deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

fix merge conflict

Browse Source
This commit is contained in:
Liz Long 2022-06-13 13:47:17 -04:00
commit 1abe4fe1b2
1034 changed files with 8245 additions and 7495 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.openpublishing.redirection.json
View File

@ -2577,12 +2577,12 @@
},
{
"source_path": "windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection",
"redirect_url": "/microsoft-365/security/defender-endpoint/manage-indicators",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md",
"redirect_url": "/microsoft-365/security/defender-endpoint/use-custom-ti",
"redirect_url": "/microsoft-365/security/defender-endpoint/manage-indicators",
"redirect_document_id": false
},
{
@ -13342,7 +13342,7 @@
},
{
"source_path": "windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection",
"redirect_url": "/microsoft-365/security/defender-endpoint/manage-indicators",
"redirect_document_id": false
},
{
@ -19549,6 +19549,11 @@
"source_path": "windows/client-management/mdm/proxy-csp.md",
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/img-boot-sequence.md",
"redirect_url": "/windows/client-management/advanced-troubleshooting-boot-problems#boot-sequence",
"redirect_document_id": false
}
]
}

10
education/windows/change-to-pro-education.md
View File

@ -28,7 +28,7 @@ To take advantage of this offering, make sure you meet the [requirements for cha
## Requirements for changing
Before you change to Windows 10 Pro Education, make sure you meet these requirements:
- Devices must be running Windows 10 Pro, version 1607 or higher.
- Devices must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices).
- Devices must be Azure Active Directory-joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices).
If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses).
@ -47,7 +47,7 @@ For schools that want to standardize all their Windows 10 Pro devices to Windows
In this scenario:
- The IT admin of the tenant chooses to turn on the change for all Azure AD joined devices.
- The IT admin of the tenant chooses to turn on the change for all Azure AD-joined devices.
- Any device that joins the Azure AD will change automatically to Windows 10 Pro Education.
- The IT admin has the option to automatically roll back to Windows 10 Pro, if desired. See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro).
@ -92,7 +92,7 @@ You can use Windows Configuration Designer to create a provisioning package that
3. In the **Enter a product key** window, enter the MAK key for Windows 10 Pro Education and click **Next**.
## Education customers with Azure AD joined devices
## Education customers with Azure AD-joined devices
Academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education without using activation keys or reboots. When one of your users enters their Azure AD credentials associated with a Windows 10 Pro Education license, the operating system changes to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have an Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features.
@ -145,7 +145,7 @@ Enabling the automatic change also triggers an email message notifying all globa
So what will users experience? How will they change their devices?
### For existing Azure AD joined devices
### For existing Azure AD-joined devices
Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No other steps are needed.
### For new devices that are not Azure AD joined
@ -251,7 +251,7 @@ Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined
dsregcmd /status
```
2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory-joined.
**To determine the version of Windows 10**

2
education/windows/set-up-school-pcs-azure-ad-join.md
View File

@ -59,7 +59,7 @@ The following table describes each setting within **Device Settings**.
| Setting | Description |
|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Users may join devices to Azure AD | Choose the scope of people in your organization that are allowed to join devices to Azure AD. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Azure AD. |
| More local administrators on Azure AD joined devices | Only applicable to Azure AD Premium tenants. Grant extra local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. |
| More local administrators on Azure AD-joined devices | Only applicable to Azure AD Premium tenants. Grant extra local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. |
| Users may register their devices with Azure AD | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you're enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you. |
| Require Multi-Factor Authentication to join devices | Recommended when adding devices to Azure AD. When set to **Yes**, users that are setting up devices must enter a second method of authentication. |
| Maximum number of devices per user | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before more devices are added. |

4
education/windows/set-up-school-pcs-whats-new.md
View File

@ -34,7 +34,7 @@ You can now give devices running Windows 10, version 2004 and later a name that'
### Resumed support for Windows 10, version 1903 and later
The previously mentioned provisioning problem was resolved, so the Set up School PCs app once again supports Windows 10, version 1903 and later. The Windows 10 settings that were removed are now back in the app.
