mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
Merge branch 'main' into patch-10
This commit is contained in:
commit
1fa1fc6d03
@ -2,40 +2,32 @@
|
||||
:allowed-branchname-matches ["main" "release-.*"]
|
||||
:allowed-filename-matches ["windows/"]
|
||||
|
||||
:targets
|
||||
:use-gh-statuses true
|
||||
|
||||
:targets
|
||||
{
|
||||
:counts {
|
||||
;;:correctness 13
|
||||
;;:total 15 ;; absolute flag count but i don't know the difference between this and issues
|
||||
;;:issues 15 ;; coming from the platform, will need to be tested.
|
||||
;;:total 15 ;;
|
||||
;;:issues 15 ;;
|
||||
;;:correctness 13 ;;
|
||||
}
|
||||
:scores {
|
||||
;;:terminology 100
|
||||
:qualityscore 80 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place
|
||||
:qualityscore 80 ;;
|
||||
;;:correctness 40
|
||||
}
|
||||
}
|
||||
|
||||
:guidance-profile "d2b6c2c8-00ee-47f1-8d10-b280cc3434c1" ;; Profile ID for "M365-specific"
|
||||
|
||||
:acrolinx-check-settings
|
||||
{
|
||||
"languageId" "en"
|
||||
"ruleSetName" "Standard"
|
||||
"requestedFlagTypes" ["CORRECTNESS" "SPELLING" "GRAMMAR" "STYLE"
|
||||
"TERMINOLOGY_DEPRECATED"
|
||||
"TERMINOLOGY_VALID"
|
||||
"VOICE_GUIDANCE"
|
||||
]
|
||||
"termSetNames" ["M365" "Products" "Microsoft"]
|
||||
}
|
||||
|
||||
:template-header
|
||||
|
||||
"
|
||||
|
||||
## Acrolinx Scorecards
|
||||
|
||||
**The minimum Acrolinx topic score of 80 is required for all MAGIC content merged to the default branch.**
|
||||
**The minimum Acrolinx topic score of 80 is required for all Magic content merged to the default branch.**
|
||||
|
||||
If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions:
|
||||
|
||||
@ -43,22 +35,26 @@ If you need a scoring exception for content in this PR, add the *Sign off* and t
|
||||
- Escalate the exception request to the Acrolinx Review Team for review.
|
||||
- Approve the exception and work with the GitHub Admin Team to merge the PR to the default branch.
|
||||
|
||||
For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=master).
|
||||
For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=main).
|
||||
|
||||
Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology:
|
||||
Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality.
|
||||
|
||||
| Article | Score | Issues | Correctness<br>score | Scorecard | Processed |
|
||||
| ------- | ----- | ------ | ------ | --------- | --------- |
|
||||
| Article | Total score<br>(Required: 80) | Words + phrases<br>(Brand, terms) | Correctness<br>(Spelling, grammar) | Clarity<br>(Readability) |
|
||||
|---------|:--------------:|:--------------------:|:------:|:---------:|
|
||||
"
|
||||
|
||||
:template-change
|
||||
"| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/scores/correctness} | [link](${acrolinx/scorecard}) | ${s/status} |
|
||||
"| ${s/status} ${s/file} | [${acrolinx/qualityscore}](${acrolinx/scorecard}) | ${acrolinx/scores/words_and_phrases} | ${acrolinx/scores/correctness} | ${acrolinx/scores/clarity} |
|
||||
"
|
||||
|
||||
:template-footer
|
||||
"
|
||||
**More info about Acrolinx**
|
||||
**More information about Acrolinx**
|
||||
|
||||
- [Install Acrolinx locally for VSCode for Magic](https://review.docs.microsoft.com/office-authoring-guide/acrolinx-vscode?branch=main)
|
||||
- [False positives or issues](https://aka.ms/acrolinxbug)
|
||||
- [Request a new Acrolinx term](https://microsoft.sharepoint.com/teams/M365Dev2/SitePages/M365-terminology.aspx)
|
||||
- [Troubleshooting issues with Acrolinx](https://review.docs.microsoft.com/help/contribute/acrolinx-error-messages)
|
||||
|
||||
Use the Acrolinx extension, or sidebar, in Visual Studio Code to check spelling, grammar, style, tone, clarity, and key terminology when you're creating or updating content. For more information, see [Use the Visual Studio Code extension to run Acrolinx locally](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-vscode?branch=master).
