Merge branch 'master' into lomayor-ah-renames

This commit is contained in:
lomayor 2020-01-03 11:15:00 -08:00
commit 1159a2aee0
77 changed files with 804 additions and 716 deletions

View File

@ -45,6 +45,11 @@
"redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker#restart-or-recover-the-clicker",
"redirect_document_id": false
},
{
"source_path": "devices/hololens/hololens-find-and-save-files.md",
"redirect_url": "https://docs.microsoft.com/hololens/holographic-data",
"redirect_document_id": false
},
{
"source_path": "devices/surface/manage-surface-pro-3-firmware-updates.md",
"redirect_url": "https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates",
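Review bot: the new redirect for devices/hololens/hololens-find-and-save-files.md sets `"redirect_document_id": false`, yet the replacement file holographic-data.md added in this same commit keeps the deleted page's ms.assetid (77d2e357-f65f-43c8-b62f-6cd9bf37070a). If the intent is that the new location inherits the old document's identity, this entry should be `"redirect_document_id": true`; otherwise give the new file a fresh assetid so two documents do not share one id.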

View File

@ -28,7 +28,7 @@
# Navigating Windows Holographic
## [Start menu and mixed reality home](holographic-home.md)
## [Use your voice with HoloLens](hololens-cortana.md)
## [Find and save files](hololens-find-and-save-files.md)
## [Find and save files](holographic-data.md)
## [Create, share, and view photos and video](holographic-photos-and-videos.md)
# User management and access management

View File

@ -0,0 +1,100 @@
---
title: Find and save files on HoloLens
description: Use File Explorer on HoloLens to view and manage files on your device
keywords: how-to, file picker, files, photos, videos, pictures, OneDrive, storage, file explorer
ms.assetid: 77d2e357-f65f-43c8-b62f-6cd9bf37070a
author: mattzmsft
ms.author: mazeller
manager: v-miegge
ms.reviewer: jarrettrenshaw
ms.date: 12/30/2019
keywords: hololens
ms.prod: hololens
ms.sitesec: library
ms.topic: article
audience: ITPro
ms.localizationpriority: medium
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Find, open, and save files on HoloLens
Files you create on HoloLens, including photos and videos, are saved directly to your HoloLens device. View and manage them in the same way you would manage files on Windows 10:
- Using the File Explorer app to access local folders.
- Within an app's storage.
- In a special folder (such as the video or music library).
- Using a storage service that includes an app and file picker (such as OneDrive).
- Using a desktop PC connected to your HoloLens by using a USB cable, using MTP (Media Transfer Protocol) support.
## View files on HoloLens using File Explorer
> Applies to all HoloLens 2 devices and HoloLens (1st gen) as of the [Windows 10 April 2018 Update (RS4) for HoloLens](https://docs.microsoft.com/windows/mixed-reality/release-notes-april-2018).
Use File Explorer on HoloLens to view and manage files on your device, including 3D objects, documents, and pictures. Go to **Start** > **All apps** > **File Explorer** to get started.
> [!TIP]
> If there are no files listed in File Explorer, select **This Device** in the top left pane.
If you dont see any files in File Explorer, the "Recent" filter may be active (clock icon is highlighted in left pane). To fix this, select the **This Device** document icon in the left pane (beneath the clock icon), or open the menu and select **This Device**.
## Find and view your photos and videos
[Mixed reality capture](holographic-photos-and-videos.md) lets you take mixed reality photos and videos on HoloLens. These photos and videos are saved to the device's Camera Roll folder.
You can access photos and videos taken with HoloLens by:
- accessing the Camera Roll directly through the [Photos app](holographic-photos-and-videos.md).
- uploading photos and videos to cloud storage by syncing your photos and videos to OneDrive.
- using the Mixed Reality Capture page of the [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#mixed-reality-capture).
### Photos app
The Photos app is one of the default apps on the **Start** menu, and comes built-in with HoloLens. Learn more about [using the Photos app to view content](holographic-photos-and-videos.md).
You can also install the [OneDrive app](https://www.microsoft.com/p/onedrive/9wzdncrfj1p3) from the Microsoft Store to sync photos to other devices.
### OneDrive app
[OneDrive](https://onedrive.live.com/) lets you access, manage, and share your photos and videos with any device and with any user. To access the photos and videos captured on HoloLens, download the [OneDrive app](https://www.microsoft.com/p/onedrive/9wzdncrfj1p3) from the Microsoft Store on your HoloLens. Once downloaded, open the OneDrive app and select **Settings** > **Camera upload**, and turn on **Camera upload**.
### Connect to a PC
If your HoloLens is running the [Windows 10 April 2018 update](https://docs.microsoft.com/windows/mixed-reality/release-notes-april-2018) or later, you can connect your HoloLens to a Windows 10 PC by using a USB cable to browse photos and videos on the device by using MTP (media transfer protocol). You'll need to make sure the device is unlocked to browse files if you have a PIN or password set up on your device.
If you have enabled the [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal), you can use it to browse, retrieve, and manage the photos and videos stored on your device.
## Access files within an app
If an application saves files on your device, you can use that application to access them.
### Requesting files from another app
An application can request to save a file or open a file from another app by using [file pickers](https://docs.microsoft.com/windows/mixed-reality/app-model#file-pickers).
### Known folders
HoloLens supports a number of [known folders](https://docs.microsoft.com/windows/mixed-reality/app-model#known-folders) that apps can request permission to access.
## View HoloLens files on your PC
Similar to other mobile devices, connect HoloLens to your desktop PC using MTP (Media Transfer Protocol) and open File Explorer on the PC to access your HoloLens libraries for easy transfer.
To see your HoloLens files in File Explorer on your PC:
1. Sign in to HoloLens, then plug it into the PC using the USB cable that came with the HoloLens.
1. Select **Open Device to view files with File Explorer**, or open File Explorer on the PC and navigate to the device.
To see info about your HoloLens, right-click the device name in File Explorer on your PC, then select **Properties**.
> [!NOTE]
> HoloLens (1st gen) does not support connecting to external hard drives or SD cards.
## Sync to the cloud
To sync photos and other files from your HoloLens to the cloud, install and set up OneDrive on HoloLens. To get OneDrive, search for it in the Microsoft Store on your HoloLens.
HoloLens doesn't back up app files and data, so it's a good idea to save your important stuff to OneDrive. That way, if you reset your device or uninstall an app, your info will be backed up.
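Review bot: the front matter of the new holographic-data.md declares `keywords` twice (`keywords: how-to, file picker, files, ...` near the top and `keywords: hololens` further down); YAML keeps only the later key, so the first list is silently discarded. Merge them into a single `keywords:` entry. In the same hunk, the `[!TIP]` block ("select **This Device** in the top left pane") and the paragraph immediately after it give the same instruction twice; keep the longer paragraph, which also explains the "Recent" filter, and drop the tip.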

View File

@ -137,7 +137,7 @@ Try walking around and looking at the area where you're placing the app so HoloL
Free up some storage space by doing one or more of the following:
- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](hololens-find-and-save-files.md)
- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](holographic-data.md)
- Delete some pictures and videos in the Photos app.
- Uninstall some apps from your HoloLens. In the All apps list, tap and hold the app you want to uninstall, then select **Uninstall**. (This will also delete any of the app's data stored on the device.)

View File

@ -1,66 +0,0 @@
---
title: Find and save files on HoloLens
description: Use File Explorer on HoloLens to view and manage files on your device
ms.assetid: 77d2e357-f65f-43c8-b62f-6cd9bf37070a
ms.reviewer: jarrettrenshaw
ms.date: 07/01/2019
manager: v-miegge
keywords: hololens
ms.prod: hololens
ms.sitesec: library
author: v-miegge
ms.author: v-miegge
ms.topic: article
ms.localizationpriority: medium
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Find and save files on HoloLens
Add content from [Find and save files](https://docs.microsoft.com/windows/mixed-reality/saving-and-finding-your-files)
Files you create on HoloLens, including Office documents, photos, and videos, are saved to your HoloLens. To view and manage them, you can use the File Explorer app on HoloLens or File Explorer on your PC. To sync photos and other files to the cloud, use the OneDrive app on HoloLens.
## View files on HoloLens
Use File Explorer on HoloLens to view and manage files on your device, including 3D objects, documents, and pictures. Go to Start > All apps > File Explorer on HoloLens to get started.
>[!TIP]
>If there are no files listed in File Explorer, select **This Device** in the top left pane.
## View HoloLens files on your PC
To see your HoloLens files in File Explorer on your PC:
1. Sign in to HoloLens, then plug it into the PC using the USB cable that came with the HoloLens.
1. Select **Open Device to view files with File Explorer**, or open File Explorer on the PC and navigate to the device.
>[!TIP]
>To see info about your HoloLens, right-click the device name in File Explorer on your PC, then select **Properties**.
## View HoloLens files on Windows Device Portal
>[!NOTE]
>To use Device Portal you must enable [Developer Mode](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#setting-up-hololens-to-use-windows-device-portal).
1. Enable Developer Mode and Device Portal on your HoloLens. (See note above if not enabled.)
1. Navigate to the Device Portal page on your PC.
1. To connect to a HoloLens connected to your PC type in 127.0.0.1:10080/ in your browser.
1. To connect to a HoloLens wirelessly instead navigate to your IP address.
>[!TIP]
>You may need to install a certificate, OR you may see more details and navigate to the website anyways. (Path per web broswer will differ.)
1. Once succesfully connected, on the left side of the windw you can navigate to the [File Explorer](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#file-explorer) workspace.
## Sync to the cloud
To sync photos and other files from your HoloLens to the cloud, install and set up OneDrive on HoloLens. To get OneDrive, search for it in the Microsoft Store on your HoloLens.
>[!TIP]
>HoloLens doesn't back up app files and data, so it's a good idea to save your important stuff to OneDrive. That way, if you reset your device or uninstall an app, your info will be backed up.
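Review bot: this deletion removes the whole "View HoloLens files on Windows Device Portal" section, including the note that Device Portal requires Developer Mode, while the replacement page only says "If you have enabled the Windows Device Portal, you can use it to browse, retrieve, and manage the photos and videos" with no pointer to those prerequisites. Carry the Developer Mode note (or a link to the Device Portal setup page) into the new "Connect to a PC" section, since Developer Mode and Device Portal open additional management interfaces on the device and readers should know what they are enabling before following that advice. The removed tip about being able to "see more details and navigate to the website anyways" past a certificate error should stay removed; the page should not train readers to click through certificate warnings.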

View File

@ -33,24 +33,26 @@ If your HoloLens becomes frozen or unresponsive:
If these steps don't work, you can try [recovering your device](hololens-recovery.md).
## Holograms don't look good or are moving around
## Holograms don't look good
If your holograms are unstable, jumpy, or dont look right, try one of these fixes:
If your holograms are unstable, jumpy, or dont look right, try:
- Clean your device visor and make sure that nothing is obstructing the sensors.
- Make sure that theres enough light in your room.
- Try walking around and looking at your surroundings so that HoloLens can scan them more completely.
- Try running the Calibration app. It calibrates your HoloLens to work best for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**.
- Cleaning your device visor and sensor bar on the front of your HoloLens.
- Increasing the light in your room.
- Walking around and looking at your surroundings so that HoloLens can scan them more completely.
- Calibrating your HoloLens for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**.
## HoloLens doesnt respond to my gestures
## HoloLens doesnt respond to gestures
To make sure that HoloLens can see your gestures, keep your hand in the gesture frame. The gesture frame extends a couple of feet on either side of you. When HoloLens can see your hand, the cursor changes from a dot to a ring. Learn more about [using gestures](hololens1-basic-usage.md#use-hololens-with-your-hands).
To make sure that HoloLens can see your gestures. Keep your hand in the gesture frame - when HoloLens can see your hand, the cursor changes from a dot to a ring.
Learn more about using gestures on [HoloLens (1st gen)](hololens1-basic-usage.md#use-hololens-with-your-hands) or [HoloLens 2](hololens2-basic-usage.md#the-hand-tracking-frame).
If your environment is too dark, HoloLens might not see your hand, so make sure that theres enough light.
If your visor has fingerprints or smudges, use the microfiber cleaning cloth that came with the HoloLens to clean your visor gently.
## HoloLens doesnt respond to my voice commands.
## HoloLens doesnt respond to my voice commands
If Cortana isnt responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).
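Review bot: the rewritten gesture paragraph in this hunk splits one sentence into a fragment: "To make sure that HoloLens can see your gestures. Keep your hand in the gesture frame - when HoloLens can see your hand, the cursor changes from a dot to a ring." Join it, for example "To make sure that HoloLens can see your gestures, keep your hand in the gesture frame. When HoloLens can see your hand, the cursor changes from a dot to a ring." Also note that the heading rename from "Holograms don't look good or are moving around" to "Holograms don't look good" changes the section anchor; the later hunk in this file that removes the "frequently enters Limited mode" section, which linked to the old anchor, is what keeps the page free of a dangling link, so the two changes need to land together.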
@ -64,10 +66,6 @@ If HoloLens cant map or load your space, it enters Limited mode and you won
- To see if the correct space is active, or to manually load a space, go to **Settings** > **System** > **Spaces**.
- If the correct space is loaded and youre still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space.
## My HoloLens frequently enters Limited mode or shows a “Tracking lost” message
If your device often shows a "Limited mode" or "Tracking lost" message, try the suggestions listed in [My Holograms don't look good or are moving around](#holograms-dont-look-good-or-are-moving-around).
## My HoloLens cant tell what space Im in
If your HoloLens cant identify and load the space youre in automatically, check the following factors:
@ -90,3 +88,7 @@ Youll need to free up some storage space by doing one or more of the followin
## My HoloLens cant create a new space
The most likely problem is that youre running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space.
## The HoloLens emulators isn't working
Information about the HoloLens emulator is located in our developer documentation. Read more about [troubleshooting the HoloLens emulator](https://docs.microsoft.com/windows/mixed-reality/using-the-hololens-emulator#troubleshooting).
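Review bot: the new heading "The HoloLens emulators isn't working" has a number agreement error; the body text uses the singular, so make it "The HoloLens emulator isn't working".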

View File

@ -47,7 +47,7 @@ Create the account using the Microsoft 365 admin center or by using PowerShell.
- **Skype for Business:** For Skype for Business only (on-premises or online), you can enable the Skype for Business object by running **Enable-CsMeetingRoom** to enable features such as Meeting room prompt for audio and Lobby hold.
- **Calendar:** Set **Calendar Auto processing** for this account.
- **Microsoft Teams and Skype for Business Calendar:** Set [**Calendar Auto processing**](https://docs.microsoft.com/surface-hub/surface-hub-2s-account?source=docs#set-calendar-auto-processing) for this account.
## Create account using PowerShell
Instead of using the Microsoft Admin Center portal, you can create the account using PowerShell.

View File

@ -1,5 +1,5 @@
---
title: Windows Autopilot and Surface Devices
title: Windows Autopilot and Surface devices
ms.reviewer:
manager: dansimp
description: Find out about Windows Autopilot deployment options for Surface devices.
@ -18,21 +18,27 @@ ms.date: 11/26/2019
# Windows Autopilot and Surface devices
Windows Autopilot is a cloud-based deployment technology available in Windows 10. Using Windows Autopilot, you can remotely deploy and configure devices in a zero-touch process right out of the box. Windows Autopilot registered devices are identified over the internet at first boot using a unique device signature, known as a hardware hash, and automatically enrolled and configured using modern management solutions such as Azure Active Directory (AAD) and Mobile Device Management (MDM).
Windows Autopilot is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot to remotely deploy and configure devices in a zero-touch process right out of the box.
With Surface devices, you can choose to register your devices at the time of purchase when purchasing from a Surface partner enabled for Windows Autopilot. New devices can be shipped directly to your end-users and will be automatically enrolled and configured when the units are unboxed and turned on for the first time. This process eliminates need to reimage your devices as part of your deployment process, reducing the work required of your deployment staff and opening up new, agile methods for device management and distribution.
Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a *hardware hash*. They're automatically enrolled and configured by using modern management solutions such as Azure Active Directory (Azure AD) and mobile device management.
You can register Surface devices at the time of purchase from a Surface partner that's enabled for Windows Autopilot. These partners can ship new devices directly to your users. The devices will be automatically enrolled and configured when they are first turned on. This process eliminates reimaging during deployment, which lets you implement new, agile methods of device management and distribution.
## Modern management
Autopilot is the recommended deployment option for Surface devices including Surface Pro 7, Surface Laptop 3, and Surface Pro X, which is specifically designed to be deployed with Autopilot.
Autopilot is the recommended deployment option for Surface devices, including Surface Pro 7, Surface Laptop 3, and Surface Pro X, which is specifically designed for deployment through Autopilot.
For the best experience, enroll your Surface devices with the assistance of a Microsoft Cloud Solution Provider. Doing so enables you to manage UEFI firmware settings on Surface devices directly from Intune, eliminating the need to physically touch devices for certificate management. For more information, see [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md).
It's best to enroll your Surface devices with the help of a Microsoft Cloud Solution Provider. This step allows you to manage UEFI firmware settings on Surface directly from Intune. It eliminates the need to physically touch devices for certificate management. See [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) for details.
## Windows version considerations
Support for broad deployments of Surface devices using Windows Autopilot, including enrollment performed by Surface partners at the time of purchase, requires devices manufactured with or otherwise installed with Windows 10 Version 1709 (Fall Creators Update) or later. These versions support a 4000-byte (4k) hash value to uniquely identify devices for Windows Autopilot that is necessary for deployments at scale. All new Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3 ship with Windows 10 Version 1903 or above.
Broad deployment of Surface devices through Windows Autopilot, including enrollment by Surface partners at the time of purchase, requires Windows 10 Version 1709 (Fall Creators Update) or later.
These Windows versions support a 4,000-byte (4k) hash value that uniquely identifies devices for Windows Autopilot, which is necessary for deployments at scale. All new Surface devices, including Surface Pro 7, Surface Pro X, and Surface Laptop 3, ship with Windows 10 Version 1903 or later.
## Surface partners enabled for Windows Autopilot
Enrolling Surface devices in Windows Autopilot at the time of purchase is performed by select Surface partners that enroll devices on an organizations behalf. Devices can then be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management.
Surface partners enabled for Windows Autopilot include:
Select Surface partners can enroll Surface devices in Windows Autopilot for you at the time of purchase. They can also ship enrolled devices directly to your users. The devices can be configured entirely through a zero-touch process by using Windows Autopilot, Azure AD, and mobile device management.
Surface partners that are enabled for Windows Autopilot include:
- [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp)
- [Atea](https://www.atea.com/)
@ -47,6 +53,6 @@ Surface partners enabled for Windows Autopilot include:
- [Techdata](https://www.techdata.com/)
## Learn more
For more information about Windows Autopilot, refer to:
For more information about Windows Autopilot, see:
- [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot)
- [Windows Autopilot requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements)

View File

@ -12,7 +12,7 @@ ms.localizationpriority: Normal
# Upgrade from MBAM 2.5 to MBAM 2.5 SP1 Servicing Release Update
This article provides step-by-step instructions to upgrade Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 to MBAM 2.5 Service Pack 1 (SP1) together with the Microsoft Desktop Optimization Pack (MDOP) July 2018 servicing update in a standalone configuration.
This article provides step-by-step instructions to upgrade Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 to MBAM 2.5 Service Pack 1 (SP1) together with the [Microsoft Desktop Optimization Pack (MDOP) May 2019 servicing update](https://support.microsoft.com/help/4505175/may-2019-servicing-release-for-microsoft-desktop-optimization-pack) in a standalone configuration.
In this guide, we will use a two-server configuration. One server will be a database server that's running Microsoft SQL Server 2016. This server will host the MBAM databases and reports. The other server will be a Windows Server 2012 R2 web server. This server will host "Administration and Monitoring" and "Self-Service Portal."

View File

@ -1,6 +1,6 @@
---
title: EnterpriseDataProtection CSP
description: The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings.
description: The EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3
ms.reviewer:
manager: dansimp
@ -249,7 +249,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don&#39;t revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys
- 1 (dafault) - Revoke keys
- 1 (default) - Revoke keys
<p style="margin-left: 20px">Supported operations are Add, Get, Replace and Delete. Value type is integer.

View File

@ -1,6 +1,6 @@
---
title: NetworkQoSPolicy DDF
description: This topic shows the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML.
description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML
ms.assetid:
ms.reviewer:
manager: dansimp
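Review bot: the new NetworkQoSPolicy DDF description drops the trailing period ("...used only with OMA DM provisioning XML"), while the PassportForWork DDF description edited in this same commit keeps it; end the sentence with a period so the three DDF page descriptions are consistent.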

View File

@ -1,6 +1,6 @@
---
title: PassportForWork DDF
description: This topic shows the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML.
description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B
ms.reviewer:
manager: dansimp

View File

@ -1,6 +1,6 @@
---
title: SecureAssessment DDF file
description: This topic shows the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML.
description: View the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML
ms.assetid: 68D17F2A-FAEA-4608-8727-DBEC1D7BE48A
ms.reviewer:
manager: dansimp
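Review bot: the new SecureAssessment DDF description also ends without a period ("...used only with OMA DM provisioning XML"); add it to match the PassportForWork DDF description in this commit.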

View File

@ -1,6 +1,6 @@
---
title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization (Windows 10)
description: How to set up Cortana to help your salespeople get proactive insights on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time.
description: How to set up Cortana to give salespeople insights on important CRM activities, including sales leads, accounts, and opportunities.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library

View File

@ -1,50 +1,51 @@
---
title: Configure MDT settings (Windows 10)
description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization.
ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
ms.reviewer:
manager: laurawi
ms.author: greglin
keywords: customize, customization, deploy, features, tools
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro author: greg-lindsay
ms.topic: article
---
# Configure MDT settings
One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
![figure 1](../images/mdt-09-fig01.png)
Figure 1. The machines used in this topic.
## In this section
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
## Related topics
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
---
title: Configure MDT settings (Windows 10)
description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities. Learn how to customize your environment.
ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
ms.reviewer:
manager: laurawi
ms.author: greglin
keywords: customize, customization, deploy, features, tools
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro
author: greg-lindsay
ms.topic: article
---
# Configure MDT settings
One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
![figure 1](../images/mdt-09-fig01.png)
Figure 1. The machines used in this topic.
## In this section
- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
- [Use web services in MDT](use-web-services-in-mdt.md)
- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
## Related topics
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
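Review bot: the old front matter had `audience: itpro author: greg-lindsay` on a single line, which makes `author` part of the `audience` value rather than its own key; splitting them onto separate lines as this hunk does is the right fix. Since the whole file is rewritten here, also fix the machine list in the second body paragraph: it says "we will use four machines: DC01, MDT01, HV01, and PC0001" but then describes OR01 (Orchestrator) and never HV01, and later names "MDT01, OR01, and PC0001" as domain members. Either replace HV01 with OR01 in the list or add a sentence describing HV01.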

View File

@ -1,6 +1,6 @@
---
title: Integrate Configuration Manager with MDT (Windows 10)
description: This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system.
description: Understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy Windows.
ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5
ms.reviewer:
manager: laurawi

View File

@ -1,6 +1,6 @@
---
title: Prepare for deployment with MDT (Windows 10)
description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
description: Learn how to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
ms.reviewer:
manager: laurawi

View File

@ -1,69 +1,70 @@
---
title: SUA User's Guide (Windows 10)
description: You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows.
ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
audience: itpro author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
# SUA User's Guide
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows.
You can use SUA in either of the following ways:
- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for additional analysis.
- **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><a href="using-the-sua-wizard.md" data-raw-source="[Using the SUA Wizard](using-the-sua-wizard.md)">Using the SUA Wizard</a></p></td>
<td align="left"><p>The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="using-the-sua-tool.md" data-raw-source="[Using the SUA Tool](using-the-sua-tool.md)">Using the SUA Tool</a></p></td>
<td align="left"><p>By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.</p></td>
</tr>
</tbody>
</table>
---
title: SUA User's Guide (Windows 10)
description: Standard User Analyzer (SUA) can test your apps and monitor API calls to detect compatibility issues related to Windows' User Account Control (UAC) feature.
ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
# SUA User's Guide
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows.
You can use SUA in either of the following ways:
- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for additional analysis.
- **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p><a href="using-the-sua-wizard.md" data-raw-source="[Using the SUA Wizard](using-the-sua-wizard.md)">Using the SUA Wizard</a></p></td>
<td align="left"><p>The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="using-the-sua-tool.md" data-raw-source="[Using the SUA Tool](using-the-sua-tool.md)">Using the SUA Tool</a></p></td>
<td align="left"><p>By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.</p></td>
</tr>
</tbody>
</table>
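Review bot: the new `description` reads awkwardly with the possessive "Windows' User Account Control (UAC) feature"; "the Windows User Account Control (UAC) feature", the phrasing the body text uses two lines below the heading, is cleaner and consistent. Splitting `audience: itpro author: greg-lindsay` into `audience: itpro` and `author: greg-lindsay` is the right fix: on one line YAML takes the whole of `itpro author: greg-lindsay` as the value of `audience`, so `author` was never set as its own key, which matches the +1 line count in the hunk header.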

View File

@ -1,113 +1,114 @@
---
title: Using the Sdbinst.exe Command-Line Tool (Windows 10)
description: You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied.
ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
audience: itpro author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
# Using the Sdbinst.exe Command-Line Tool
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2008 R2
You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations.
After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application.
## Command-Line Options for Deploying Customized Database Files
Sample output from the command `Sdbinst.exe /?` in an elevated CMD window:
```
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>Sdbinst.exe /?
Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"
-? - print this help text.
-p - Allow SDBs containing patches.
-q - Quiet mode: prompts are auto-accepted.
-u - Uninstall.
-g {guid} - GUID of file (uninstall only).
-n "name" - Internal name of file (uninstall only).
C:\Windows\system32>_
```
The command-line options use the following conventions:
Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
The following table describes the available command-line options.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Option</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>-?</p></td>
<td align="left"><p>Displays the Help for the Sdbinst.exe tool.</p>
<p>For example,</p>
<p><code>sdbinst.exe -?</code></p></td>
</tr>
<tr class="even">
<td align="left"><p>-p</p></td>
<td align="left"><p>Allows SDBs installation with Patches</p>
<p>For example,</p>
<p><code>sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p>-q</p></td>
<td align="left"><p>Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).</p>
<p>For example,</p>
<p><code>sdbinst.exe -q</code></p></td>
</tr>
<tr class="even">
<td align="left"><p>-u <em>filepath</em></p></td>
<td align="left"><p>Performs an uninstallation of the specified database.</p>
<p>For example,</p>
<p><code>sdbinst.exe -u C:\example.sdb</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p>-g <em>GUID</em></p></td>
<td align="left"><p>Specifies the customized database to uninstall by a globally unique identifier (GUID).</p>
<p>For example,</p>
<p><code>sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3</code></p></td>
</tr>
<tr class="even">
<td align="left"><p>-n <em>&quot;name&quot;</em></p></td>
<td align="left"><p>Specifies the customized database to uninstall by file name.</p>
<p>For example,</p>
<p><code>sdbinst.exe -n &quot;My_Database&quot;</code></p></td>
</tr>
</tbody>
</table>
## Related topics
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
---
title: Using the Sdbinst.exe Command-Line Tool (Windows 10)
description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command line options.
ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.date: 04/19/2017
ms.topic: article
---
# Using the Sdbinst.exe Command-Line Tool
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2008 R2
You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations.
After you deploy and store the customized databases on each of your local computers, you must register the database files. Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application.
## Command-Line Options for Deploying Customized Database Files
Sample output from the command `Sdbinst.exe /?` in an elevated CMD window:
```
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>Sdbinst.exe /?
Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"
-? - print this help text.
-p - Allow SDBs containing patches.
-q - Quiet mode: prompts are auto-accepted.
-u - Uninstall.
-g {guid} - GUID of file (uninstall only).
-n "name" - Internal name of file (uninstall only).
C:\Windows\system32>_
```
The command-line options use the following conventions:
Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
The following table describes the available command-line options.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Option</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>-?</p></td>
<td align="left"><p>Displays the Help for the Sdbinst.exe tool.</p>
<p>For example,</p>
<p><code>sdbinst.exe -?</code></p></td>
</tr>
<tr class="even">
<td align="left"><p>-p</p></td>
<td align="left"><p>Allows SDBs installation with Patches</p>
<p>For example,</p>
<p><code>sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p>-q</p></td>
<td align="left"><p>Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).</p>
<p>For example,</p>
<p><code>sdbinst.exe -q</code></p></td>
</tr>
<tr class="even">
<td align="left"><p>-u <em>filepath</em></p></td>
<td align="left"><p>Performs an uninstallation of the specified database.</p>
<p>For example,</p>
<p><code>sdbinst.exe -u C:\example.sdb</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p>-g <em>GUID</em></p></td>
<td align="left"><p>Specifies the customized database to uninstall by a globally unique identifier (GUID).</p>
<p>For example,</p>
<p><code>sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3</code></p></td>
</tr>
<tr class="even">
<td align="left"><p>-n <em>&quot;name&quot;</em></p></td>
<td align="left"><p>Specifies the customized database to uninstall by file name.</p>
<p>For example,</p>
<p><code>sdbinst.exe -n &quot;My_Database&quot;</code></p></td>
</tr>
</tbody>
</table>
## Related topics
[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
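Review bot: the `-p` row still reads "Allows SDBs installation with Patches", which is ungrammatical and less precise than the tool's own help text captured above ("Allow SDBs containing patches."); suggest "Allows installation of SDBs that contain patches". Two further points in the visible context of this hunk: the conventions line `Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]` lists `-u` and `-g` twice, and the `-q` example `sdbinst.exe -q` has no `.sdb` argument even though the captured usage line shows `-q` as a modifier that still requires `myfile.sdb`. The `-n[:WIN32|WIN64]` form in the captured help output is also not explained in the table. The `audience`/`author` split in the front matter is correct for the same reason as in the other files in this commit.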

View File

@ -1,6 +1,6 @@
---
title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
description: The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.
description: You can use the Events screen to record and view activities in the Compatibility Administrator tool.
ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3
ms.reviewer:
manager: laurawi

View File

@ -1,43 +1,44 @@
---
title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10)
description: The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
audience: itpro author: greg-lindsay
ms.date: 04/25/2017
ms.topic: article
---
# Volume Activation Management Tool (VAMT) Technical Reference
The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
- Windows® 7 or above
- Windows Server 2008 R2 or above
**Important**  
VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or obove), Microsoft Office 2010 (or above).
VAMT is only available in an EN-US (x86) package.
## In this Section
|Topic |Description |
|------|------------|
|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. |
|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. |
|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. |
|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. |
---
title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10)
description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation.
ms.assetid: 1df0f795-f41c-473b-850c-e98af1ad2f2a
ms.reviewer:
manager: laurawi
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
audience: itpro
author: greg-lindsay
ms.date: 04/25/2017
ms.topic: article
---
# Volume Activation Management Tool (VAMT) Technical Reference
The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
- Windows® 7 or above
- Windows Server 2008 R2 or above
**Important**  
VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or later), Microsoft Office 2010 (or above).
VAMT is only available in an EN-US (x86) package.
## In this Section
|Topic |Description |
|------|------------|
|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. |
|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. |
|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. |
|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. |
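Review bot: the "obove" to "later" correction leaves the Important note mixing "Windows Server 2008 (or later)" with "Microsoft Office 2010 (or above)"; use "or later" for both. Also visible in the hunk: "requires the Microsoft Management Console (MMC) 3.0" repeats the expansion already given earlier in the same sentence ("MMC 3.0" is enough), and the heading "## In this Section" is capitalized differently from "## In this section" in the other files touched by this commit. Dropping the product list from the `description` is fine since the first body sentence keeps it.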

View File

@ -1,275 +1,277 @@
---
title: Windows 10 deployment scenarios (Windows 10)
description: To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider.
ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5
ms.reviewer:
manager: laurawi
ms.audience: itpro author: greg-lindsay
keywords: upgrade, in-place, configuration, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.date: 11/06/2018
audience: itpro author: greg-lindsay
ms.topic: article
---
# Windows 10 deployment scenarios
**Applies to**
- Windows 10
To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home).
- Dynamic deployment methods enable you to configure applications and settings for specific use cases.
- Traditional deployment methods use existing tools to deploy operating system images.<br>&nbsp;
<table border="0">
<tr><td align="center" style="width:16%; border:1;" bgcolor='#a0e4fa'><b>Category</b></td>
<td align="center" style="width:16%; border:1;" bgcolor='#a0e4fa'><b>Scenario</b></td>
<td align="center" style="width:16%; border:1;" bgcolor='#a0e4fa'><b>Description</b></td>
<td align="center" style="width:16%; border:1;" bgcolor='#a0e4fa'><b>More information</b></td></tr>
<tr><td align='center' valign='middle' style='width:16%; border:1;' rowspan="2">Modern</td>
<td align="center">
[Windows Autopilot](#windows-autopilot)</td>
<td align="center" style="width:16%; border:1;">
Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
</td>
<td align="center" style="width:16%; border:1;">
<a href="https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot">Overview of Windows Autopilot</a>
</td>
</tr>
<tr>
<td align="center" style="width:16%; border:1;">
[In-place upgrade](#in-place-upgrade)
</td>
<td align="center" style="width:16%; border:1;">
Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.
</td>
<td align="center" style="width:16%; border:1;">
<a href="https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit">Perform an in-place upgrade to Windows 10 with MDT</a><br><a href="https://docs.microsoft.com/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager">Perform an in-place upgrade to Windows 10 using Configuration Manager</a>
</td>
</tr>
<tr>
<td align="center" style="width:16%; border:1;" rowspan="3">
Dynamic
</td>
<td align="center" style="width:16%; border:1;">
[Subscription Activation](#windows-10-subscription-activation)
</td>
<td align="center" style="width:16%; border:1;">
Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.
</td>
<td align="center" style="width:16%; border:1;">
<a href="https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation">Windows 10 Subscription Activation</a>
</td>
</tr>
<tr>
<td align="center" style="width:16%; border:1;">
[AAD / MDM](#dynamic-provisioning)
</td>
<td align="center" style="width:16%; border:1;">
The device is automatically joined to AAD and configured by MDM.
</td>
<td align="center" style="width:16%; border:1;">
<a href="https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm">Azure Active Directory integration with MDM</a>
</td>
</tr>
<tr>
<td align="center" style="width:16%; border:1;">
[Provisioning packages](#dynamic-provisioning)
</td>
<td align="center" style="width:16%; border:1;">
Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.
</td>
<td align="center" style="width:16%; border:1;">
<a href="https://docs.microsoft.com/windows/configuration/configure-devices-without-mdm">Configure devices without MDM</a>
</td>
</tr>
<tr>
<td align="center" style="width:16%; border:1;" rowspan="3">
Traditional
</td>
<td align="center" style="width:16%; border:1;">
[Bare metal](#new-computer)
</td>
<td align="center" style="width:16%; border:1;">
Deploy a new device, or wipe an existing device and deploy with a fresh image.
</td>
<td align="center" style="width:16%; border:1;">
<a href="https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt">Deploy a Windows 10 image using MDT</a><br><a href="https://docs.microsoft.com/sccm/osd/deploy-use/install-new-windows-version-new-computer-bare-metal">Install a new version of Windows on a new computer with System Center Configuration Manager</a>
</td>
</tr>
<tr>
<td align="center" style="width:16%; border:1;">
[Refresh](#computer-refresh)
</td>
<td align="center" style="width:16%; border:1;">
Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state.
</td>
<td align="center" style="width:16%; border:1;">
<a href="https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10">Refresh a Windows 7 computer with Windows 10</a><br><a href="https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager">Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager</a>
</td>
</tr>
<tr>
<td align="center" style="width:16%; border:1;">
[Replace](#computer-replace)
</td>
<td align="center" style="width:16%; border:1;">
Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.
</td>
<td align="center" style="width:16%; border:1;">
<a href="https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer">Replace a Windows 7 computer with a Windows 10 computer</a><br><a href="https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager">Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager</a>
</td>
</tr>
</table>
<br>&nbsp;
>[!IMPORTANT]
>The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.<br>
>Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
## Modern deployment methods
Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience.
### Windows Autopilot
Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
### In-place upgrade
For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure.
Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like System Center Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process.
Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.)
Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
- [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
- [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS.
- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken.
## Dynamic provisioning
For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this.
The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
### Windows 10 Subscription Activation<A ID="windows-10-subscription-activation"></A>
Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation).
### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment
In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
### Provisioning package configuration
Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm).
These scenarios can be used to enable “choose your own device” (CYOD) programs, where the organization's users can pick their own PC and are not restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios).
While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts.
## Traditional deployment
New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [System Center Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.
The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary:
- **New computer.** A bare-metal deployment of a new machine.
- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
### New computer
Also called a "bare metal" deployment. This scenario occurs when you have a blank machine you need to deploy, or an existing machine you want to wipe and redeploy without needing to preserve any existing data. The setup starts from boot media, using CD, USB, ISO, or Pre-Boot Execution Environment (PXE). You can also generate full offline media that includes all the files needed for a client deployment, allowing you to deploy without having to connect to a central deployment share. The target can be a physical computer, a virtual machine, or a Virtual Hard Disk (VHD) running on a physical computer (boot from VHD).
The deployment process for the new machine scenario is as follows:
1. Start the setup from boot media (CD, USB, ISO, or PXE).
2. Wipe the hard disk clean and create new volume(s).
3. Install the operating system image.
4. Install other applications (as part of the task sequence).
After taking these steps, the computer is ready for use.
### Computer refresh
A refresh is sometimes called wipe-and-load. The process is normally initiated in the running operating system. User data and settings are backed up and restored later as part of the deployment process. The target can be the same as for the new computer scenario.
The deployment process for the wipe-and-load scenario is as follows:
1. Start the setup on a running operating system.
2. Save the user state locally.
3. Wipe the hard disk clean (except for the folder containing the backup).
4. Install the operating system image.
5. Install other applications.
6. Restore the user state.
After taking these steps, the machine is ready for use.
### Computer replace
A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
The deployment process for the replace scenario is as follows:
1. Save the user state (data and settings) on the server through a backup job on the running operating system.
2. Deploy the new computer as a bare-metal deployment.
**Note**<br>In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.
## Related topics
- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Upgrade to Windows 10 with System Center Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357)
- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358)
- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359)

View File

@ -1,6 +1,6 @@
---
title: Windows 10 deployment scenarios and tools
description: To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process.
description: Learn about the tools you can use to deploy Windows 10 and related applications to your organization. Explore deployment scenarios.
ms.assetid: 0d6cee1f-14c4-4b69-b29a-43b0b327b877
ms.reviewer:
manager: laurawi

View File

@ -1,6 +1,6 @@
---
title: Manage Windows Defender Credential Guard (Windows 10)
description: Deploying and managing Windows Defender Credential Guard using Group Policy, the registry, or the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool.
description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library

View File

@ -1,6 +1,6 @@
---
title: Windows Hello biometrics in the enterprise (Windows 10)
description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc
ms.reviewer:
keywords: Windows Hello, enterprise biometrics
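Review bot: the comma in the new `description:` value ("guard against potential spoofing, through fingerprint matching and facial recognition") separates the verb from the means by which it acts and reads as a stray pause; drop it so the sentence runs "...guard against potential spoofing through fingerprint matching and facial recognition."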

View File

@ -1,6 +1,6 @@
---
title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
description: This topic for IT professional provides information about how smart card technology can fit into your authentication design, and provides links to additional topics about virtual smart cards.
description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library

View File

@ -1,6 +1,6 @@
---
title: BitLocker Upgrading FAQ (Windows 10)
description: Learn more about upgrading systems that have BitLocker enabled.
description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
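Review bot: the new `description:` value has a stray comma after "such as" ("Find frequently asked questions, such as, "Can I upgrade..."); the conventional form is "such as "Can I upgrade to Windows 10 with BitLocker enabled?"" with no comma before the quotation.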

View File

@ -1,6 +1,6 @@
---
title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
ms.reviewer:
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection

View File

@ -1,6 +1,6 @@
---
title: Audit Detailed Directory Service Replication (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Detailed Directory Service Replication, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers.
description: The Audit Detailed Directory Service Replication setting decides if audit events contain detailed tracking info about data replicated between domain controllers
ms.assetid: 1b89c8f5-bce7-4b20-8701-42585c7ab993
ms.reviewer:
manager: dansimp
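Review bot: the new `description:` value ends without a terminal period ("...about data replicated between domain controllers"), unlike every other rewritten description in this commit; add the period. For consistency with the sibling Audit topics in the same change (Audit File System, Audit Logoff), which use "determines if", consider "determines if" in place of "decides if".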

View File

@ -1,6 +1,6 @@
---
title: Audit File System (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects.
description: The Advanced Security Audit policy setting, Audit File System, determines if audit events are generated when users attempt to access file system objects.
ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
ms.reviewer:
manager: dansimp

View File

@ -1,6 +1,6 @@
---
title: Audit Group Membership (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC.
description: The advanced security audit policy setting, Audit Group Membership, enables you to audit group memberships when they are enumerated on the client PC.
ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
ms.reviewer:
manager: dansimp

View File

@ -1,6 +1,6 @@
---
title: Audit Handle Manipulation (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
description: The Advanced Security Audit policy setting, Audit Handle Manipulation, determines if audit events are generated when a handle to an object is opened or closed.
ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
ms.reviewer:
manager: dansimp

View File

@ -1,6 +1,6 @@
---
title: Audit IPsec Quick Mode (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
description: The policy setting, Audit IPsec Quick Mode, decides if audit events are generated for the results of the IKE protocol and AuthIP during Quick Mode negotiations.
ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
ms.reviewer:
manager: dansimp
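Review bot: the shortened description drops the expansions of IKE and AuthIP that the old line carried ("Internet Key Exchange (IKE)", "Authenticated Internet Protocol (AuthIP)"), and AuthIP in particular is not an acronym a reader scanning search results can be expected to know. If the length budget allows, keep at least "Authenticated Internet Protocol (AuthIP)"; otherwise consider "The policy setting, Audit IPsec Quick Mode, decides if audit events are generated for IKE and AuthIP results during Quick Mode negotiations." and spend the saved characters on the expansion.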

View File

@ -1,6 +1,6 @@
---
title: Audit Logoff (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated.
description: The Advanced Security Audit policy setting, Audit Logoff, determines if audit events are generated when logon sessions are terminated.
ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
ms.reviewer:
manager: dansimp

View File

@ -1,6 +1,6 @@
---
title: Audit Other Logon/Logoff Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events.
description: The Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, determines if Windows generates audit events for other logon or logoff events.
ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
ms.reviewer:
manager: dansimp

View File

@ -1,6 +1,6 @@
---
title: Audit Other Object Access Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects.
description: The policy setting, Audit Other Object Access Events, determines if audit events are generated for the management of Task Scheduler jobs or COM+ objects.
ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
ms.reviewer:
manager: dansimp

View File

@ -1,6 +1,6 @@
---
title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. (Windows 10)
description: Describes security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
description: Security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
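Review bot: the trimmed description loses the second sentence of the event's meaning ("The other parts of the rule will be enforced."), which is the point an admin triaging 4952(F) needs: the firewall rule is partially applied, not discarded. The title still carries that sentence, so this is acceptable only if the description length limit forces it; otherwise keep it, since the description is what shows in search results.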

View File

@ -1,6 +1,6 @@
---
title: File System (Global Object Access Auditing) (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, File System (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the file system for an entire computer.
description: The policy setting, File System (Global Object Access Auditing), enables you to configure a global system access control list (SACL) for an entire computer.
ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b
ms.reviewer:
ms.author: dansimp
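Review bot: dropping "on the file system" removes the only phrase in the description that distinguishes this setting from the Registry (Global Object Access Auditing) setting, which also configures a computer-wide SACL. Suggest "The policy setting, File System (Global Object Access Auditing), enables you to configure a global system access control list (SACL) on the file system for an entire computer." and, if that is too long, shorten "system access control list (SACL)" to "SACL" rather than dropping the object type.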

View File

@ -1,6 +1,6 @@
---
title: Monitor resource attribute definitions (Windows 10)
description: This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.
description: Learn how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.
ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Monitor the use of removable storage devices (Windows 10)
description: This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.
description: Learn how advanced security auditing options can be used to monitor attempts to use removable storage devices to access network resources.
ms.assetid: b0a9e4a5-b7ff-41c6-96ff-0228d4ba5da8
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Monitor user and device claims during sign-in (Windows 10)
description: This topic for the IT professional describes how to monitor user and device claims that are associated with a users security token when you are using advanced security auditing options to monitor dynamic access control objects.
description: Learn how to monitor user and device claims that are associated with a users security token. This advice assumes you have deployed Dynamic Access Control.
ms.assetid: 71796ea9-5fe4-4183-8475-805c3c1f319f
ms.reviewer:
ms.author: dansimp
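Review bot: "a users security token" on the new description line needs an apostrophe ("a user's security token"); the removed line had the same typo and this hunk is the place to fix it. The added second sentence ("This advice assumes you have deployed Dynamic Access Control.") is a fair condensation of the old "when you are using advanced security auditing options to monitor dynamic access control objects", but make sure the topic body actually states that prerequisite, since the description now promises it.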

View File

@ -1,6 +1,6 @@
---
title: Using advanced security auditing options to monitor dynamic access control objects (Windows 10)
description: This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
description: Domain admins can set up advanced security audit options in Windows 10 to target specific users, or monitor potentially significant activity on multiple devices
ms.assetid: 0d2c28ea-bdaf-47fd-bca2-a07dce5fed37
ms.reviewer:
ms.author: dansimp
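Review bot: the new description is missing its terminal period, and the comma in "target specific users, or monitor potentially significant activity" splits a two-item "or" and should go. The rewrite also narrows the claim from "settings and events that were introduced in Windows 8 and Windows Server 2012" to "Domain admins ... in Windows 10"; confirm the guide body supports the "domain admins" framing before this ships as the search snippet, since the original made no statement about who performs the setup.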

Binary file not shown.

After

Width:  |  Height:  |  Size: 288 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 305 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 498 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 370 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 305 KiB

View File

@ -19,6 +19,10 @@ ms.topic: conceptual
# What's new in Microsoft Defender Advanced Threat Protection for Mac
## 100.80.42
- Bug fixes
## 100.79.42
- Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine
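Review bot: a release entry that says only "Bug fixes" gives an admin nothing to decide whether 100.80.42 is worth rolling out or whether an issue they are hitting has been fixed; list the fixed issues, as the 100.79.42 entry directly below does for the Time Machine interference, or link to the detailed release notes if they live elsewhere.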

View File

@ -1,7 +1,7 @@
---
title: Microsoft Cloud App Security integration overview
ms.reviewer:
description: Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage
description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) integrates with Cloud App Security by forwarding all cloud app networking activities.
keywords: cloud, app, networking, visibility, usage
search.product: eADQiWindows 10XVcnh
search.appverid: met150

View File

@ -44,9 +44,18 @@ The following features are included in the preview release:
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR>Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019.
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR>Report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
- [Threat & Vulnerability Management application version end-of-life information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#navigate-through-your-security-recommendations)
<BR>Application versions which have reached their end-of-life are labeled or tagged as such so you are aware that they will no longer be supported, and can take action to either install the latest version or uninstall and replace them. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR>Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table) <BR> You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR>See a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
- [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) <BR> You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.
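Review bot: the re-added supported-platforms bullet changes "Windows Server 2008 R2" and "Windows Server 2012 R2" to "2008R2" and "2012R2", dropping the space that the removed line had right in the product names; restore it. In the new "granular exploit details" bullet, "to give you informed decision" should be "an informed decision", and "activity groups for which, Threat Analytics report links are provided" has the comma on the wrong side of "which" ("activity groups, for which Threat Analytics report links are provided"). The new end-of-life bullet's action text ("install the latest version or uninstall and replace them") is the right one; the what's-new page touched later in this commit still says only "uninstall or replace" and should be aligned with it.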

View File

@ -182,6 +182,23 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
```
## Conduct an inventory of software or software versions which have reached their end-of-life
End-of-life for software or software versions means that they will no longer be supported nor serviced. When you use software or software versions which have reached their end-of-life, you're exposing your organization to security vulnerabilities, legal, and financial risks.
It is crucial for you as Security and IT Administrators to work together and ensure that your organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem.
To conduct an inventory of software or software versions which have reached their end of life:
1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**.
2. Go to the **Filters** panel and select **Software uninstall** from **Remediation Type** options if you want to see the list of software recommendations associated with software which have reached their end-of-life (tagged as **EOL software**). Select **Software update** from **Remediation Type** options if you want to see the list of software recommendations associated with software and software versions which have reached their end-of-life (tagged as **EOL versions installed**).
3. Select a software that you'd like to investigate. A fly-out screen opens where you can select **Open software page**.
![Screenshot of Security recommendation for a software that reached its end of life page](images/secrec_flyout.png)
4. In the **Software page** select the **Version distribution** tab to know which versions of the software have reached their end-of-life, and how many vulnerabilities were discovered in it.
![Screenshot of software details for a software that reached its end of life](images/secrec_sw_details.png)
After you have identified which software and software versions are vulnerable due to its end-of-life status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
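Review bot: grammar on the added lines: "lower your organizations exposure" needs "organization's"; "Select a software that you'd like to investigate" should be "Select the software"; "how many vulnerabilities were discovered in it" refers to plural versions, so "in them"; and "In the **Software page** select" wants a comma after the bold name, as step 2 has. The opening paragraph's "It is crucial for you as Security and IT Administrators to work together" is addressed to one reader but describes two roles; "Security and IT administrators need to work together" is cleaner. Step 2 also spells the tag as **EOL versions installed** while the software inventory page in this same commit calls the filter **Version EOL**; confirm both labels match the portal.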

View File

@ -1,6 +1,6 @@
---
title: What's in the dashboard and what it means for my organization's security posture
description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions to address cybersecurity threat vulnerabilities and build their organization's security resilience.
description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their org's security resilience.
keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
search.appverid: met150
search.product: eADQiWindows 10XVcnh
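Review bot: "org's" is an abbreviation none of the other descriptions rewritten in this commit use; they spell out "organization" or "organization's". If the character budget is the reason, trim "cybersecurity threats" to "threats" instead and keep "organization's security resilience".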
@ -52,16 +52,16 @@ Area | Description
(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
**Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
**Security recommendations** | See the list of security recommendations, their related components, whether the software in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
**Security recommendations** | See the list of security recommendations, their related components, whether software or software versions in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
**Software inventory** | See the list of software, versions, weaknesses, whether theres an exploit found on the software, whether the software has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
**Software inventory** | See the list of software, versions, weaknesses, whether theres an exploit found on the software, whether the software or software version has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages only.
**Organization Exposure score** | See the current state of your organizations device exposure to threats and vulnerabilities. Several factors affect your organizations exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. See [Exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) for more information.
**Organization Configuration score** | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. You can click the bars and it takes you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information.
**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it takes you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organizations risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![Possible active alert](images/tvm_alert_icon.png), associated public exploits ![Threat insight](images/tvm_bug_icon.png), and recommendation insights ![Recommendation insight](images/tvm_insight_icon.png). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organizations risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![Possible active alert](images/tvm_alert_icon.png), associated public exploits ![Threat insight](images/tvm_bug_icon.png), and recommendation insights ![Recommendation insight](images/tvm_insight_icon.png). Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached its end-of-life, or if the vulnerable version requires security updates and needs to be updated to the latest one). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your networks devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions.
**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
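Review bot: the modified **Security recommendations** row keeps "number or exposed devices" from the old line; it should read "number of exposed devices". In the modified **Top security recommendations** row, "Useful icons also quickly calls" and "Tags also indicates" need plural verbs ("call", "indicate"), and "organizations risk exposure" needs "organization's". The new tag sentence nests two parentheticals inside one list; it reads more easily as three short items: "**Configuration change**; **Software uninstall**, for software that has reached its end-of-life; and **Software update**, for a version that has reached its end-of-life or needs security updates."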

View File

@ -1,6 +1,6 @@
---
title: Exposure score
description: Your exposure level reflects how vulnerable your organization is to cybersecurity threats. Apply the Threat & Vulnerability Management security recommendations to keep your exposure level low.
description: The Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) exposure score reflects how vulnerable your organization is to cybersecurity threats.
keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score
search.product: eADQiWindows 10XVcnh
search.appverid: met150

View File

@ -50,8 +50,11 @@ You can access the remediation page in a few places in the portal:
If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
*Remediation in the navigation menu*
1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. You can filter your view based on remediation type, machine remediation progress, and exception justification. If you want to see the remediation activities of software which have reached their end-of-life, select **Software uninstall** from the **Remediation type** filter.
2. Select the remediation activity that you need to see or process.
1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. You can filter your view based on remediation type, machine remediation progress, and exception justification. If you want to see the remediation activities of software which have reached their end-of-life, select **Software uninstall** from the **Remediation type** filter. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Software update** from the **Remediation type** filter. Select **In progress** then click **Apply**.
![Screenshot of the remediation page filters for software update and uninstall](images/remediation_swupdatefilter.png)
2. Select the remediation activity that you need to see or process.
![Screenshot of the remediation page flyout for a software which reached its end-of-life](images/remediation_flyouteolsw.png)
*Top remediation activities widget in the dashboard*
1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** widget. The list is sorted and prioritized based on what is listed in the **Top security recommendations**.
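Review bot: the new trailing instruction "Select **In progress** then click **Apply**." reads as part of the end-of-life filtering, but **In progress** is a machine remediation progress value, not a remediation type; a reader following the sentence literally will also hide completed and pending activities. Either present it as an optional extra filter ("You can also narrow the list by progress, for example **In progress**, and then click **Apply**.") or drop it. Also, the removed and re-added step 2 lines are textually identical, which suggests a whitespace-only change; check for a stray trailing space before merging.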

View File

@ -53,7 +53,7 @@ You can click on each one of them and see the details, the description, the pote
From that page, you can do any of the following depending on what you need to do:
- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software end-of-life, and charts so you can see the exposure trend over time.
- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-life, and charts so you can see the exposure trend over time.
- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.

View File

@ -28,9 +28,10 @@ ms.date: 04/11/2019
Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
## Navigate through your software inventory
1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software have reached their end-of-life.
1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached their end-of-life.
![Screenshot of software inventory page](images/software_inventory_filter.png)
2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**.
3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified. From the **Version distribution** tab, you can also filter the view by **Version EOL** if you want to see the software versions that has reached their end-of-life which needs to be uninstalled, replaced, or updated.
## How it works
In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
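Review bot: The new sentence added to step 3 has two agreement errors: "software versions that has reached their end-of-life which needs to be uninstalled" should read "software versions that have reached their end-of-life and need to be uninstalled, replaced, or updated". The same step still says "devices exposed, installed machines", which mixes "devices" and "machines" for the same concept; pick one term, since the inventory page itself uses "exposed machines".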

View File

@ -35,7 +35,7 @@ For more information preview features, see [Preview features](https://docs.micro
- [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) <BR>Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
- [Threat & Vulnerability Management application end-of-life tag](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) <BR>Applications which have reached their end-of-life are tagged or labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
- [Threat & Vulnerability Management application end-of-life tag](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) <BR>Applications and application versions which have reached their end-of-life are tagged or labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
## October 2019

View File

@ -1,6 +1,6 @@
---
title: Allow log on through Remote Desktop Services (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on through Remote Desktop Services security policy setting.
description: Best practices, location, values, policy management, and security considerations for the security policy setting, Allow log on through Remote Desktop Services.
ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (Windows 10)
description: Describes the best practices, location, values, and security considerations for the DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax security policy setting.
description: Best practices and more for the security policy setting, DCOM Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax.
ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Domain member Digitally encrypt or sign secure channel data (always) (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt or sign secure channel data (always) security policy setting.
description: Best practices, location, values, and security considerations for the policy setting, Domain member Digitally encrypt or sign secure channel data (always).
ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf
ms.reviewer:
ms.author: dansimp
@ -37,7 +37,7 @@ The following policy settings determine whether a secure channel can be establis
Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data.
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows othat has joined a domain to have access to the user account database in its domain and in any trusted domains.
To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows that has joined a domain to have access to the user account database in its domain and in any trusted domains.
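Review bot: The "othat" to "that" fix is correct; while touching this line, "man-in-the-middle, replay, and other types of network attacks" would read more precisely as "man-in-the-middle attacks, replay attacks, and other network attacks", and "a device running Windows that has joined a domain" is simpler as "a domain-joined Windows device".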
To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data.

View File

@ -1,6 +1,6 @@
---
title: Domain member Digitally encrypt secure channel data (when possible) (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Digitally encrypt secure channel data (when possible) security policy setting.
description: Best practices, security considerations, and more for the security policy setting, Domain member Digitally encrypt secure channel data (when possible).
ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Domain member Digitally sign secure channel data (when possible) (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Domain member Digitally sign secure channel data (when possible) security policy setting.
description: Best practices, location, values, and security considerations for the security policy setting, Domain member Digitally sign secure channel data (when possible).
ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Interactive logon Message title for users attempting to log on (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Message title for users attempting to log on security policy setting.
description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on.
ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Interactive logon Smart card removal behavior (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Smart card removal behavior security policy setting.
description: Best practices, location, values, policy management and security considerations for the security policy setting, Interactive logon Smart card removal behavior.
ms.assetid: 61487820-9d49-4979-b15d-c7e735999460
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Maximum tolerance for computer clock synchronization (Windows 10)
description: Describes the best practices, location, values, policy management, and security considerations for the Maximum tolerance for computer clock synchronization security policy setting.
description: Best practices, location, values, policy management, and security considerations for the policy setting, Maximum tolerance for computer clock synchronization.
ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Microsoft network server Server SPN target name validation level (Windows 10)
description: Describes the best practices, location, and values, policy management and security considerations for the Microsoft network server Server SPN target name validation level security policy setting.
description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Server SPN target name validation level.
ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Network access Remotely accessible registry paths (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Network access Remotely accessible registry paths security policy setting.
description: Best practices, location, values, policy management and security considerations for the policy setting, Network access Remotely accessible registry paths.
ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Network security Restrict NTLM Add server exceptions in this domain (Windows 10)
description: Describes the best practices, location, values, management aspects, and security considerations for the Network security Restrict NTLM Add server exceptions in this domain security policy setting.
description: Best practices, security considerations, and more for the security policy setting, Network security Restrict NTLM Add server exceptions in this domain.
ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Network security Restrict NTLM Audit NTLM authentication in this domain (Windows 10)
description: Describes the best practices, location, values, management aspects, and security considerations for the Network Security Restrict NTLM Audit NTLM authentication in this domain security policy setting.
description: Best practices, security considerations, and more for the security policy setting, Network Security Restrict NTLM Audit NTLM authentication in this domain.
ms.assetid: 33183ef9-53b5-4258-8605-73dc46335e6e
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Recovery console Allow automatic administrative logon (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the Recovery console Allow automatic administrative logon security policy setting.
description: Best practices, location, values, policy management and security considerations for the policy setting, Recovery console Allow automatic administrative logon.
ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: SMB v1 Microsoft network server Digitally sign communications (always) (Windows 10)
description: For SMB v1 only, describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (always) security policy setting.
description: Best practices, security considerations, and more for the security policy setting, Microsoft network server Digitally sign communications (always).
ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8
ms.reviewer:
ms.author: dansimp
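Review bot: The rewritten description drops the "For SMB v1 only" qualifier that the old description carried, while the title still begins with "SMB v1". Because the description is what search results and link previews show, readers can land on the SMB v1 setting thinking it governs SMB v2/v3 signing; keep the scope in the description, for example "For SMB v1 only: best practices, security considerations, and more for the security policy setting, ...".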

View File

@ -1,6 +1,6 @@
---
title: SMBv1 Microsoft network server Digitally sign communications (if client agrees) (Windows 10)
description: For SMBv1 only, describes the best practices, location, values, policy management and security considerations for the Microsoft network server Digitally sign communications (if client agrees) security policy setting.
description: Best practices, security considerations and more for the security policy setting, Microsoft network server Digitally sign communications (if client agrees).
ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1
ms.reviewer:
ms.author: dansimp
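Review bot: Same issue as the "(always)" variant: the new description removes the "For SMBv1 only" scoping even though the title keeps "SMBv1", so the summary no longer tells the reader which SMB version the setting applies to. Suggest restoring the qualifier at the start of the description.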

View File

@ -1,6 +1,6 @@
---
title: User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode security policy setting.
description: Best practices and more for the security policy setting, User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode.
ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: User Account Control Only elevate executables that are signed and validated (Windows 10)
description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Only elevate executables that are signed and validated security policy setting.
description: Best practices, security considerations, and more for the security policy setting, User Account Control Only elevate executables that are signed and validated.
ms.assetid: 64950a95-6985-4db6-9905-1db18557352d
ms.reviewer:
ms.author: dansimp

View File

@ -1,6 +1,6 @@
---
title: Determine your application control objectives (Windows 10)
description: This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
description: Determine which applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b
ms.reviewer:
ms.author: dansimp
@ -77,7 +77,7 @@ Use the following table to develop your own objectives and determine which appli
<td align="left"><p>SRP can control the following file types:</p>
<ul>
<li><p>Executables</p></li>
<li><p>Dlls</p></li>
<li><p>DLLs</p></li>
<li><p>Scripts</p></li>
<li><p>Windows Installers</p></li>
</ul>
@ -85,7 +85,7 @@ Use the following table to develop your own objectives and determine which appli
<td align="left"><p>AppLocker can control the following file types:</p>
<ul>
<li><p>Executables</p></li>
<li><p>Dlls</p></li>
<li><p>DLLs</p></li>
<li><p>Scripts</p></li>
<li><p>Windows Installers</p></li>
<li><p>Packaged apps and installers</p></li>
@ -98,7 +98,7 @@ Use the following table to develop your own objectives and determine which appli
<td align="left"><p>AppLocker does not support this. AppLocker currently supports the following file extensions:</p>
<ul>
<li><p>Executables (.exe, .com)</p></li>
<li><p>Dlls (.ocx, .dll)</p></li>
<li><p>DLLs (.ocx, .dll)</p></li>
<li><p>Scripts (.vbs, .js, .ps1, .cmd, .bat)</p></li>
<li><p>Windows Installers (.msi, .mst, .msp)</p></li>
<li><p>Packaged app installers (.appx)</p></li>
@ -123,7 +123,7 @@ Use the following table to develop your own objectives and determine which appli
<tr class="odd">
<td align="left"><p>Editing the hash value</p></td>
<td align="left"><p>SRP allows you to select a file to hash.</p></td>
<td align="left"><p>AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (Exe and Dll) and Windows Installers and a SHA2 flat file hash for the rest.</p></td>
<td align="left"><p>AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and a SHA2 flat file hash for the rest.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Support for different security levels</p></td>
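Review bot: The "Dlls" to "DLLs" change is consistent in the three list cells, but the hash cell ends up with mixed casing: "Portable Executables (exe and DLL)". Use either "EXE and DLL" or the file-extension form ".exe and .dll" in both positions; the extension form matches the "(.exe, .com)" and "(.ocx, .dll)" entries earlier in the same table. "SHA2" is also conventionally written "SHA-2" in both places in that cell.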

View File

@ -1,6 +1,6 @@
---
title: Planning and getting started on the Windows Defender Application Control deployment process (Windows 10)
description: Learn how to gather information, create a plan, and begin to create and test initial code integrity policies for your Windows Defender Application Control deployment.
description: Learn how to gather information, create a plan, and begin to test initial code integrity policies for a Windows Defender Application Control deployment.
keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
@ -46,7 +46,7 @@ This topic provides a roadmap for planning and getting started on the Windows De
Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your WDAC policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your WDAC policies. Other applications, where older versions of the application had vulnerabilities, also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Microsoft recommended block rules](microsoft-recommended-block-rules.md).

View File

@ -32,9 +32,9 @@ With Windows 10, you can create provisioning packages that let you quickly and e
## Security
### Applocker
### AppLocker
#### New Applocker features in Windows 10, version 1507
#### New AppLocker features in Windows 10, version 1507
- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**.
- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
@ -50,7 +50,9 @@ With Windows 10, you can create provisioning packages that let you quickly and e
It provides the following benefits:
- The algorithm is FIPS-compliant.
- Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
>**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
>[!NOTE]
>Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
#### New Bitlocker features in Windows 10, version 1507
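Review bot: The heading-casing fix stops short: the trailing context line "#### New Bitlocker features in Windows 10, version 1507" has the same kind of product-name casing error ("BitLocker") that this hunk corrects for "AppLocker". Two other defects remain in the visible context lines: "configuration service provider was add to allow you" should be "was added to allow you", and the note text carried over unchanged still says "older version of Windows" rather than "older versions of Windows".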
@ -225,7 +227,7 @@ Some things that you can check on the device are:
User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
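Review bot: "Univeral" to "Universal" is fixed, but the trailing context line keeps "how manage UAC", which should be "how to manage UAC". While here, the sentence describing ConsentPromptBehaviorAdmin = 0 could state its effect plainly ("which is equivalent to setting the UAC slider to Never Notify") so the "not recommended" warning that follows reads as a clear consequence rather than an afterthought.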
@ -280,8 +282,7 @@ Enterprises have the following identity and management choices.
| Grouping | Domain join; Workgroup; Azure AD join |
| Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
>[!NOTE]  
>With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512).
**Note:** With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512).
### Device lockdown
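Review bot: This hunk converts a `>[!NOTE]` alert into a plain "**Note:**" paragraph, while the earlier hunk in the same file (the XTS-AES note under "Security") converts a "**Note:**" blockquote into `>[!NOTE]`. The two changes pull the file in opposite directions; the `>[!NOTE]` alert syntax is what the docs build renders as a callout, so keep the alert here and only strip the stray non-breaking spaces that follow `>[!NOTE]` on the removed line.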