### Device rename made optional for Azure AD joined devices
### Device rename made optional for Azure AD-joined devices
When you set up your Azure AD join devices in the app, you no longer need to rename your devices. You can keep existing device names.
## Week of May 23, 2019
@ -42,7 +42,7 @@ When you set up your Azure AD join devices in the app, you no longer need to ren
### Suspended support for Windows 10, version 1903 and later
Due to a provisioning problem, Set up School PCs has temporarily stopped support for Windows 10, version 1903 and later. All settings in the app that were for Windows 10, version 1903 and later have been removed. When the problem is resolved, support will resume again.
### Mandatory device rename for Azure AD joined devices
### Mandatory device rename for Azure AD-joined devices
If you configure Azure AD Join, you're now required to rename your devices during setup. You can't keep existing device names.
## Week of April 15, 2019

2
education/windows/test-windows10s-for-edu.md
View File

@ -111,7 +111,7 @@ Back up all your data before installing Windows 10 in S mode. Only personal file
Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts:
- Local administrator
- Microsoft Account (MSA) administrator
- Microsoft account administrator
- Azure Active Directory administrator
> [!WARNING]

4
education/windows/windows-11-se-overview.md
View File

@ -74,7 +74,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
|NextUp Talker |1.0.49 |Win32 |NextUp Technologies|
|NonVisual Desktop Access |2021.3.1 |Win32 |NV Access|
|NWEA Secure Testing Browser |5.4.300.0 |Win32 |NWEA|
|Pearson TestNav |1.10.2.0 |Win32 |Pearson|
|Pearson TestNav |1.10.2.0 |Store |Pearson|
|Questar Secure Browser |4.8.3.376 |Win32 |Questar|
|ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.|
|Remote Help |3.8.0.12 |Win32 |Microsoft|
@ -82,7 +82,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
|Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser|
|Secure Browser |14.0.0 |Win32 |Cambium Development|
|Secure Browser |4.8.3.376 |Win32 |Questar, Inc|
|SensoCloud test |2021.11.15.0 |Win32|Senso.Cloud|
|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud|
|SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access|
|Zoom |5.9.1 (2581)|Win32 |Zoom|
|ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific|

3
smb/breadcrumb/toc.yml
View File

@ -1,10 +1,11 @@
items:
- name: Docs
tocHref: /
topicHref: /
items:
- name: Windows
tocHref: /windows
topicHref: https://docs.microsoft.com/windows/#pivot=it-pro
topicHref: /windows/resources/
items:
- name: SMB
tocHref: /windows/smb

7
store-for-business/manage-private-store-settings.md
View File

@ -50,10 +50,11 @@ You can create collections of apps within your private store. Collections allow
You can add a collection to your private store from the private store, or from the details page for an app.
**From private store**
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click your private store.</br>
![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png)
![Image showing private store name on Microsoft Store for Business store UI.](images/msfb-click-private-store.png)
3. Click **Add a Collection**.</br>
![Image showing Add a Collection.](images/msfb-add-collection.png)
@ -65,6 +66,7 @@ You can add a collection to your private store from the private store, or from t
> New collections require at least one app, or they will not be created.
**From app details page**
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Products & services**.
3. Under **Apps & software**, choose an app you want to include in a new collection.
@ -84,12 +86,13 @@ If you've already added a Collection to your private store, you can easily add a
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click your private store.</br>
![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png)
![Image showing private store name on Microsoft Store for Business store UI.](images/msfb-click-private-store.png)
3. Click the ellipses next to the collection name, and click **Edit collection**.
4. Add or remove products from the collection, and then click **Done**.
You can also add an app to a collection from the app details page.
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Products & services**.
3. Under **Apps & software**, choose an app you want to include in a new collection.

2
store-for-business/working-with-line-of-business-apps.md
View File

@ -45,7 +45,7 @@ You'll need to set up:
- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
The process and timing look like this:
![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer.](images/lob-workflow.png)
![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for Microsoft Store for Business admin, LOB publisher, and Developer.](images/lob-workflow.png)
## <a href="" id="add-lob-publisher"></a>Add an LOB publisher (Admin)
Admins need to invite developer or ISVs to become an LOB publisher.