|
||||
"
|
||||
}
|
||||
|
@ -1129,6 +1129,16 @@
|
||||
"source_path": "windows/deployment/windows-10-missing-fonts.md",
|
||||
"redirect_url": "/windows/deployment/windows-missing-fonts",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/deployment/volume-activation/volume-activation-windows-10.md",
|
||||
"redirect_url": "/windows/deployment/volume-activation/volume-activation-windows",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/deployment/volume-activation/activate-windows-10-clients-vamt.md",
|
||||
"redirect_url": "/windows/deployment/volume-activation/activate-windows-clients-vamt",
|
||||
"redirect_document_id": false
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -4,7 +4,7 @@ description: Learn how to add or remove Windows optional features using the Opti
|
||||
author: aczechowski
|
||||
ms.author: aaroncz
|
||||
manager: aaroncz
|
||||
ms.date: 03/13/2024
|
||||
ms.date: 03/28/2024
|
||||
ms.topic: how-to
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-apps
|
||||
@ -85,7 +85,7 @@ Once the **System > Optional features** pane is open, add a feature with the fol
|
||||
|
||||
1. Once all of the desired features are selected, select the **Next** button.
|
||||
|
||||
1. Review the selected list of features and then select the **Install** button to add the selected features.
|
||||
1. Review the selected list of features and then select the **Add** button to add the selected features.
|
||||
|
||||
::: zone-end
|
||||
|
||||
@ -99,7 +99,7 @@ Once the **Optional features** pane is open, add a feature with the following st
|
||||
|
||||
1. Find the desired feature to add and then select the box next to the feature to add it. Multiple features can be selected.
|
||||
|
||||
1. Once all of the desired features are selected, select the **Install** button.
|
||||
1. Once all of the desired features are selected, select the **Add** button.
|
||||
|
||||
::: zone-end
|
||||
|
||||
@ -115,7 +115,7 @@ Once the **System > Optional features** pane is open, remove a feature with the
|
||||
|
||||
1. Under **Installed features**, search for the feature that needs to be removed in the **Search installed features** search box, or scroll through the list of added features until the feature that needs to be removed is found.
|
||||
|
||||
1. Once the feature that needs to be removed is found, select the feature to expand it, and then select the **Uninstall** button.
|
||||
1. Once the feature that needs to be removed is found, select the feature to expand it, and then select the **Remove** button.
|
||||
|
||||
::: zone-end
|
||||
|
||||
@ -125,7 +125,7 @@ Once the **Optional features** pane is open, remove a feature with the following
|
||||
|
||||
1. Under **Installed features**, search for the feature that needs to be removed in the **Find an installed optional feature** search box, or scroll through the list of added features until the feature that needs to be removed is found.
|
||||
|
||||
1. Once the feature that needs to be removed is found, select the feature to expand it, and then select the **Uninstall** button.
|
||||
1. Once the feature that needs to be removed is found, select the feature to expand it, and then select the **Remove** button.
|
||||
|
||||
::: zone-end
|
||||
|
||||
|
@ -3,7 +3,7 @@ title: Manage Copilot in Windows
|
||||
description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows.
|
||||
ms.topic: conceptual
|
||||
ms.subservice: windows-copilot
|
||||
ms.date: 02/09/2024
|
||||
ms.date: 03/21/2024
|
||||
ms.author: mstewart
|
||||
author: mestew
|
||||
appliesto:
|
||||
@ -109,10 +109,12 @@ To verify that Copilot with commercial data protection is enabled for the user a
|
||||
1. To verify that commercial data protection is enabled for the user, select the user's **Display name** to open the flyout menu.
|
||||
1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list.
|
||||
1. Verify that **Copilot** is enabled for the user.
|
||||
1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you'll find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes **Copilot**, and verify that it's listed as **On**.
|
||||
|
||||
> [!Note]
|
||||
> If you previously disabled Copilot with commercial data protection (formerly Bing Chat Enterprise) using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Copilot](/copilot/manage) for verifying that commercial data protection is enabled for your users.
|
||||
1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you'll find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes **Copilot**, and verify that it's listed as **On**. If you previously disabled Copilot with commercial data protection (formerly Bing Chat Enterprise), see [Manage Copilot](/copilot/manage) for verifying that commercial data protection is enabled for your users.
