2. In the GPMC, press and hold or right-click the GPO you want to use for the deployment, and then tap or click Edit.
3. In the policy editor, access Computer Configuration\Policies\Software Settings\Software Installation or User Configuration\Policies\Software Settings\Software Installation as appropriate for the type of software deployment.
4. Press and hold or right-click Software Installation. On the shortcut menu, tap or click New, and then tap or click Package. Create an assigned or published application by using the Windows Installer file for the new software version.
5. Press and hold or right-click the upgrade package, and then tap or click Properties. On the Upgrades tab, tap or click Add. In the Add Upgrade Package dialog box, do one of the following:
■ If the original application and the upgrade are in the current GPO, select Current Group Policy Object, and then select the previously deployed application in the Package To Upgrade list.
■ If the original application and the upgrade are in different GPOs, select A Specific GPO, tap or click Browse, and then select the GPO from the Browse For A Group Policy Object dialog box. Select the previously deployed application in the Package To Upgrade list.
6. Choose an upgrade option. If you want to replace the application with the new version, select Uninstall The Existing Package, Then Install The Upgrade Package. If you want to perform an in-place upgrade over the existing installation, select Package Can Upgrade Over The Existing Package.
7. Tap or click OK to close the Add Upgrade Package dialog box. If you want to make this a required upgrade, select the Required Upgrade For Existing Packages check box, and then tap or click OK to close the upgrade package’s Properties dialog box.
Automatically configuring Work Folders
Computers that are members of a workplace can access internal network resources, such as internal websites and business applications. Work Folders enable users to synchronize their corporate data to their devices and vice versa. Those devices can be joined to the corporate domain or a workplace. Devices access Work Folders via a remote web gateway running on Microsoft Internet Information Services (IIS).
To deploy Work Folders, you add the File And Storage Services \ Work Folders role to a file server, and then configure Work Folders by using Server Manager. Afterward, you can use policy settings to control related options, such as the server to which users can connect remotely and access Work Folders. You control the connection server in one of two ways:
■ By specifying the exact URL of a file server hosting the Work Folders for the user, such as https://server29.cpandl.com
■ By specifying the URL used within your organization for Work Folders discovery, such as https://workfolders.cpandl.com
REAL WORLD Clients use secure encrypted communications to connect to Work Folders as long as the file servers hosting the Work Folders have valid SSL certificates. When a device initiates an SSL connection, the server sends the certificate to the client. The client evaluates the certificate and continues only if the certificate is valid and can be trusted. If you configure a connection to an exact URL, the client can connect directly to the specified server and synchronize data in Work Folders. The server’s certificate must have a Common Name (CN) or a Subject Alternative Name (SAN) that matches the host header in the request. For example, if the client makes a request to https://server18.cpandl.com, the CN or SAN must be server18.cpandl.com.
In Group Policy, you specify the URL used within your organization for Work Folders discovery by using the Specify Work Folders Settings policy found under Administrative Templates policies for User Configuration\Windows Components\Work Folders. Any server configured with Work Folders acts as a discovery server by default. If you configure a discovery URL, a client connects to one of several servers, and the email address of the user is used to discover which specific server hosts the Work Folders for the client. The client is then connected to this server. Each discovery server will need to have a certificate with multiple Subject Alternative Names, which include the server name and the discovery name. For example, if a client makes a request to https://workfolders.cpandl.com and connects to FileServer11.cpandl.com, the server’s certificate must have a CN or SAN of fileserver11.cpandl.com and a SAN of workfolders.cpandl.com.
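The name requirements above can be checked before clients are pointed at a server. The following PowerShell is an added example, not part of the original text: the function names Get-CertificateDnsName and Test-WorkFoldersCertificateName are hypothetical, the sample name lists are constructed from the host names used in the text, and the check is extended to treat a wildcard entry as covering one left-most label.

```powershell
# Added example: function names are hypothetical; sample name lists are constructed.
function Get-CertificateDnsName {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Subject CN first, then every DNS entry in the SAN extension (OID 2.5.29.17).
    $names = @($Certificate.GetNameInfo('SimpleName', $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumes Windows formatting, where entries render as "DNS Name=host.example.com".
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $names | Where-Object { $_ } | Select-Object -Unique
}

function Test-WorkFoldersCertificateName {
    param(
        [Parameter(Mandatory)][string[]]$CertificateName,  # CN and SAN DNS entries
        [Parameter(Mandatory)][string[]]$RequiredName      # host names clients request
    )
    foreach ($required in $RequiredName) {
        $matched = $false
        foreach ($name in $CertificateName) {
            if ($name -ieq $required) { $matched = $true; break }
            # A wildcard entry covers exactly one left-most label.
            if ($name.StartsWith('*.') -and $required.Contains('.')) {
                $parent = $required.Substring($required.IndexOf('.'))
                if ($name.Substring(1) -ieq $parent) { $matched = $true; break }
            }
        }
        [pscustomobject]@{ RequiredName = $required; Covered = $matched }
    }
}

# Constructed sample: the discovery scenario from the text.
$required = 'fileserver11.cpandl.com', 'workfolders.cpandl.com'
$goodCert = 'fileserver11.cpandl.com', 'workfolders.cpandl.com'
$badCert  = 'fileserver11.cpandl.com'    # discovery name missing from the SAN list

Test-WorkFoldersCertificateName -CertificateName $goodCert -RequiredName $required
Test-WorkFoldersCertificateName -CertificateName $badCert  -RequiredName $required

# Against a real certificate object $cert (for example, one read from the Cert: drive):
# Test-WorkFoldersCertificateName (Get-CertificateDnsName $cert) $required
```

Any row with Covered set to False identifies a host name that clients would reject when they validate the server's certificate.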
If you want to configure Work Folders in Group Policy, use the following technique:
1. Access Group Policy for the system, site, domain, or OU with which you want to work. Next, access the Work Folders node by using the Administrative Templates policies for User Configuration under Windows Components\Work Folders.
2. Double-tap or double-click Specify Work Folders Settings, and then select Enabled.
3. In the Work Folders URL text box, enter the URL of the file server that hosts the Work Folders for the user or the URL used within your organization for Work Folders discovery.
4. If you want to prevent users from changing settings when setting up Work Folders, select Force Automatic Setup.
5. Tap or click OK.
Automatically enrolling computer and user certificates
A server designated as a certificate authority (CA) is responsible for issuing digital certificates and managing certificate revocation lists (CRLs). Servers running Windows Server can be configured as certificate authorities by installing Active Directory Certificate Services. Computers and users can use certificates for authentication and encryption.
In an enterprise configuration, enterprise CAs are used for automatic enrollment. This means authorized users and computers can request a certificate, and the certificate authority can automatically process the certificate request so that the users and computers can immediately install the certificate.
Group Policy controls the way automatic enrollment works. When you install enterprise CAs, automatic enrollment policies for users and computers are enabled automatically. The policy for computer certificate enrollment is Certificate Services Client-Auto-Enrollment Settings under Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. The policy for user certificate enrollment is Certificate Services Client-Auto-Enrollment under User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
You can configure automatic enrollment by following these steps:
1. In the GPMC, press and hold or right-click the GPO with which you want to work, and then tap or click Edit.
2. In the policy editor, access User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies or Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies as appropriate for the type of policy you want to review.
3. Double-tap or double-click Certificate Services Client-Auto-Enrollment. To disable automatic enrollment, select Disabled from the Configuration Model list, tap or click OK, and then skip the remaining steps in this procedure. To enable automatic enrollment, select Enabled from the Configuration Model list.