2
windows/client-management/administrative-tools-in-windows-10.md
View File

@ -2,8 +2,6 @@
title: Windows Tools/Administrative Tools
description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: aczechowski
ms.author: aaroncz
manager: dougeby

3
windows/client-management/advanced-troubleshooting-802-authentication.md
View File

@ -2,10 +2,7 @@
title: Advanced Troubleshooting 802.1X Authentication
ms.reviewer:
description: Troubleshoot authentication flow by learning how 802.1X Authentication works for wired and wireless clients.
keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: aczechowski
ms.author: aaroncz
manager: dougeby

189
windows/client-management/advanced-troubleshooting-boot-problems.md
View File

@ -2,11 +2,11 @@
title: Advanced troubleshooting for Windows boot problems
description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals.
ms.prod: w10
ms.sitesec: library
author: aczechowski
ms.technology: windows
ms.localizationpriority: medium
ms.date: 06/02/2022
author: aczechowski
ms.author: aaroncz
ms.date: 11/16/2018
ms.reviewer:
manager: dougeby
ms.topic: troubleshooting
@ -15,16 +15,15 @@ ms.collection: highpri
# Advanced troubleshooting for Windows boot problems
<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=boot" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows boot issues</span>
<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=boot" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows boot issues.</span>
> [!NOTE]
> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415).
> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5).
## Summary
There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck:
| Phase | Boot Process | BIOS | UEFI |
|-----------|----------------------|------------------------------------|-----------------------------------|
| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware |
@ -32,31 +31,21 @@ There are several reasons why a Windows-based computer may have problems during
| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi |
| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | |
**1. PreBoot**
1. **PreBoot**: The PC's firmware initiates a power-on self test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
The PCs firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager.
2. **Windows Boot Manager**: Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
**2. Windows Boot Manager**
3. **Windows operating system loader**: Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition.
4. **Windows NT OS Kernel**: The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
**3. Windows operating system loader**
Essential drivers required to start the Windows kernel are loaded and the kernel starts to run.
**4. Windows NT OS Kernel**
The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START.
The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START.
Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)<br>
[Click to enlarge](img-boot-sequence.md)<br>
The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START.
<a name="boot-sequence"></a>
Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before you start troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. Select the thumbnail to view it larger.
:::image type="content" source="images/boot-sequence-thumb.png" alt-text="Diagram of the boot sequence flowchart." lightbox="images/boot-sequence.png":::
Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases.
@ -69,7 +58,6 @@ Each phase has a different approach to troubleshooting. This article provides tr
>
> `Bcdedit /set {default} bootmenupolicy legacy`
## BIOS phase
To determine whether the system has passed the BIOS phase, follow these steps:
@ -93,19 +81,18 @@ If the screen is black except for a blinking cursor, or if you receive one of th
- Bootmgr missing or corrupted
- Unable to boot due to system hive missing or corrupted
To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods.
To troubleshoot this problem, use Windows installation media to start the computer, press **Shift** + **F10** for a command prompt, and then use any of the following methods.
### Method 1: Startup Repair tool
The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically.
To do this task of invoking the Startup Repair tool, follow these steps.
To do this task of invoking the Startup Repair tool, follow these steps.
> [!NOTE]
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#entry-points-into-winre).
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088).
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d).
2. On the **Install Windows** screen, select **Next** > **Repair your computer**.
@ -117,28 +104,26 @@ To do this task of invoking the Startup Repair tool, follow these steps.
The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location:
**%windir%\System32\LogFiles\Srt\Srttrail.txt**
For more information, see [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s)
`%windir%\System32\LogFiles\Srt\Srttrail.txt`
For more information, see [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad).
### Method 2: Repair Boot Codes
To repair boot codes, run the following command:
```console
```command
BOOTREC /FIXMBR
```
To repair the boot sector, run the following command:
```console
```command
BOOTREC /FIXBOOT
```
> [!NOTE]
> Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem.
> Running `BOOTREC` together with `Fixmbr` overwrites only the master boot code. If the corruption in the MBR affects the partition table, running `Fixmbr` may not fix the problem.