|
||||
1. Copilot with commercial data protection is used as the chat provider platform for users when the following conditions are met:
|
||||
- Users have an eligible license, commercial data protection in Copilot is enabled, and the [Copilot in Windows user experience is enabled](#enable-the-copilot-in-windows-user-experience-for-windows-11-version-22h2-clients).
|
||||
- Users are signed in with their Microsoft Entra ID (work accounts)
|
||||
- Users can sign into Windows with their Microsoft Entra ID
|
||||
- For Active Directory users on Windows 11, a Microsoft Entra ID in the Web Account Manager (WAM) authentication broker can be used. Entra IDs in Microsoft Edge profiles and Microsoft 365 Apps would both be in WAM. <!--8470699-->
|
||||
|
||||
The following sample PowerShell script connects to Microsoft Graph and lists which users that have Copilot with commercial data protection enabled and disabled:
|
||||
|
||||
|
@ -39,6 +39,10 @@ ms.date: 02/03/2023
|
||||
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitforegrounddownloadbandwidth) <sup>10</sup>
|
||||
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth) <sup>10</sup>
|
||||
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth) <sup>10</sup>
|
||||
- [Device/{TenantId}/Policies/EnableWindowsHelloProvisioningForSecurityKeys](passportforwork-csp.md#devicetenantidpoliciesenablewindowshelloprovisioningforsecuritykeys) <sup>12</sup>
|
||||
- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md#allowinstallationofmatchingdeviceids) <sup>12</sup>
|
||||
- [DeviceInstallation/DeviceInstall_Removable_Deny](policy-csp-admx-deviceinstallation.md#deviceinstall_removable_deny) <sup>12</sup>
|
||||
- [DeviceInstallation/EnableInstallationPolicyLayering](policy-csp-deviceinstallation.md#enableinstallationpolicylayering) <sup>12</sup>
|
||||
- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword)
|
||||
- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword)
|
||||
- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired)
|
||||
@ -59,12 +63,18 @@ ms.date: 02/03/2023
|
||||
- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#configuremovingplatform) <sup>*[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)</sup>
|
||||
- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#configurentpclient) <sup>12</sup>
|
||||
- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#disallownetworkconnectivitypassivepolling) <sup>12</sup>
|
||||
- [MixedReality/EnableStartMenuWristTap](./policy-csp-mixedreality.md#enablestartmenuwristtap)<sup>12</sup>
|
||||
- [MixedReality/EnableStartMenuSingleHandGesture](./policy-csp-mixedreality.md#enablestartmenusinglehandgesture) <sup>12</sup>
|
||||
- [MixedReality/EnableStartMenuVoiceCommand](./policy-csp-mixedreality.md#enablestartmenuvoicecommand) <sup>12</sup>
|
||||
- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#fallbackdiagnostics) <sup>9</sup>
|
||||
- [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#manualdowndirectiondisabled) <sup>*[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)</sup>
|
||||
- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#microphonedisabled) <sup>9</sup>
|
||||
- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#ntpclientenabled) <sup>12</sup>
|
||||
- [MixedReality/PreferLogonAsOtherUser](./policy-csp-mixedreality.md#preferlogonasotheruser) <sup>12</sup>
|
||||
- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#skipcalibrationduringsetup) <sup>12</sup>
|
||||
- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#skiptrainingduringsetup) <sup>12</sup>
|
||||
- [MixedReality/RequireStartIconHold](./policy-csp-mixedreality.md#requirestarticonhold) <sup>12</sup>
|
||||
- [MixedReality/RequireStartIconVisible](./policy-csp-mixedreality.md#requirestarticonvisible) <sup>12</sup>
|
||||
- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#visitorautologon) <sup>10</sup>
|
||||
- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#volumebuttondisabled) <sup>9</sup>
|
||||
- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) <sup>9, 14</sup>
|
||||
@ -91,9 +101,9 @@ ms.date: 02/03/2023
|
||||
- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forcedenytheseapps) <sup>8</sup>
|
||||
- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_userincontroloftheseapps) <sup>8</sup>
|
||||
- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation)
|
||||
- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](/windows/client-management/mdm/policy-csp-privacy) <sup>12</sup>
|
||||
- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy) <sup>12</sup>
|
||||
- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](/windows/client-management/mdm/policy-csp-privacy) <sup>12</sup>
|
||||
- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesslocation_forceallowtheseapps) <sup>12</sup>
|
||||
- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesslocation_forcedenytheseapps) <sup>12</sup>
|
||||
- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesslocation_userincontroloftheseapps) <sup>12</sup>
|
||||
- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone)
|
||||
- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps) <sup>8</sup>
|
||||
- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps) <sup>8</sup>
|
||||
@ -113,8 +123,8 @@ ms.date: 02/03/2023
|
||||
- [System/AllowLocation](policy-csp-system.md#allowlocation)
|
||||
- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
|
||||
- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
|
||||
- [System/ConfigureTelemetryOptInSettingsUx](/windows/client-management/mdm/policy-csp-system) <sup>12</sup>
|
||||
- [System/DisableDeviceDelete](/windows/client-management/mdm/policy-csp-system) <sup>12</sup>
|
||||
- [System/ConfigureTelemetryOptInSettingsUx](policy-csp-system.md#configuretelemetryoptinsettingsux) <sup>12</sup>
|
||||
- [System/DisableDeviceDelete](policy-csp-system.md#disabledevicedelete) <sup>12</sup>
|
||||
- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#configuretimezone) <sup>9</sup>
|
||||
- [Update/ActiveHoursEnd](./policy-csp-update.md#activehoursend) <sup>9</sup>
|
||||
- [Update/ActiveHoursMaxRange](./policy-csp-update.md#activehoursmaxrange) <sup>9</sup>
|
||||
@ -165,6 +175,3 @@ Footnotes:
|
||||
[Policy CSP](policy-configuration-service-provider.md)
|
||||
|
||||
[Full HoloLens CSP Details](/windows/client-management/mdm/configuration-service-provider-support)
|
||||
|
||||
|
||||
|
||||
|
@ -389,6 +389,13 @@ This policy controls the configuration under which winlogon sends MPR notificati
|
||||
|
||||
<!-- EnableMPRNotifications-Editable-Begin -->
|
||||
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
|
||||
> [!NOTE]
|
||||
> Starting in Windows Insiders build 25216, the behavior of EnableMPRNotifications policy was changed, and the Group Policy was updated with the following text:
|
||||
>
|
||||
> - **Friendly name**: Configure the transmission of the user's password in the content of MPR notifications sent by winlogon
|
||||
> - **Description**: This policy controls whether the user's password is included in the content of MPR notifications sent by winlogon in the system.
|
||||
> - If you disable this setting or do not configure it, winlogon sends MPR notifications with empty password fields of the user's authentication info.
|
||||
> - If you enable this setting, winlogon sends MPR notifications containing the user's password in the authentication info.
|
||||
<!-- EnableMPRNotifications-Editable-End -->
|
||||
|
||||
<!-- EnableMPRNotifications-DFProperties-Begin -->
|
||||
|
@ -19,7 +19,7 @@ The table below shows the applicability of Windows:
|
||||
|
||||
The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type.
|
||||
|
||||
> **Note** The UnifiedWriteFilter CSP is only supported in Windows 10 Enterprise and Windows 10 Education.
|
||||
> **Note** The UnifiedWriteFilter CSP is only supported in Windows 10/11 Enterprise and Windows 10/11 Education.
|
||||
|
||||
The following example shows the UWF configuration service provider in tree format.
