title | description | ms.assetid | ms.reviewer | manager | keywords | ms.prod | ms.sitesec | author | ms.author | ms.topic | ms.date | ms.localizationpriority |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Create provisioning packages (Surface Hub) | For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages. | 8AA25BD4-8A8F-4B95-9268-504A49BA5345 | dansimp | add certificate, provisioning package | surface-hub | library | levinec | ellevin | article | 03/16/2019 | medium |
Create provisioning packages (Surface Hub)
This topic explains how to create a provisioning package using the Windows Configuration Designer, and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings.
You can apply a provisioning package using a USB stick during first-run setup, or through the Settings app.
Advantages
- Quickly configure devices without using a mobile device management (MDM) provider.
- No network connectivity required.
- Simple to apply.
Learn more about the benefits and uses of provisioning packages.
Requirements
To create and apply a provisioning package to a Surface Hub, you'll need the following:
- Windows Configuration Designer, which can be installed from Microsoft Store or from the Windows 10 Assessment and Deployment Kit (ADK). Learn how to install Windows Configuration Designer.
- A USB stick.
- If you apply the package using the Settings app, you'll need device admin credentials.
You create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub.
Supported items for Surface Hub provisioning packages
Using the Provision Surface Hub devices wizard, you can:
- Enroll in Active Directory, Azure Active Directory, or MDM
- Create a device administrator account
- Add applications and certificates
- Configure proxy settings
- Add a Surface Hub configuration file
Warning
You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using the wizard.
Using the advanced provisioning editor, you can add these items to provisioning packages for Surface Hub:
- Policies - Surface Hub supports a subset of the policies in the Policy configuration service provider.
- Settings - You can configure any setting in the SurfaceHub configuration service provider.
Tip
Use the wizard to create a package with the common settings, then switch to the advanced editor to add other settings.
Use the Surface Hub provisioning wizard
After you install Windows Configuration Designer, you can create a provisioning package.
Create the provisioning package
1. Open Windows Configuration Designer:
   - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, or
   - If you installed Windows Configuration Designer from the ADK, navigate to C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 (on an x64 computer) or C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe (on an x86 computer), and then double-click ICD.exe.
2. Click Provision Surface Hub devices.
3. Name your project and click Next.
Configure settings
To provision the device with a certificate, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.

Toggle Yes or No for proxy settings. The default configuration for Surface Hub is to automatically detect proxy settings, so you can select No if that is the setting that you want. However, if your infrastructure previously required using a proxy server and has changed to not require a proxy server, you can use a provisioning package to revert your Surface Hub devices to the default settings by selecting Yes and Automatically detect settings. If you toggle Yes, you can select to automatically detect proxy settings, or you can manually configure the settings by entering a URL to a setup script, or a static proxy server address. You can also identify whether to use the proxy server for local addresses, and enter exceptions (addresses that Surface Hub should connect to directly without using the proxy server).

You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Azure Active Directory to allow global admins to use the Settings app, or create a local administrator account on the device. To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain, and specify the security group to have admin credentials on Surface Hub. If a provisioning package that enrolls a device in Active Directory is going to be applied to a Surface Hub that was reset, the same domain account can only be used if the account listed is a domain administrator or is the same account that set up the Surface Hub initially. Otherwise, a different domain account must be used in the provisioning package. Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions. To create a local administrator account, select that option and enter a user name and password. Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.

Toggle Yes or No for enrollment in MDM. If you toggle Yes, you must provide a service account and password or certificate thumbprint that is authorized to enroll the device, and also specify the authentication type. If required by your MDM provider, also enter the URLs for the discovery service, enrollment service, and policy service. Learn more about managing Surface Hub with MDM.

You can install multiple Universal Windows Platform (UWP) apps in a provisioning package. For help with the settings, see Provision PCs with apps. Important: Although the wizard interface allows you to select a Classic Win32 app, only include UWP apps in a provisioning package that will be applied to Surface Hub. If you include a Classic Win32 app, provisioning will fail.

You don't configure any settings in this step. It provides instructions for including a configuration file that contains a list of device accounts. The configuration file must not contain column headers. When you apply the provisioning package to Surface Hub, if a Surface Hub configuration file is included on the USB drive, you can select the account and friendly name for the device from the file. See Sample configuration file for an example. Important: The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703.

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
After you're done, click Create. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
Sample configuration file
A Surface Hub configuration file contains a list of device accounts that your device can use to connect to Exchange and Skype for Business. When you apply a provisioning package to Surface Hub, you can include a configuration file in the root directory of the USB flash drive, and then select the desired account to apply to that device. The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703.
Use Microsoft Excel or another CSV editor to create a CSV file named SurfaceHubConfiguration.csv. In the file, enter a list of device accounts and friendly names in this format:
<DeviceAccountName>,<DeviceAccountPassword>,<FriendlyName>
Important
Because the configuration file stores the device account passwords in plaintext, we recommend that you update the passwords after you've applied the provisioning package to your devices. You can use the DeviceAccount node in the Surface Hub configuration service provider (CSP) to update the passwords via MDM.
The following is an example of SurfaceHubConfiguration.csv.
Rainier@contoso.com,password,Rainier Surface Hub
Adams@contoso.com,password,Adams Surface Hub
Baker@contoso.com,password,Baker Surface Hub
Glacier@contoso.com,password,Glacier Surface Hub
Stuart@contoso.com,password,Stuart Surface Hub
Fernow@contoso.com,password,Fernow Surface Hub
Goode@contoso.com,password,Goode Surface Hub
Shuksan@contoso.com,password,Shuksan Surface Hub
Buckner@contoso.com,password,Buckner Surface Hub
Logan@contoso.com,password,Logan Surface Hub
Maude@contoso.com,password,Maude Surface Hub
Spickard@contoso.com,password,Spickard Surface Hub
Redoubt@contoso.com,password,Redoubt Surface Hub
Dome@contoso.com,password,Dome Surface Hub
Eldorado@contoso.com,password,Eldorado Surface Hub
Dragontail@contoso.com,password,Dragontail Surface Hub
Forbidden@contoso.com,password,Forbidden Surface Hub
Oval@contoso.com,password,Oval Surface Hub
StHelens@contoso.com,password,St Helens Surface Hub
Rushmore@contoso.com,password,Rushmore Surface Hub
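Because the configuration file is applied only during OOBE and holds device account passwords in plaintext, it is worth checking it before it goes on the USB drive. The following Python check is an added example, not part of the original page: it enforces the header-less, three-field format described above and flags rows that still carry a placeholder password so they can be rotated after the package is applied. The header-word set, the placeholder-password list, the UPN pattern and the sample rows are all constructed for this example.

```python
import csv
import io
import re

# Constructed sample in the page's format: <DeviceAccountName>,<DeviceAccountPassword>,<FriendlyName>
# Deliberately includes a header row, a short row, placeholder passwords and a non-UPN account.
SAMPLE_CSV = """Rainier@contoso.com,password,Rainier Surface Hub
DeviceAccountName,DeviceAccountPassword,FriendlyName
Adams@contoso.com,Xk7!pq2Lm9vT,Adams Surface Hub
Baker@contoso.com,S3cure-Pass!2019
Glacier@contoso.com,password,Glacier Surface Hub
Stuart,Abc!23456789,Stuart Surface Hub
"""

# Assumed values for this example: the column-header words the page says must not appear,
# a small list of placeholder passwords worth flagging, and a loose user@domain pattern.
HEADER_WORDS = {"deviceaccountname", "deviceaccountpassword", "friendlyname"}
PLACEHOLDER_PASSWORDS = {"password", "p@ssw0rd", "changeme"}
UPN_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def parse_config(text):
    """Parse SurfaceHubConfiguration.csv content.

    Returns (entries, findings): entries is a list of dicts for rows that were
    accepted; findings is a list of (line_number, message) tuples for anything
    that would make the file unusable or that should be fixed before deployment.
    """
    entries, findings, seen = [], [], set()
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line, ignore
        if len(row) != 3:
            findings.append((line_no, f"expected 3 fields, found {len(row)}"))
            continue
        account, password, friendly = (cell.strip() for cell in row)
        if account.lower() in HEADER_WORDS:
            findings.append((line_no, "column header row present; the file must not contain headers"))
            continue
        if not UPN_RE.match(account):
            findings.append((line_no, f"device account {account!r} is not in user@domain form"))
        if account.lower() in seen:
            findings.append((line_no, f"duplicate device account {account!r}"))
        seen.add(account.lower())
        if password.lower() in PLACEHOLDER_PASSWORDS:
            findings.append((line_no, "placeholder password; rotate it after the package is applied"))
        if not friendly:
            findings.append((line_no, "empty friendly name"))
        entries.append({"account": account, "password": password, "friendly_name": friendly})
    return entries, findings


def redact(entry):
    """Render an entry for logs or reports without exposing the password."""
    return f"{entry['account']} -> {entry['friendly_name']} (password: ***)"


if __name__ == "__main__":
    accepted, problems = parse_config(SAMPLE_CSV)
    for entry in accepted:
        print(redact(entry))
    for line_no, message in problems:
        print(f"line {line_no}: {message}")
```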
Use advanced provisioning
After you install Windows Configuration Designer, you can create a provisioning package.
Create the provisioning package (advanced)
1. Open Windows Configuration Designer:
   - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, or
   - If you installed Windows Configuration Designer from the ADK, navigate to C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 (on an x64 computer) or C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe (on an x86 computer), and then double-click ICD.exe.
2. Click Advanced provisioning.
3. Name your project and click Next.
4. Select Common to Windows 10 Team edition, click Next, and then click Finish.
5. In the project, under Available customizations, select Common Team edition settings.
Add a certificate to your package
You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange.
Note
Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details.
1. In the Available customizations pane, go to Runtime settings > Certificates > ClientCertificates.
2. Enter a CertificateName and then click Add.
3. Enter the CertificatePassword.
4. For CertificatePath, browse and select the certificate.
5. Set ExportCertificate to False.
6. For KeyLocation, select Software only.
Add a Universal Windows Platform (UWP) app to your package
Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Microsoft Store for Business, you will also need the unencoded app license. See Distribute offline apps to learn how to download these items from the Microsoft Store for Business.
1. In the Available customizations pane, go to Runtime settings > UniversalAppInstall > DeviceContextApp.
2. Enter a PackageFamilyName for the app and then click Add. For consistency, use the app's package family name. If you acquired the app from the Microsoft Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the <PFM>...</PFM> tags.
3. For ApplicationFile, click Browse to find and select the target app (either an *.appx or *.appxbundle).
4. For DependencyAppxFiles, click Browse to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies.
If you acquired the app from the Microsoft Store for Business, you will also need to add the app license to your provisioning package.
1. Make a copy of the app license, and rename it to use a .ms-windows-store-license extension. For example, "example.xml" becomes "example.ms-windows-store-license".
2. In ICD, in the Available customizations pane, go to Runtime settings > UniversalAppInstall > DeviceContextAppLicense.
3. Enter a LicenseProductId and then click Add. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the <License> tag, use the value in the LicenseID attribute.
4. Select the new LicenseProductId node. For LicenseInstall, click Browse to find and select the license file that you renamed in Step 1.
Add a policy to your package
Surface Hub supports a subset of the policies in the Policy configuration service provider. Some of those policies can be configured with ICD.
1. In the Available customizations pane, go to Runtime settings > Policies.
2. Select one of the available policy areas.
3. Select and set the policy you want to add to your provisioning package.
Add Surface Hub settings to your package
You can add settings from the SurfaceHub configuration service provider to your provisioning package.
1. In the Available customizations pane, go to Runtime settings > WindowsTeamSettings.
2. Select one of the available setting areas.
3. Select and set the setting you want to add to your provisioning package.
Build your package
1. When you are done configuring the provisioning package, on the File menu, click Save.
2. Read the warning that project files may contain sensitive information, and click OK.
Important
When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
3. On the Export menu, click Provisioning package.
4. Change Owner to IT Admin, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources.
5. Set a value for Package Version, and then select Next.
Tip
You can make changes to existing packages and change the version number to update previously applied packages.
6. Optional: You can choose to encrypt the package and enable package signing.
   - Enable package encryption - If you select this option, an auto-generated password will be shown on the screen.
   - Enable package signing - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking Browse... and choosing the certificate you want to use to sign the package.
Important
We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
7. Click Next to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. Optionally, you can click Browse to change the default output location.
8. Click Next.
9. Click Build to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. If you need to cancel the build, click Cancel. This cancels the current build process, closes the wizard, and takes you back to the Customizations Page.
10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
    - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click Back to change the output package name and path, and then click Next to start another build.
    - If you are done, click Finish to close the wizard and go back to the Customizations Page.
11. Select the output location link to go to the location of the package. Copy the .ppkg to an empty USB flash drive.
Apply a provisioning package to Surface Hub
There are two options for deploying provisioning packages to a Surface Hub. During the first run wizard, you can apply a provisioning package that installs certificates, or after the first-run program is complete, you can apply a provisioning package that configures settings, apps, and certificates by using Settings.
Apply a provisioning package during first run
Important
During the first-run program, you can only use provisioning packages to install certificates. Use the Settings app to install apps and apply other settings.
1. When you turn on the Surface Hub for the first time, the first-run program will display the Hi there page. Make sure that the settings are properly configured before proceeding.
2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select Set up.
3. The next screen asks you to select a provisioning source. Select Removable Media and tap Next.
4. Select the provisioning package (*.ppkg) that you want to apply, and tap Next. Note that you can only install one package during first run.
5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select Yes, add it.
6. If a configuration file is included in the root directory of the USB flash drive, you will see Select a configuration. The first device account in the configuration file will be shown with a summary of the account information that will be applied to the Surface Hub.
7. In Select a configuration, select the device name to apply, and then click Next.
The settings from the provisioning package will be applied to the device and OOBE will be complete. After the device restarts, you can remove the USB flash drive.
Apply a package using Settings
1. Insert the USB flash drive containing the .ppkg file into the Surface Hub.
2. From the Surface Hub, start Settings and enter the admin credentials when prompted.
3. Navigate to Surface Hub > Device management. Under Provisioning packages, select Add or remove a provisioning package.
4. Select Add a package.
5. Choose your provisioning package and select Add. You may have to re-enter the admin credentials if prompted.
6. You'll see a summary of the changes that the provisioning package will apply. Select Yes, add it.