### Method 3: Fix BCD errors
@ -146,7 +131,7 @@ If you receive BCD-related errors, follow these steps:
1. Scan for all the systems that are installed. To do this step, run the following command:
```console
```command
Bootrec /ScanOS
```
@ -154,7 +139,7 @@ If you receive BCD-related errors, follow these steps:
3. If the problem isn't fixed, run the following commands:
```console
```command
bcdedit /export c:\bcdbackup
attrib c:\boot\bcd -r -s -h
@ -172,38 +157,38 @@ If methods 1, 2 and 3 don't fix the problem, replace the Bootmgr file from drive
1. At a command prompt, change the directory to the System Reserved partition.
2. Run the **attrib** command to unhide the file:
2. Run the `attrib` command to unhide the file:
```console
```command
attrib -r -s -h
```
3. Navigate to the system drive and run the same command:
```console
```command
attrib -r -s -h
```
4. Rename the Bootmgr file as Bootmgr.old:
4. Rename the `bootmgr` file as `bootmgr.old`:
```console
```command
ren c:\bootmgr bootmgr.old
```
5. Navigate to the system drive.
6. Copy the Bootmgr file, and then paste it to the System Reserved partition.
6. Copy the `bootmgr` file, and then paste it to the System Reserved partition.
7. Restart the computer.
### Method 5: Restore System Hive
### Method 5: Restore system hive
If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step,, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config.
If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step, use the Windows Recovery Environment or use the Emergency Repair Disk (ERD) to copy the files from the `C:\Windows\System32\config\RegBack` directory to `C:\Windows\System32\config`.
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder)
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
## Kernel Phase
@ -211,9 +196,7 @@ If the system gets stuck during the kernel phase, you experience multiple sympto
- A Stop error appears after the splash screen (Windows Logo screen).
- Specific error code is displayed.
For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
- Specific error code is displayed. For example, `0x00000C2` , `0x0000007B` , or `inaccessible boot device`.
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
@ -223,53 +206,45 @@ If the system gets stuck during the kernel phase, you experience multiple sympto
To troubleshoot these problems, try the following recovery boot options one at a time.
**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration**
### Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration
On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps:
1. Use one of the following methods to open Event Viewer:
- Click **Start**, point to **Administrative Tools**, and then click
**Event Viewer**.
- Go to the **Start** menu, select **Administrative Tools**, and then select **Event Viewer**.
- Start the Event Viewer snap-in in Microsoft Management Console (MMC).
2. In the console tree, expand Event Viewer, and then click the log that you
want to view. For example, click **System log** or **Application log**.
2. In the console tree, expand Event Viewer, and then select the log that you want to view. For example, choose **System log** or **Application log**.
3. In the details pane, double-click the event that you want to view.
3. In the details pane, open the event that you want to view.
4. On the **Edit** menu, click **Copy**, open a new document in the program in
which you want to paste the event (for example, Microsoft Word), and then
click **Paste**.
5. Use the Up Arrow or Down Arrow key to view the description of the previous
or next event.
4. On the **Edit** menu, select **Copy**. Open a new document in the program in which you want to paste the event. For example, Microsoft Word. Then select **Paste**.
5. Use the up arrow or down arrow key to view the description of the previous or next event.
### Clean boot
To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig).
To troubleshoot problems that affect services, do a clean boot by using System Configuration (`msconfig`).
Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you can't find the cause, try including system services. However, in most cases, the problematic service is third-party.
Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**.
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows).
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd).
If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
> [!NOTE]
> If the computer is a domain controller, try Directory Services Restore mode (DSRM).
>
> This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2"
**Examples**
#### Examples
> [!WARNING]
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these
problems can be solved. Modify the registry at your own risk.
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft can't guarantee that these problems can be solved. Modify the registry at your own risk.
*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)*
@ -279,21 +254,19 @@ To troubleshoot this Stop error, follow these steps to filter the drivers:
2. Open the registry.
3. Load the system hive, and name it as "test."
3. Load the system hive, and name it **test**.
4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers:
4. Under the following registry subkey, check for lower filter and upper filter items for non-Microsoft drivers:
**HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class**
`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class`
5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data.
5. For each third-party driver that you locate, select the upper or lower filter, and then delete the value data.
6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive.