|
||||
```
|
||||
|
@ -17,14 +17,10 @@
|
||||
href: update/waas-servicing-strategy-windows-10-updates.md
|
||||
- name: Deployment proof of concept
|
||||
items:
|
||||
- name: Deploy Windows 10 with MDT and Configuration Manager
|
||||
items:
|
||||
- name: 'Step by step guide: Configure a test lab to deploy Windows 10'
|
||||
href: windows-10-poc.md
|
||||
- name: Deploy Windows 10 in a test lab using MDT
|
||||
href: windows-10-poc-mdt.md
|
||||
- name: Deploy Windows 10 in a test lab using Configuration Manager
|
||||
href: windows-10-poc-sc-config-mgr.md
|
||||
- name: 'Step by step guide: Configure a test lab to deploy Windows 10'
|
||||
href: windows-10-poc.md
|
||||
- name: Deploy Windows 10 in a test lab using Configuration Manager
|
||||
href: windows-10-poc-sc-config-mgr.md
|
||||
- name: Deployment process posters
|
||||
href: windows-10-deployment-posters.md
|
||||
|
||||
@ -79,12 +75,8 @@
|
||||
href: do/waas-delivery-optimization-setup.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
|
||||
- name: Configure BranchCache for Windows client updates
|
||||
href: update/waas-branchcache.md
|
||||
- name: Prepare your deployment tools
|
||||
items:
|
||||
- name: Prepare for deployment with MDT
|
||||
href: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
|
||||
- name: Prepare for deployment with Configuration Manager
|
||||
href: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
|
||||
- name: Prepare for deployment with Configuration Manager
|
||||
href: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
|
||||
- name: Build a successful servicing strategy
|
||||
items:
|
||||
- name: Check release health
|
||||
@ -112,16 +104,6 @@
|
||||
href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
|
||||
- name: In-place upgrade
|
||||
href: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
|
||||
- name: Deploy Windows client with MDT
|
||||
items:
|
||||
- name: Deploy to a new device
|
||||
href: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
|
||||
- name: Refresh a device
|
||||
href: deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
|
||||
- name: Replace a device
|
||||
href: deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
|
||||
- name: In-place upgrade
|
||||
href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
|
||||
- name: Deploy Windows client updates
|
||||
items:
|
||||
- name: Assign devices to servicing channels
|
||||
@ -185,15 +167,15 @@
|
||||
- name: Volume Activation
|
||||
items:
|
||||
- name: Overview
|
||||
href: volume-activation/volume-activation-windows-10.md
|
||||
href: volume-activation/volume-activation-windows.md
|
||||
- name: Plan for volume activation
|
||||
href: volume-activation/plan-for-volume-activation-client.md
|
||||
- name: Activate using Key Management Service
|
||||
href: volume-activation/activate-using-key-management-service-vamt.md
|
||||
- name: Activate using Active Directory-based activation
|
||||
href: volume-activation/activate-using-active-directory-based-activation-client.md
|
||||
- name: Activate clients running Windows 10
|
||||
href: volume-activation/activate-windows-10-clients-vamt.md
|
||||
- name: Activate clients running Windows
|
||||
href: volume-activation/activate-windows-clients-vamt.md
|
||||
- name: Monitor activation
|
||||
href: volume-activation/monitor-activation-client.md
|
||||
- name: Use the Volume Activation Management Tool
|
||||
|
@ -17,7 +17,7 @@ ms.date: 10/27/2022
|
||||
|
||||
- Windows 10
|
||||
|
||||
This article will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refresh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
|
||||
This article will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation.
|
||||
|
||||
A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps:
|
||||
|
||||
|
@ -19,7 +19,7 @@ ms.date: 10/27/2022
|
||||
|
||||
In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Configuration Manager. This process is similar to refreshing a computer, but since you're replacing the device, you have to run the backup job separately from the deployment of Windows 10.
|
||||
|
||||
In this article, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This process is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
|
||||
In this article, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006.
|
||||
|
||||
## Infrastructure
|
||||
|
||||
@ -221,11 +221,11 @@ Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager
|
||||
|
||||
## Related articles
|
||||
|
||||
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
|
||||
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
|
||||
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
|
||||
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
|
||||
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
|
||||
[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
|
||||
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
|
||||
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
|
||||
- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
|
||||
- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
|
||||
- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
|
||||
- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
|
||||
- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
|
||||
- [Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
|
||||
- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
|
||||
- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
|
||||
|
@ -20,7 +20,7 @@ ms.date: 05/09/2023
|
||||
|
||||
> [!IMPORTANT]
|
||||
> - Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
|
||||
> - We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
> - As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
|
||||
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
|
||||
|
||||
|
@ -32,14 +32,13 @@ To deploy MCC to your server:
|
||||
1. [Verify MCC functionality](#verify-mcc-server-functionality)
|
||||
1. [Review common Issues](#common-issues) if needed.
|
||||
|
||||
For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
|
||||
|
||||
### Provide Microsoft with the Azure subscription ID
|
||||
|
||||
As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step.
|
||||
> As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
|
||||
For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id).
