryoptimization-domaxbackgrounddownloadbandwidth"></a>**DeliveryOptimization/DOMaxBackgroundDownloadBandwidth**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>8</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>8</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>8</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>8</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Maximum Background Download Bandwidth (in KB/s)*
- GP name: *MaxBackgroundDownloadBandwidth*
- GP element: *MaxBackgroundDownloadBandwidth*
- GP path: *Windows Components/Delivery Optimization*
- GP ADMX file name: *DeliveryOptimization.admx*
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="deliveryoptimization-domaxcacheage"></a>**DeliveryOptimization/DOMaxCacheAge**
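Review bot: The DOMaxBackgroundDownloadBandwidth entry goes from the ADMX block straight to `<!--/Policy-->` with no SupportedValues section, so the accepted range is undocumented apart from the default of 0. Add the section, as the DOCacheHostSource entry does. The description also writes the unit as "KiloBytes/second" while the GP English name uses "KB/s"; use one form in both places.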
@ -952,70 +1106,27 @@ ADMX Info:
<a href="" id="deliveryoptimization-domaxdownloadbandwidth"></a>**DeliveryOptimization/DOMaxDownloadBandwidth**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
This policy is deprecated. Use [DOMaxForegroundDownloadBandwidth](#deliveryoptimization-domaxforegrounddownloadbandwidth) and [DOMaxBackgroundDownloadBandwidth](#deliveryoptimization-domaxbackgrounddownloadbandwidth) policies instead.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Maximum Download Bandwidth (in KB/s)*
- GP name: *MaxDownloadBandwidth*
- GP element: *MaxDownloadBandwidth*
- GP path: *Windows Components/Delivery Optimization*
- GP ADMX file name: *DeliveryOptimization.admx*
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="deliveryoptimization-domaxuploadbandwidth"></a>**DeliveryOptimization/DOMaxUploadBandwidth**
<a href="" id="deliveryoptimization-domaxforegrounddownloadbandwidth"></a>**DeliveryOptimization/DOMaxForegroundDownloadBandwidth**
<!--SupportedSKUs-->
<table>
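Review bot: The deprecation sentence in the DOMaxDownloadBandwidth description ("This policy is deprecated. Use ...") does not say from which Windows 10 version the deprecation applies, while the two replacement policies are marked with footnote 8 in their edition tables. Add the version to the sentence so admins can tell which devices still need the old policy.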
@ -1029,19 +1140,19 @@ ADMX Info:
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>8</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>8</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>8</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>8</sup></td>
</tr>
</table>
@ -1058,20 +1169,16 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
This policy specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization.
The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth).
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Max Upload Bandwidth (in KB/s)*
- GP name: *MaxUploadBandwidth*
- GP element: *MaxUploadBandwidth*
- GP English name: *Maximum Foreground Download Bandwidth (in KB/s)*
- GP name: *MaxForegroundDownloadBandwidth*
- GP element: *MaxForegroundDownloadBandwidth*
- GP path: *Windows Components/Delivery Optimization*
- GP ADMX file name: *DeliveryOptimization.admx*
@ -1080,6 +1187,25 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="deliveryoptimization-domaxuploadbandwidth"></a>**DeliveryOptimization/DOMaxUploadBandwidth**
<!--SupportedSKUs-->
<!--/SupportedSKUs-->
<!--Scope-->
<!--/Scope-->
<!--Description-->
This policy is deprecated because it only applies to uploads to Internet peers (only allowed when DownloadMode is set to 3) which is not used in commercial deployments. There is no alternate policy to use.
<!--/Description-->
<!--ADMXMapped-->
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="deliveryoptimization-dominbackgroundqos"></a>**DeliveryOptimization/DOMinBackgroundQos**
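Review bot: The deprecated DOMaxUploadBandwidth entry keeps empty `<!--SupportedSKUs-->`, `<!--Scope-->` and `<!--ADMXMapped-->` marker pairs, which leaves no edition or Group Policy reference for devices that already have the setting configured. Either keep that information next to the deprecation text or confirm the empty markers are what the publishing tooling expects. In the description, add a comma before "which" and state the version from which the policy is deprecated.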
@ -1901,12 +2027,14 @@ This policy allows an IT Admin to define the following:
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
<!--/Policies-->

View File

@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - DeviceGuard
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>

View File

@ -14,9 +14,6 @@ ms.localizationpriority: medium
# Policy CSP - DeviceInstallation
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>

View File

@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - DmaGuard
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -76,7 +73,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing.
This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with [DMA Remapping](https://docs.microsoft.com/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers)/device memory isolation and sandboxing.
Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - Education
description: Policy CSP - Education
description: Control graphing functionality in the Windows Calculator app.
ms.author: dansimp
ms.topic: article
ms.prod: w10
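Review bot: The new `description:` for "Policy CSP - Education" covers only graphing in the Windows Calculator app, while the title is the whole Education policy area. If the page documents more than that one setting, word the description for the area and mention the graphing control as one example.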
@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - Education
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>

View File

@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - Kerberos
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - MSSecurityGuide
description: Policy CSP - MSSecurityGuide
description: See how this ADMX-backed policy requires a special SyncML format to enable or disable.
ms.author: dansimp
ms.topic: article
ms.prod: w10
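Review bot: The new `description:` for "Policy CSP - MSSecurityGuide" says "this ADMX-backed policy" without naming a policy, so it reads as incomplete in search results. Name the policy area (for example "the ADMX-backed policies in the MSSecurityGuide area") and say what is being enabled or disabled.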

View File

@ -228,7 +228,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
<!--/Scope-->
<!--Description-->
Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
Integer value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
<!--/Description-->
<!--ADMXMapped-->
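Review bot: Changing "Boolean value" to "Integer value" in this description removes the only hint about what the setting accepts. State which integer values are valid and which one tells the client to accept the configured list. The same applies to the proxy description changed in the next hunk.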
@ -468,7 +468,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
Integer value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
<!--/Description-->
<!--ADMXMapped-->

View File

@ -14,8 +14,6 @@ manager: dansimp
# Policy CSP - RestrictedGroups
> [!WARNING]
> Some information in this article relates to prereleased products, which may be substantially modified before they are commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>

View File

@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - Security
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>

View File

@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - Start
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>

View File

@ -1,6 +1,6 @@
---
title: Policy CSP - System
description: Policy CSP - System
description: Learn policy settings that determines whether users can access the Insider build controls in the advanced options for Windows Update.
ms.author: dansimp
ms.topic: article
ms.prod: w10
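Review bot: The new `description:` for "Policy CSP - System" has a subject-verb mismatch ("policy settings that determines") and describes only the Insider build control, while the title is the whole System policy area. Suggest "Learn about the policy settings in the System area, such as ..." with the Insider build control as the example.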

View File

@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - TaskManager
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>

View File

@ -16,10 +16,6 @@ manager: dansimp
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before they are commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->

View File

@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - Update
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
> [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).

View File

@ -14,9 +14,6 @@ manager: dansimp
# Policy CSP - WindowsDefenderSecurityCenter
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>

View File

@ -31,6 +31,7 @@ ms.date: 09/16/2019
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
@ -38,10 +39,12 @@ ms.date: 09/16/2019
- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated)
- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated)
- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
@ -50,7 +53,7 @@ ms.date: 09/16/2019
- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated)
- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)

View File

@ -30,6 +30,7 @@ ms.date: 07/18/2019
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
@ -37,10 +38,12 @@ ms.date: 07/18/2019
- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated)
- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated)
- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
@ -49,7 +52,7 @@ ms.date: 07/18/2019
- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated)
- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)

File diff suppressed because it is too large Load Diff

View File

@ -9,14 +9,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 07/20/2018
ms.date: 06/03/2020
---
# SUPL DDF file
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **SUPL** configuration service provider (CSP).
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).

View File

@ -110,10 +110,10 @@ To verify the BCD entries:
>[!NOTE]
>This output may not contain a path.
2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder.
2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder.
> [!NOTE]
> If the computer is UEFI-based, the **bootmgr** and **winload** entries under **{default}** will contain an **.efi** extension.
> If the computer is UEFI-based, the filepath value specified in the **path** parameter of **{bootmgr}** and **{default}** will contain an **.efi** extension.
![bcdedit](images/screenshot1.png)

View File

@ -533,7 +533,7 @@ Learn more about the [Microsoft Store for Business](/microsoft-store/index).
IT administrators can control which apps are allowed to be installed on Windows 10 Mobile devices and how they should be kept up-to-date.
Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow (sometimes also called whitelist/blacklist) lists of apps from the Microsoft Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Microsoft Store.
Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow lists of apps from the Microsoft Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Microsoft Store.
For more details, see [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx).
@ -970,7 +970,7 @@ This is a list of attributes that are supported by DHA and can trigger the corre
- **Boot Manager Version** The version of the Boot Manager running on the device. The HAS can check this version to determine whether the most current Boot Manager is running, which is more secure (trusted).
- **Code integrity version** Specifies the version of code that is performing integrity checks during the boot sequence. The HAS can check this version to determine whether the most current version of code is running, which is more secure (trusted).
- **Secure Boot Configuration Policy (SBCP) present** Whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash.
- **Boot cycle whitelist** The view of the host platform between boot cycles as defined by the manufacturer compared to a published whitelist. A device that complies with the whitelist is more trustworthy (secure) than a device that is noncompliant.
- **Boot cycle whitelist** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant.
**Example scenario**
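Review bot: In the "Boot cycle whitelist" bullet the body text now says "allow list" twice but the bold label still says "whitelist", so the item no longer matches itself. If the label is the literal DHA attribute name, say so in the text; otherwise rename the label as well.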

View File

@ -1,6 +1,6 @@
---
title: Validate kiosk configuration (Windows 10)
description: This topic explains what to expect on a multi-app kiosk.
description: Learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
ms.reviewer:
manager: dansimp

View File

@ -1,6 +1,6 @@
---
title: Troubleshooting UE-V
description: Troubleshooting UE-V
description: Find resources for troubleshooting UE-V for Windows 10.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy

View File

@ -1,6 +1,6 @@
---
title: Using UE-V with Application Virtualization applications
description: Using UE-V with Application Virtualization applications
description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V).
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy

View File

@ -139,7 +139,7 @@ Select from the following:
### eSim
Configure **FwUpdate** > **AllowedAppIdList** to whitelist apps that are allowed to update the firmware. Obtain the app IDs from the card vendor.
Configure **FwUpdate** > **AllowedAppIdList** to list apps that are allowed to update the firmware. Obtain the app IDs from the card vendor.
### External
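Review bot: Replacing "to whitelist apps" with "to list apps" in the eSim section loses the meaning that the list grants permission; "list apps that are allowed" can be read as merely enumerating them. Suggest "to specify the apps that are allowed to update the firmware".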

View File

@ -44,7 +44,11 @@
- name: Define your servicing strategy
href: update/waas-servicing-strategy-windows-10-updates.md
- name: Best practices for feature updates on mission-critical devices
href: update/feature-update-mission-critical.md
href: update/feature-update-mission-critical.md
- name: Windows 10 deployment considerations
href: planning/windows-10-deployment-considerations.md
- name: Windows 10 infrastructure requirements
href: planning/windows-10-infrastructure-requirements.md
- name: Plan for volume activation
href: volume-activation/plan-for-volume-activation-client.md
- name: Features removed or planned for replacement
@ -126,7 +130,7 @@
- name: Deploy updates with Configuration Manager
href: update/deploy-updates-configmgr.md
- name: Deploy updates with Intune
href: update/waas-wufb-csp-mdm.md
href: update/deploy-updates-intune.md
- name: Deploy updates with WSUS
href: update/waas-manage-updates-wsus.md
- name: Deploy updates with Group Policy
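Review bot: The "Deploy updates with Intune" entry now points to `update/deploy-updates-intune.md` instead of `update/waas-wufb-csp-mdm.md`. Confirm the new file is part of this merge and that the old article is either still reachable from the TOC or has a redirect, since neither is visible in this hunk.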
@ -238,13 +242,13 @@
href: update/windows-update-overview.md
- name: Servicing stack updates
href: update/servicing-stack-updates.md
- name: How Windows Update works
href: update/how-windows-update-works.md
- name: Additional Windows Update settings
href: update/waas-wu-settings.md
- name: Delivery Optimization reference
href: update/waas-delivery-optimization-reference.md
- name: Windows 10 in S mode
href: s-mode.md
- name: Switch to Windows 10 Pro or Enterprise from S mode
href: windows-10-pro-in-s-mode.md
- name: Windows 10 deployment tools
items:

View File

@ -1,6 +1,6 @@
---
title: Deploy Windows 10 (Windows 10)
description: Deploying Windows 10 for IT professionals.
description: Learn Windows 10 upgrade options for planning, testing, and managing your production deployment.
ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
ms.reviewer:
manager: laurawi

View File

@ -13,7 +13,7 @@ metadata:
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 05/27/2020 #Required; mm/dd/yyyy format.
ms.date: 06/09/2020 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -22,29 +22,35 @@ landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: Overview
- title: Deploy Windows 10
linkLists:
- linkListType: overview
links:
- text: Windows 10 deployment scenarios
url: windows-10-deployment-scenarios.md
- text: What is Windows as a service?
url: update/waas-overview.md
- text: Types of Windows updates
url: update/waas-quick-start.md#definitions
# Card (optional)
- title: Get started
linkLists:
- linkListType: get-started
links:
- text: Demonstrate Autopilot deployment
url: windows-autopilot/demonstrate-deployment-on-vm.md
- text: Servicing the Windows 10 operating system
url: update/waas-servicing-strategy-windows-10-updates.md
- text: Deploy Windows 10 in a test lab
url: windows-10-poc.md
# Card (optional)
- title: Update Windows 10
linkLists:
- linkListType: overview
links:
- text: What is Windows as a service?
url: update/waas-overview.md
- text: Types of Windows updates
url: update/waas-quick-start.md#definitions
- linkListType: get-started
links:
- text: Servicing the Windows 10 operating system
url: update/waas-servicing-strategy-windows-10-updates.md
# Card (optional)
- title: Deployment planning
linkLists:
@ -52,8 +58,12 @@ landingContent:
links:
- text: Create a deployment plan
url: update/create-deployment-plan.md
- text: Define readiness criteria
url: update/plan-define-readiness.md
- text: Evaluate infrastructure and tools
url: update/eval-infra-tools.md
- text: Determine application readiness
url: update/plan-determine-app-readiness.md
- text: Define your servicing strategy
url: update/waas-servicing-strategy-windows-10-updates.md
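Review bot: The entry "Evaluate infrastructure and tools" (update/eval-infra-tools.md) in this planning list reads almost the same as "Evaluate and update infrastructure" (update/update-policies.md) in the next card, yet the two go to different pages. Rewording one of them so the link text reflects its target, for example naming update policies explicitly in the second, would keep readers from treating them as the same article.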
@ -62,7 +72,9 @@ landingContent:
linkLists:
- linkListType: how-to-guide
links:
- text: Prepare to deploy Windows 10
- text: Prepare for Zero Touch Installation with Configuration Manager
url: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
- text: Prepare to deploy Windows 10 with MDT
url: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
- text: Evaluate and update infrastructure
url: update/update-policies.md
@ -70,25 +82,36 @@ landingContent:
url: update/waas-deployment-rings-windows-10-updates.md
# Card
- title: Deploy Windows 10
- title: Deploy and update Windows 10
linkLists:
- linkListType: deploy
links:
- text: Deploy Windows 10 with Autopilot
- text: Windows Autopilot scenarios and capabilities
url: windows-autopilot/windows-autopilot-scenarios.md
- text: Deploy Windows 10 to a new device with Configuration Manager
url: deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
- text: Deploy a Windows 10 image using MDT
url: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
- text: Assign devices to servicing channels
url: update/waas-servicing-channels-windows-10-updates.md
- text: Deploy Windows 10 updates
url: update/index.md
url: update/waas-servicing-channels-windows-10-updates.md
- text: Resolve Windows 10 upgrade errors
url: upgrade/resolve-windows-10-upgrade-errors.md
# Card (optional)
- title: Also see
- title: Windows 10 resources
linkLists:
- linkListType: reference
links:
- text: Windows 10 release information
url: https://docs.microsoft.com/en-us/windows/release-information/
url: https://docs.microsoft.com/windows/release-information/
- text: What's new in Windows 10
url: https://docs.microsoft.com/en-us/windows/whats-new/
url: https://docs.microsoft.com/windows/whats-new/
- text: Windows 10 Enterprise Security
url: https://docs.microsoft.com/en-us/windows/security/
url: https://docs.microsoft.com/windows/security/
- text: Desktop Deployment Center
url: https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home
- text: Microsoft 365 solution and architecture center
url: https://docs.microsoft.com/microsoft-365/solutions/?view=o365-worldwide
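Review bot: Under "Deploy Windows 10 updates" two url lines appear, update/index.md and update/waas-servicing-channels-windows-10-updates.md, and the second is already the target of "Assign devices to servicing channels" just above it. Please confirm the entry resolves to update/index.md after the merge, so the card does not end up with two entries for one page. Separately, the "Windows 10 resources" links drop the en-us locale segment, but the last one keeps a ?view=o365-worldwide query string; dropping it would match the other URLs in the list.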

View File

@ -1,144 +1,132 @@
---
title: Windows 10 deployment considerations (Windows 10)
description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE
ms.reviewer:
manager: laurawi
ms.author: greglin
keywords: deploy, upgrade, update, in-place
ms.prod: w10
ms.localizationpriority: medium
ms.mktglfcycl: plan
ms.sitesec: library
audience: itpro author: greg-lindsay
ms.topic: article
---
# Windows 10 deployment considerations
**Applies to**
- Windows 10
There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
For many years, organizations have deployed new versions of Windows using a “wipe and load” deployment process. At a high level, this process captures existing data and settings from the existing device, deploys a new custom-built Windows image to a PC, injects hardware drivers, reinstalls applications, and finally restores the data and settings. With Windows 10, this process is still fully supported, and for some deployment scenarios is still necessary.
Windows 10 also introduces two additional scenarios that organizations should consider:
- **In-place upgrade**, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications.
- **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device.
Both of these scenarios eliminate the image creation process altogether, which can greatly simplify the deployment process.
So how do you choose? At a high level:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Consider ...</th>
<th align="left">For these scenarios</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">In-place upgrade</td>
<td align="left"><ul>
<li><p>When you want to keep all (or at least most) existing applications</p></li>
<li><p>When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)</p></li>
<li><p>To migrate from Windows 10 to a later Windows 10 release</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Traditional wipe-and-load</td>
<td align="left"><ul>
<li><p>When you upgrade significant numbers of applications along with the new Windows OS</p></li>
<li><p>When you make significant device or operating system configuration changes</p></li>
<li><p>When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs</p></li>
<li><p>When you migrate from Windows Vista or other previous operating system versions</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left">Dynamic provisioning</td>
<td align="left"><ul>
<li><p>For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required</p></li>
<li><p>When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
## Migration from previous Windows versions
For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall.
Note that the original Windows 8 release is only supported until January 2016. Organizations that do not think they can complete a full Windows 10 migration by that date should deploy Windows 8.1 now and consider Windows 10 after Windows 8 has been removed from the environment.
For existing Windows PCs running Windows Vista, you can perform wipe-and-load (OS refresh) deployments when you use compatible hardware.
Note that to take advantage of the limited-time free upgrade offer for PCs running Windows 7, Windows 8, or Windows 8.1, you must leverage an in-place upgrade, either from Windows Update or by using the upgrade media available from the [Windows 10 software download page](https://go.microsoft.com/fwlink/p/?LinkId=625073) to acquire a new Windows 10 license from the Windows Store. For more information, refer to the [Windows 10 FAQ](https://go.microsoft.com/fwlink/p/?LinkId=625074).
For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be leveraged (with in-place upgrade being the preferred method, as previously discussed).
For organizations that do not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.
## Setup of new computers
For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use:
- **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their “work or school account” within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](https://go.microsoft.com/fwlink/p/?LinkId=625075).
- **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=625076).
In either of these scenarios, you can make a variety of configuration changes to the PC:
- Transform the edition (SKU) of Windows 10 that is in use.
- Apply configuration and settings to the device (for example, security settings, device restrictions, policies, Wi-Fi and VPN profiles, certificates, and so on).
- Install apps, language packs, and updates.
- Enroll the device in a management solution (applicable for IT admin-driven scenarios, configuring the device just enough to allow the management tool to take over configuration and ongoing management).
## Stay up to date
For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods:
- Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.
- Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). Note that this will require updates to WSUS, which are only available for Windows Server 2012 and Windows Server 2012 R2, not previous versions.
- System Center Configuration Manager task sequences (with Configuration Manager 2012, 2012 R2, and later versions).
- System Center Configuration Manager vNext software update capabilities (deploying like an update).
Note that these upgrades (which are installed differently than monthly updates) will leverage an in-place upgrade process. Unlike updates, which are relatively small, these upgrades will include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements.
Over time, this upgrade process will be optimized to reduce the overall time and network bandwidth consumed.
## Related topics
[Windows 10 compatibility](windows-10-compatibility.md)
[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
 
 
---
title: Windows 10 deployment considerations (Windows 10)
description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE
ms.reviewer:
manager: laurawi
ms.author: greglin
keywords: deploy, upgrade, update, in-place
ms.prod: w10
ms.localizationpriority: medium
ms.mktglfcycl: plan
ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
---
# Windows 10 deployment considerations
**Applies to**
- Windows 10
There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
For many years, organizations have deployed new versions of Windows using a “wipe and load” deployment process. At a high level, this process captures existing data and settings from the existing device, deploys a new custom-built Windows image to a PC, injects hardware drivers, reinstalls applications, and finally restores the data and settings. With Windows 10, this process is still fully supported, and for some deployment scenarios is still necessary.
Windows 10 also introduces two additional scenarios that organizations should consider:
- **In-place upgrade**, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications.
- **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device.
Both of these scenarios eliminate the image creation process altogether, which can greatly simplify the deployment process.
So how do you choose? At a high level:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Consider ...</th>
<th align="left">For these scenarios</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">In-place upgrade</td>
<td align="left"><ul>
<li><p>When you want to keep all (or at least most) existing applications</p></li>
<li><p>When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)</p></li>
<li><p>To migrate from Windows 10 to a later Windows 10 release</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Traditional wipe-and-load</td>
<td align="left"><ul>
<li><p>When you upgrade significant numbers of applications along with the new Windows OS</p></li>
<li><p>When you make significant device or operating system configuration changes</p></li>
<li><p>When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs</p></li>
<li><p>When you migrate from Windows Vista or other previous operating system versions</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left">Dynamic provisioning</td>
<td align="left"><ul>
<li><p>For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required</p></li>
<li><p>When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
## Migration from previous Windows versions
For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall.
The original Windows 8 release was only supported until January 2016. For devices running Windows 8.0, you can update to Windows 8.1 and then upgrade to Windows 10.
For PCs running operating systems older than Windows 7, you can perform wipe-and-load (OS refresh) deployments when you use compatible hardware.
For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be leveraged (with in-place upgrade being the preferred method, as previously discussed).
For organizations that did not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.
## Setting up new computers
For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use:
- **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their “work or school account” within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](https://go.microsoft.com/fwlink/p/?LinkId=625075).
- **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=625076).
In either of these scenarios, you can make a variety of configuration changes to the PC:
- Transform the edition (SKU) of Windows 10 that is in use.
- Apply configuration and settings to the device (for example, security settings, device restrictions, policies, Wi-Fi and VPN profiles, certificates, and so on).
- Install apps, language packs, and updates.
- Enroll the device in a management solution (applicable for IT admin-driven scenarios, configuring the device just enough to allow the management tool to take over configuration and ongoing management).
## Stay up to date
For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will be deployed two times per year. You can deploy these upgrades by using a variety of methods:
- Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.
- Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update).
- Configuration Manager task sequences.
- Configuration Manager software update capabilities (deploying like an update).
These upgrades (which are installed differently than monthly updates) leverage an in-place upgrade process. Unlike updates, which are relatively small, these upgrades will include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements.
The upgrade process is also optimized to reduce the overall time and network bandwidth consumed.
## Related topics
[Windows 10 compatibility](windows-10-compatibility.md)<br>
[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
 
 

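Review bot: The paragraph describing the limited-time free upgrade offer is removed from "Migration from previous Windows versions", but the later sentence "For organizations that did not take advantage of the free upgrade offer and are not enrolled in Software Assurance" still refers to it, so the reference now has nothing to point back to. Either reword that sentence to stand on its own or drop the clause. In the same pass, the table row "When you migrate from Windows Vista or other previous operating system versions" could be aligned with the prose, which now says "operating systems older than Windows 7", and "both in-place upgrade or wipe-and-load" should read "both ... and".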
View File

@ -26,38 +26,24 @@ There are specific infrastructure requirements to deploy and manage Windows 10
## High-level requirements
For initial Windows 10 deployments, as well as subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage.
For persistent VDI environments, carefully consider the I/O impact from upgrading large numbers of PCs in a short period of time. Ensure that upgrades are performed in smaller numbers, or during off-peak time periods. (For pooled VDI environments, a better approach is to replace the base image with a new version.)
## Deployment tools
A new version of the Assessment and Deployment Toolkit (ADK) has been released to support Windows 10. This new version, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=526740), is required for Windows 10; you should not use earlier versions of the ADK to deploy Windows 10. It also supports the deployment of Windows 7, Windows 8, and Windows 8.1.
The latest version of the Windows Assessment and Deployment Toolkit (ADK) is available for download [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
Significant enhancements in the ADK for Windows 10 include new runtime provisioning capabilities, which leverage the Windows Imaging and Configuration Designer (Windows ICD), as well as updated versions of existing deployment tools (DISM, USMT, Windows PE, and more).
Microsoft Deployment Toolkit 2013 Update 1, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=625079), has also been updated to support Windows 10 and the new ADK; older versions do not support Windows 10. New in this release is task sequence support for Windows 10 in-place upgrades.
The latest version of the Microsoft Deployment Toolkit (MDT) is available for download [here](https://docs.microsoft.com/mem/configmgr/mdt/release-notes).
For System Center Configuration Manager, Windows 10 support is offered with various releases:
| Release | Windows 10 management? | Windows 10 deployment? |
|---------------------------------------------|------------------------|------------------------------------------------|
| System Center Configuration Manager 2007 | Yes, with a hotfix | No |
| System Center Configuration Manager 2012 | Yes, with SP2 and CU1 | Yes, with SP2, CU1, and the ADK for Windows 10 |
| System Center Configuration Manager 2012 R2 | Yes, with SP1 and CU1 | Yes, with SP1, CU1, and the ADK for Windows 10 |
> [!NOTE]
> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require Microsoft Endpoint Configuration Manager current branch for supported management.
 
For Configuration Manager, Windows 10 version specific support is offered with [various releases](https://docs.microsoft.com/mem/configmgr/core/plan-design/configs/support-for-windows-10).
For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
## Management tools
In addition to Microsoft Endpoint Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store.
No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features.
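Review bot: In "Deployment tools", the new MDT sentence says the toolkit is "available for download [here]" but the link target is https://docs.microsoft.com/mem/configmgr/mdt/release-notes, a release notes page rather than a download. Either change the wording to "see the release notes" or link the download location, and replace the bare "here" link text in both the ADK and MDT sentences with the tool name. The retained sentence "Significant enhancements in the ADK for Windows 10 include new runtime provisioning capabilities" also reads oddly now that the preceding sentence refers to the latest ADK in general rather than a specific release.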
@ -72,8 +58,6 @@ Microsoft Desktop Optimization Pack (MDOP) has been updated to support Windows 
| Microsoft BitLocker Administration and Monitoring (MBAM) | MBAM 2.5 SP1 (2.5 is OK) |
| User Experience Virtualization (UE-V) | UE-V 2.1 SP1 |
 
For more information, see the [MDOP TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=625090).
For devices you manage with mobile device management (MDM) solutions such as Microsoft Intune, existing capabilities (provided initially in Windows 8.1) are fully supported in Windows 10; new Windows 10 MDM settings and capabilities will require updates to the MDM services. See [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=625084) for more information.
@ -81,20 +65,17 @@ For devices you manage with mobile device management (MDM) solutions such as Mic
Windows Server Update Services (WSUS) requires some additional configuration to receive updates for Windows 10. Use the Windows Server Update Services admin tool and follow these instructions:
1. Select the **Options** node, and then click **Products and Classifications**.
2. In the **Products** tree, select the **Windows 10** and **Windows 10 LTSB** products and any other Windows 10-related items that you want. Click **OK**.
3. From the **Synchronizations** node, right-click and choose **Synchronize Now**.
![figure 1](images/fig4-wsuslist.png)
Figure 1. WSUS product list with Windows 10 choices
WSUS product list with Windows 10 choices
Because Windows 10 updates are cumulative in nature, each months new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](https://go.microsoft.com/fwlink/p/?LinkId=625086) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.)
## Activation
Windows 10 volume license editions of Windows 10 will continue to support all existing activation methods (KMS, MAK, and AD-based activation). An update will be required for existing KMS servers:
| Product | Required update |
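Review bot: The caption loses its "Figure 1." numbering but the image alt text is still "figure 1" in ![figure 1](images/fig4-wsuslist.png), which tells a screen reader user nothing. Reusing the caption text as the alt text would fix both. Since this hunk already touches the surrounding lines, the context sentence "each months new update will supersede the previous month's" could get its missing apostrophe at the same time.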
@ -104,26 +85,21 @@ Windows 10 volume license editions of Windows 10 will continue to support all
| Windows Server 2012 and Windows 8 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) |
| Windows Server 2008 R2 and Windows 7 | [https://support.microsoft.com/kb/3079821](https://support.microsoft.com/kb/3079821) |
 
Also see: [Windows Server 2016 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2016/10/19/windows-server-2016-volume-activation-tips/)
Additionally, new product keys will be needed for all types of volume license activation (KMS, MAK, and AD-based Activation); these keys are available on the Volume Licensing Service Center (VLSC) for customers with rights to the Windows 10 operating system. To find the needed keys:
- Sign into the [Volume Licensing Service Center (VLSC)](https://go.microsoft.com/fwlink/p/?LinkId=625088) at with a Microsoft account that has appropriate rights.
- For KMS keys, click **Licenses** and then select **Relationship Summary**. Click the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key.
- For MAK keys, click **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Click the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. These keys will not work on Windows servers running KMS.)
Note that Windows 10 Enterprise and Windows 10 Enterprise LTSB installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both.
Note that Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both.
## Related topics
[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)
<BR>[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
<BR>[Windows 10 compatibility](windows-10-compatibility.md)
[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)<br>
[Windows 10 deployment considerations](windows-10-deployment-considerations.md)<br>
[Windows 10 compatibility](windows-10-compatibility.md)<br>
 

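Review bot: The LTSB to LTSC rename is applied to the "Note that Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different MAK keys" sentence only; the MAK bullet directly above still gives "**Windows 10 Enterprise LTSB**" as the example list entry. If the rename is intended for the whole topic, update that bullet too, or state that the VLSC list still shows the LTSB name. The sign-in bullet also has a stray word in "Sign into the [Volume Licensing Service Center (VLSC)](...) at with a Microsoft account" that could be cleaned up in the same change.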
View File

@ -7,7 +7,6 @@ ms.localizationpriority: medium
ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
ms.date: 12/05/2018
ms.reviewer:
manager: laurawi
ms.audience: itpro
@ -42,7 +41,7 @@ Save your files to your favorite cloud, like OneDrive or Dropbox, and access the
## Deployment
Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](windows-autopilot/windows-autopilot.md). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
## Keep line of business apps functioning with Desktop Bridge

Some files were not shown because too many files have changed in this diff