6. Search through the whole registry for similar items. Process as appropriate, and then unload the registry hive.
7. Restart the server in Normal mode.
For more troubleshooting steps, see the following articles:
- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
For more troubleshooting steps, see [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md).
To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
@ -301,16 +274,15 @@ To fix problems that occur after you install Windows updates, check for pending
2. Run the command:
```console
```command
DISM /image:C:\ /get-packages
```
3. If there are any pending updates, uninstall them by running the following commands:
```console
```command
DISM /image:C:\ /remove-package /packagename: name of the package
```
```console
DISM /Image:C:\ /Cleanup-Image /RevertPendingActions
```
@ -318,72 +290,67 @@ To fix problems that occur after you install Windows updates, check for pending
If the computer doesn't start, follow these steps:
1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad.
1. Open a command prompt window in WinRE, and start a text editor, such as Notepad.
2. Navigate to the system drive, and search for windows\winsxs\pending.xml.
2. Navigate to the system drive, and search for `windows\winsxs\pending.xml`.
3. If the Pending.xml file is found, rename the file as Pending.xml.old.
3. If the pending.xml file is found, rename the file as `pending.xml.old`.
4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test.
4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as test.
5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value.
5. Highlight the loaded test hive, and then search for the `pendingxmlidentifier` value.
6. If the **pendingxmlidentifier** value exists, delete the value.
6. If the `pendingxmlidentifier` value exists, delete it.
7. Unload the test hive.
8. Load the system hive, name it as "test".
8. Load the system hive, name it **test**.
9. Navigate to the following subkey:
**HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller**
`HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrustedInstaller`
10. Change the **Start** value from **1** to **4**
10. Change the **Start** value from `1` to `4`.
11. Unload the hive.
12. Try to start the computer.
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following articles:
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For more information, see [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md).
- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md)
For more information about page file problems in Windows 10 or Windows Server 2016, see [Introduction to page files](./introduction-page-file.md).
For more information about page file problems in Windows 10 or Windows Server 2016, see the following article:
- [Introduction to page files](./introduction-page-file.md)
For more information about Stop errors, see [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md).
For more information about Stop errors, see the following Knowledge Base article:
- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md)
Sometimes the dump file shows an error that's related to a driver. For example, `windows\system32\drivers\stcvsm.sys` is missing or corrupted. In this instance, follow these guidelines:
If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
- Check the functionality that's provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does.
- If the driver isn't important and has no dependencies, load the system hive, and then disable the driver.
- If the stop error indicates system file corruption, run the system file checker in offline mode.
- To do this, open WinRE, open a command prompt, and then run the following command:
- To do this action, open WinRE, open a command prompt, and then run the following command:
```console
```command
SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
```
For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
For more information, see [Using system file checker (SFC) to fix issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues).
- If there's disk corruption, run the check disk command:
```console
```command
chkdsk /f /r
```
- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps:
1. Start WinRE, and open a Command Prompt window.
1. Start WinRE, and open a command prompt window.
2. Start a text editor, such as Notepad.
3. Navigate to C:\Windows\System32\Config\.
4. Rename the all five hives by appending ".old" to the name.
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
3. Navigate to `C:\Windows\System32\Config\`.
4. Rename the all five hives by appending `.old` to the name.
5. Copy all the hives from the `Regback` folder, paste them in the `Config` folder, and then try to start the computer in Normal mode.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).

3
windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
View File

@ -3,10 +3,7 @@ title: Advanced Troubleshooting Wireless Network Connectivity
ms.reviewer:
manager: dougeby
description: Learn how to troubleshoot Wi-Fi connections. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine.
keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz

6
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -1,11 +1,7 @@
---
title: Connect to remote Azure Active Directory-joined PC (Windows)
description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC.
keywords: ["MDM", "device management", "RDP", "AADJ"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp
@ -66,7 +62,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
- Adding users using policy
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
> [!TIP]
> When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.