|
||||
|
||||
|
@ -19,16 +19,16 @@ ms.date: 11/07/2023
|
||||
# Requirements of Microsoft Connected Cache for Enterprise and Education (early preview)
|
||||
|
||||
> [!NOTE]
|
||||
> We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
|
||||
## Enterprise requirements for MCC
|
||||
|
||||
1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services.
|
||||
|
||||
Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
|
||||
Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription costs you nothing. If you don't have an Azure subscription already, you can create an Azure [pay-as-you-go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
|
||||
|
||||
The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions.
|
||||
1. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
|
||||
1. **Hardware to host MCC**: The recommended configuration serves approximately 35,000 managed devices, downloading a 2-GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
|
||||
|
||||
> [!NOTE]
|
||||
> Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations.
|
||||
@ -36,7 +36,7 @@ ms.date: 11/07/2023
|
||||
**EFLOW requires Hyper-V support**
|
||||
- On Windows client, enable the Hyper-V feature.
|
||||
- On Windows Server, install the Hyper-V role and create a default network switch.
|
||||
- For additional requirements, see [EFLOW requirements](/azure/iot-edge/iot-edge-for-linux-on-windows#prerequisites).
|
||||
- For more requirements, see [EFLOW requirements](/azure/iot-edge/iot-edge-for-linux-on-windows#prerequisites).
|
||||
|
||||
Disk recommendations:
|
||||
- Using an SSD is recommended as cache read speed of SSD is superior to HDD
|
||||
@ -44,7 +44,7 @@ ms.date: 11/07/2023
|
||||
NIC requirements:
|
||||
- Multiple NICs on a single MCC instance aren't supported.
|
||||
- 1 Gbps NIC is the minimum speed recommended but any NIC is supported.
|
||||
- For best performance, NIC and BIOS should support SR-IOV
|
||||
- For best performance, NIC and BIOS should support SR-IOV.
|
||||
|
||||
VM networking:
|
||||
- An external virtual switch to support outbound and inbound network communication (created during the installation process)
|
||||
|
@ -15,7 +15,7 @@ metadata:
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
ms.date: 04/27/2023
|
||||
ms.date: 03/21/2024
|
||||
title: Microsoft Connected Cache Frequently Asked Questions
|
||||
summary: |
|
||||
Frequently asked questions about Microsoft Connected Cache
|
||||
@ -27,6 +27,8 @@ sections:
|
||||
answer: Yes. Microsoft Connected Cache is a free service.
|
||||
- question: What will Microsoft Connected Cache do for me? How will it impact our customers?
|
||||
answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs.
|
||||
- question: I already peer with Microsoft(8075). What benefit will I receive by adding Microsoft Connected Cache to my network?
|
||||
answer: MCC complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing MCC.
|
||||
- question: Is there a non-disclosure agreement to sign?
|
||||
answer: No, a non-disclosure agreement isn't required.
|
||||
- question: What are the prerequisites and hardware requirements?
|
||||
@ -40,8 +42,15 @@ sections:
|
||||
|
||||
The following are recommended hardware configurations:
|
||||
|
||||
<!--Using include file, mcc-prerequisites.md, for shared content on DO monitoring-->
|
||||
[!INCLUDE [Microsoft Connected Cache Prerequisites](includes/mcc-prerequisites.md)]
|
||||
| Microsoft Connected Cache Machine Class | Scenario |Traffic Range| VM/Hardware Recommendation|
|
||||
| -------- | -------- | -------- | -------- |
|
||||
| Edge | For smaller ISPs or remote sites part of a larger network. |< 5 Gbps Peak| VM </br> Up to 8 cores</br></br>Up to 16-GB memory</br></br>1 500 GB SSD|
|
||||
| Metro POP | For ISPs, IXs, or Transit Providers serving a moderate amount of traffic in a network that might require one of more cache nodes. |5 to 20 Gbps Peak| VM or hardware</br></br>16 cores*</br></br>32-GB memory</br></br>2 - 3 500-GB SSDs each|
|
||||
|Data Center|For ISPs, IXs, or Transit Providers serving a large amount traffic daily and might require deployment of multiple cache nodes.|20 to 40 Gbps Peak| Hardware, see sample spec below:</br></br>32 or more cores*</br></br>64 or more GB memory</br></br>4 - 6 500 - 1-TB SSDs** each |
|
||||
|
||||
*Requires systems (chipset, CPU, motherboard) with PCIe version 3, or higher.