3
windows/client-management/data-collection-for-802-authentication.md
View File

@ -3,10 +3,7 @@ title: Data collection for troubleshooting 802.1X authentication
ms.reviewer:
manager: dansimp
description: Use the steps in this article to collect data that can be used to troubleshoot 802.1X authentication issues.
keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.author: dansimp

1
windows/client-management/determine-appropriate-page-file-size.md
View File

@ -2,7 +2,6 @@
title: How to determine the appropriate page file size for 64-bit versions of Windows
description: Learn how to determine the appropriate page file size for 64-bit versions of Windows.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium

1
windows/client-management/generate-kernel-or-complete-crash-dump.md
View File

@ -2,7 +2,6 @@
title: Generate a kernel or complete crash dump
description: Learn how to generate a kernel or complete crash dump, and then use the output to troubleshoot several issues.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium

2
windows/client-management/group-policies-for-enterprise-and-education-editions.md
View File

@ -2,8 +2,6 @@
title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10)
description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.date: 09/14/2021

17
windows/client-management/img-boot-sequence.md
View File

@ -1,17 +0,0 @@
---
title: Boot sequence flowchart
description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article.
ms.date: 11/16/2018
ms.reviewer:
manager: dansimp
ms.author: dansimp
author: dansimp
ms.topic: article
ms.prod: w10
---
# Boot sequence flowchart
Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)<br>
![Full-sized boot sequence flowchart.](images/boot-sequence.png)

1
windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-adobe-flash-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-cortana-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-developer-tools-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

2
windows/client-management/includes/allow-extensions-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

1
windows/client-management/includes/allow-fullscreen-mode-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

2
windows/client-management/includes/allow-inprivate-browsing-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/allow-prelaunch-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/allow-printing-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

1
windows/client-management/includes/allow-saving-history-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-search-engine-customization-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

4
windows/client-management/includes/allow-tab-preloading-shortdesc.md
View File

@ -3,9 +3,9 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.
Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign-in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.

2
windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 11/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/always-show-books-library-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

1
windows/client-management/includes/configure-additional-search-engines-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

2
windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/configure-autofill-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

1
windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

2
windows/client-management/includes/configure-cookies-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

1
windows/client-management/includes/configure-do-not-track-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

2
windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/configure-favorites-bar-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/configure-favorites-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/configure-home-button-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

1
windows/client-management/includes/configure-kiosk-mode-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

2
windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

1
windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

2
windows/client-management/includes/configure-password-manager-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/configure-pop-up-blocker-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

1
windows/client-management/includes/configure-start-pages-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

2
windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/do-not-sync-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

1
windows/client-management/includes/microsoft-browser-extension-policy-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 04/23/2020
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

2
windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

1
windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

2
windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

1
windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

1
windows/client-management/includes/provision-favorites-shortdesc.md
View File

@ -3,7 +3,6 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro
manager: dansimp
ms.prod: edge
ms.topic: include

2
windows/client-management/includes/search-provider-discovery-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/set-default-search-engine-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/set-home-button-url-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

2
windows/client-management/includes/set-new-tab-url-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

3
windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md
View File

@ -3,8 +3,9 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---
Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.

2
windows/client-management/includes/unlock-home-button-shortdesc.md
View File

@ -3,7 +3,7 @@ author: dansimp
ms.author: dansimp
ms.date: 10/02/2018
ms.reviewer:
audience: itpro manager: dansimp
manager: dansimp
ms.prod: edge
ms.topic: include
---

1
windows/client-management/introduction-page-file.md
View File

@ -2,7 +2,6 @@
title: Introduction to the page file
description: Learn about the page files in Windows. A page file is an optional, hidden system file on a hard disk.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting
author: Deland-Han
ms.localizationpriority: medium

4
windows/client-management/manage-corporate-devices.md
View File

@ -1,15 +1,11 @@
---
title: Manage corporate devices
description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones.