|
||||
|
||||
**Drive speeds are important and to achieve higher egress, we recommend SSD NVMe in m.2 PCIe slot (version 4, or higher).
|
||||
|
||||
We have one customer who is able to achieve mid-30s Gbps egress rate using the following hardware specification:
|
||||
- Dell PowerEdge R330
|
||||
@ -49,20 +58,20 @@ sections:
|
||||
- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
|
||||
- 4 - Transcend SSD230s 1 TB SATA Drives
|
||||
Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
|
||||
- question: Will I need to provide hardware BareMetal server or VM?
|
||||
answer: Microsoft Connected Cache is a software-only caching solution and will require you to provide your own server to host the software.
|
||||
- question: Do I need to provide hardware BareMetal server or VM?
|
||||
answer: Microsoft Connected Cache is a software-only caching solution and requires you to provide your own server to host the software.
|
||||
- question: Can we use hard drives instead of SSDs?
|
||||
answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance.
|
||||
- question: Will I need to manually enter the CIDR blocks? If I have multiple cache nodes, should I configure a subset of CIDR blocks to each cache node?
|
||||
answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Cache(s), you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes.
|
||||
- question: Do I need to manually enter the CIDR blocks? If I have multiple cache nodes, should I configure a subset of CIDR blocks to each cache node?
|
||||
answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Caches, you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes.
|
||||
- question: Should I add any load balancing mechanism?
|
||||
answer: You don't need to add any load balancing. Our service will take care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node.
|
||||
- question: How many Microsoft Connected Cache instances will I need? How do we set up if we support multiple countries or regions?
|
||||
answer: As stated in the table above, the recommended configuration will achieve near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that will help you estimate the number of cache nodes needed. If your ISP spans multiple countries or regions, you can set up separate cache nodes per country or region.
|
||||
answer: You don't need to add any load balancing. Our service takes care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node.
|
||||
- question: How many Microsoft Connected Cache instances do I need? How do we set up if we support multiple countries or regions?
|
||||
answer: As stated in the recommended hardware table, the recommended configuration achieves near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that helps you estimate the number of cache nodes needed. If your ISP spans multiple countries or regions, you can set up separate cache nodes per country or region.
|
||||
- question: Where should we install Microsoft Connected Cache?
|
||||
answer: You are in control of your hardware and you can pick the location based on your traffic and end customers. You can choose the location where you have your routers or where you have dense traffic or any other parameters.
|
||||
- question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache?
|
||||
answer: Once a request for said content is made, NGINX will look at the cache control headers from the original acquisition. If that content has expired, NGINX will continue to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content will be in the hot cache path (open handles and such) for 24 hrs, but will reside on disk for 30 days. The drive fills up and nginx will start to delete content based on its own algorithm, probably some combination of least recently used.
|
||||
answer: Once a request for said content is made, NGINX looks at the cache control headers from the original acquisition. If that content is expired, NGINX continues to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content will be in the hot cache path (open handles and such) for 24 hrs, but will reside on disk for 30 days. The drive fills up and nginx will start to delete content based on its own algorithm, probably some combination of least recently used.
|
||||
- question: What content is cached by Microsoft Connected Cache?
|
||||
answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints - Windows Deployment](delivery-optimization-endpoints.md).
|
||||
- question: Does Microsoft Connected Cache support Xbox or Teams content?
|
||||
@ -73,9 +82,9 @@ sections:
|
||||
answer: We have already successfully onboarded ISPs in many countries and regions around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers.
|
||||
- question: How does Microsoft Connected Cache populate its content?
|
||||
answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD.
|
||||
- question: What CDNs will Microsoft Connected Cache pull content from?
|
||||
- question: What CDNs does Microsoft Connected Cache pull content from?
|
||||
answer: |
|
||||
Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time:
|
||||
Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time:
|
||||
|
||||
$ dig +noall +answer tlu.dl.delivery.mp.microsoft.com | grep -P "IN\tA"
|
||||
|
||||
@ -84,13 +93,13 @@ sections:
|
||||
$ whois 13.107.4.50|grep "Organization:"
|
||||
|
||||
Organization: Microsoft Corporation (MSFT)
|
||||
- question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how will it affect my traffic?
|
||||
- question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how does it affect my traffic?
|
||||
answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic.