ms.assetid: 62D6710C-E59C-4077-9C7E-CE0A92DFC05D
ms.reviewer:
manager: dansimp
ms.author: dansimp
keywords: ["MDM", "device management"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: dansimp
ms.localizationpriority: medium
ms.date: 09/14/2021

2
windows/client-management/manage-device-installation-with-group-policy.md
View File

@ -2,8 +2,6 @@
title: Manage Device Installation with Group Policy (Windows 10 and Windows 11)
description: Find out how to manage Device Installation Restrictions with Group Policy.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: aczechowski
ms.date: 09/14/2021
ms.reviewer:

2
windows/client-management/manage-settings-app-with-group-policy.md
View File

@ -2,8 +2,6 @@
title: Manage the Settings app with Group Policy (Windows 10 and Windows 11)
description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
ms.date: 09/14/2021
ms.reviewer:

98
windows/client-management/manage-windows-10-in-your-organization-modern-management.md
View File

@ -1,36 +1,32 @@
---
title: Manage Windows 10 in your organization - transitioning to modern management
description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
keywords: ["MDM", "device management", "group policy", "Azure Active Directory"]
description: This article offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: devices
author: dansimp
ms.localizationpriority: medium
ms.date: 04/26/2018
ms.date: 06/03/2022
author: aczechowski
ms.author: aaroncz
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
manager: dougeby
ms.topic: overview
---
# Manage Windows 10 in your organization - transitioning to modern management
Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, its easy for versions to coexist.
Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist.
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA]
>[!NOTE]
>The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
> [!NOTE]
> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
- [Deployment and Provisioning](#deployment-and-provisioning)
@ -44,41 +40,43 @@ This topic offers guidance on strategies for deploying and managing Windows 10,
Windows 10 offers a range of management options, as shown in the following diagram:
<img src="images/windows-10-management-range-of-options.png" alt="The path to modern IT" width="766" height="654" />
:::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png":::
As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and Microsoft Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
## Deployment and Provisioning
## Deployment and provisioning
With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully configured, fully managed devices, you can:
With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." To transform new devices into fully configured, fully managed devices, you can:
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/).
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/).
- Create self-contained provisioning packages built with the Windows Configuration Designer. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages).
- Create self-contained provisioning packages built with the [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-packages).
- Use traditional imaging techniques such as deploying custom images using [Configuration Manager](/mem/configmgr/core/understand/introduction).
- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction).
You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today.
You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
## Identity and authentication
## Identity and Authentication
You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
You can envision user and device management as falling into these two categories:
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
- For corporate devices, they can set up corporate access with [Azure AD Join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.<br>Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
- For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain thats [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
- Single sign-on to cloud and on-premises resources from everywhere
- [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-overview)
- [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable)
- [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
@ -86,55 +84,53 @@ You can envision user and device management as falling into these two categories
- Windows Hello
Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/configmgr/core/understand/introduction) client or Group Policy.
Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy.
For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview).
As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
![Decision tree for device authentication options.](images/windows-10-management-cyod-byod-flow.png)
:::image type="content" source="images/windows-10-management-cyod-byod-flow.png" alt-text="Diagram of decision tree for device authentication options." lightbox="images/windows-10-management-cyod-byod-flow.png":::
## Settings and Configuration
## Settings and configuration
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. 
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
**Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorers 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices:
**Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer's 1,500 configurable group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices:
- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
- Group policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows.
- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
## Updating and servicing
## Updating and Servicing
With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple often automatic patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
## Next steps
There are various steps you can take to begin the process of modernizing device management in your organization:
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies.
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Endpoint Manager](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune.
**Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
**Take incremental steps.** Moving towards modern device management doesnt have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here's the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md)
**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md).
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles:
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Configuration Manager 1710 onward, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details:
- [Co-management for Windows devices](/mem/configmgr/comanage/overview)
- [Prepare Windows devices for co-management](/mem/configmgr/comanage/how-to-prepare-Win10)
- [Switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads)
- [Co-management dashboard in Configuration Manager](/mem/configmgr/comanage/how-to-monitor)
- [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview)
- [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare)
- [Switch Configuration Manager workloads to Intune](/configmgr/core/clients/manage/co-management-switch-workloads)
- [Co-management dashboard in Configuration Manager](/configmgr/core/clients/manage/co-management-dashboard)
## Related topics
## Related articles
- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
- [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md)
- [Windows 10 Configuration service Providers](./mdm/configuration-service-provider-reference.md)
- [Windows 10 policy CSP](./mdm/policy-configuration-service-provider.md)
- [Windows 10 configuration service providers](./mdm/configuration-service-provider-reference.md)

3
windows/client-management/mandatory-user-profile.md
View File

@ -1,10 +1,7 @@
---
title: Create mandatory user profiles (Windows 10 and Windows 11)
description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
keywords: [".man","ntuser"]
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
ms.author: dansimp
ms.date: 09/14/2021

1
windows/client-management/mdm/activesync-csp.md
View File

@ -1,7 +1,6 @@
---
title: ActiveSync CSP
description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync.
ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188
ms.reviewer:
manager: dansimp
ms.author: dansimp

1
windows/client-management/mdm/activesync-ddf-file.md
View File

@ -1,7 +1,6 @@
---
title: ActiveSync DDF file
description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider.
ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
ms.reviewer:
manager: dansimp
ms.author: dansimp

1
windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
View File

@ -1,7 +1,6 @@
---
title: Add an Azure AD tenant and Azure AD subscription
description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
ms.assetid: 36D94BEC-A6D8-47D2-A547-EBD7B7D163FA
ms.reviewer:
manager: dansimp
ms.author: dansimp

1
windows/client-management/mdm/alljoynmanagement-csp.md
View File

@ -1,7 +1,6 @@
---
title: AllJoynManagement CSP
description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus.
ms.assetid: 468E0EE5-EED3-48FF-91C0-89F9D159AA8C
ms.reviewer:
manager: dansimp
ms.author: dansimp

1
windows/client-management/mdm/alljoynmanagement-ddf.md
View File

@ -1,7 +1,6 @@
---
title: AllJoynManagement DDF
description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider.
ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4
ms.reviewer:
manager: dansimp
ms.author: dansimp

1
windows/client-management/mdm/application-csp.md
View File

@ -1,7 +1,6 @@
---
title: APPLICATION CSP
description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099
ms.reviewer:
manager: dansimp
ms.author: dansimp

3
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -1,7 +1,6 @@
---
title: ApplicationControl CSP
description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server.
keywords: security, malware
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -26,7 +25,7 @@ The table below shows the applicability of Windows:
Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although, WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
The following example shows the ApplicationControl CSP in tree format.

1
windows/client-management/mdm/applocker-csp.md
View File

@ -1,7 +1,6 @@
---
title: AppLocker CSP
description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed.
ms.assetid: 32FEA2C9-3CAD-40C9-8E4F-E3C69637580F
ms.reviewer:
manager: dansimp
ms.author: dansimp

1
windows/client-management/mdm/applocker-ddf-file.md
View File

@ -1,7 +1,6 @@
---
title: AppLocker DDF file
description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496
ms.reviewer:
manager: dansimp
ms.author: dansimp

2
windows/client-management/mdm/applocker-xsd.md
View File

@ -1,7 +1,6 @@
---
title: AppLocker XSD
description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized.
ms.assetid: 70CF48DD-AD7D-4BCF-854F-A41BFD95F876
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -14,7 +13,6 @@ ms.date: 06/26/2017
# AppLocker XSD
Here's the XSD for the AppLocker CSP.
```xml

1
windows/client-management/mdm/assign-seats.md
View File

@ -1,7 +1,6 @@
---
title: Assign seat
description: The Assign seat operation assigns seat for a specified user in the Microsoft Store for Business.
ms.assetid: B42BF490-35C9-405C-B5D6-0D9F0E377552
ms.reviewer:
manager: dansimp
ms.author: dansimp

3
windows/client-management/mdm/assignedaccess-ddf.md
View File

@ -1,7 +1,6 @@
---
title: AssignedAccess DDF
description: Learn about the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306
description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
ms.reviewer:
manager: dansimp
ms.author: dansimp

3
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -1,7 +1,6 @@
---
title: Azure Active Directory integration with MDM
description: Azure Active Directory is the world largest enterprise cloud identity management service.
ms.assetid: D03B0765-5B5F-4C7B-9E2B-18E747D504EE
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -359,7 +358,7 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
<a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD joined devices**
<a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD-joined devices**
In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
<a href="" id="adding-a-work-account-and-mdm-enrollment-to-a-device"></a>**Adding a work account and MDM enrollment to a device**

Some files were not shown because too many files have changed in this diff Show More