|
||||
- question: I signed up for Microsoft Connected Cache, but I'm not receiving the verification email. What should I do?
|
||||
answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender "microsoft-noreply@microsoft.com".
|
||||
answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender `microsoft-noreply@microsoft.com`.
|
||||
- question: I noticed I can set up BGP for routing. How does BGP routing work for Microsoft Connected Cache?
|
||||
answer: BGP routing can be set up as an automatic method of routing traffic. To learn more about how BGP is used with Microsoft Connected Cache, see [BGP Routing](mcc-isp-create-provision-deploy.md#bgp-routing).
|
||||
- question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned?
|
||||
answer: Even when the quota of 8k messages is hit, the MCC functionality won't be affected. Your client devices will continue to download content as normal. You'll also not be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the early preview and isn't an issue during public preview.
|
||||
answer: Even when the quota of 8k messages is hit, the MCC functionality isn't affected. Your client devices continue to download content as normal. You also won't be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the early preview and isn't an issue during public preview.
|
||||
- question: What do I do if I need more support and have more questions even after reading this FAQ page?
|
||||
answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md).
|
||||
|
@ -13,7 +13,7 @@ appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for ISPs</a>
|
||||
ms.date: 07/27/2023
|
||||
ms.date: 03/21/2024
|
||||
---
|
||||
|
||||
# Microsoft Connected Cache for ISPs overview
|
||||
@ -37,10 +37,15 @@ Microsoft Connected Cache uses Delivery Optimization as the backbone for Microso
|
||||
- Endpoint protection: Windows Defender definition updates
|
||||
- Xbox: Xbox Game Pass (PC only)
|
||||
|
||||
Do you peer with [Microsoft (ASN 8075)](/azure/internet-peering/)? Microsoft Connected Cache complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, and Edgecast. Microsoft Peering mainly caches dynamic content - by onboarding to Microsoft Connected Cache, you'll cache static content that otherwise would be served from the CDN.
|
||||
|
||||
For the full list of content endpoints that Microsoft Connected Cache for ISPs supports, see [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md).
|
||||
|
||||
### Are you already peering with 8075?
|
||||
|
||||
MCC complements peering by offloading static content that is served off of multiple CDNs such as Akamai, Lumen, Edgecast. Static content such as OS updates, Apps, Software installs etc. can't be served via 8075. So, even if you're peering with Microsoft, you can benefit from installing MCC.
|
||||
|
||||
:::image type="content" source="./media/mcc-isp-overview/mcc-isp-peeringvsmcc.png" alt-text="Chart containing Peering vs Cache Content Traffic." lightbox="./media/mcc-isp-overview/mcc-isp-peeringvsmcc.png":::
|
||||
|
||||
|
||||
## How MCC works
|
||||
|
||||
:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png":::
|
||||
@ -71,3 +76,18 @@ The following steps describe how MCC is provisioned and used:
|
||||
1. Subsequent requests from end-user devices for content will be served from cache.
|
||||
|
||||
1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
|
||||
|
||||
### Hardware recommendation
|
||||
|
||||
The following are recommended hardware configurations based on traffic ranges:
|
||||
|
||||
| Microsoft Connected Cache Machine Class | Scenario |Traffic Range| VM/Hardware Recommendation|
|
||||
| -------- | -------- | -------- | -------- |
|
||||
| Edge | For smaller ISPs or remote sites part of a larger network. |< 5 Gbps Peak| **VM** </br> </br>Up to 8 cores</br></br>Up to 16-GB memory</br></br>1 500 GB SSD|
|
||||
| Metro POP | For ISPs, IXs, or Transit Providers serving a moderate amount of traffic in a network that might require one of more cache nodes. |5 to 20 Gbps Peak| **VM or hardware**</br></br>16 cores*</br></br>32-GB memory</br></br>2 - 3 500-GB SSDs each|
|
||||
|Data Center|For ISPs, IXs, or Transit Providers serving a large amount traffic daily and might require deployment of multiple cache nodes.|20 to 40 Gbps Peak| **Hardware**, see sample spec below:</br></br> 32 or more cores*</br></br>64 or more GB memory</br></br>4 - 6 500 - 1-TB SSDs** each |
|
||||
|
||||
*Requires systems (chipset, CPU, motherboard) with PCIe version 3, or higher.
|
||||
|
||||
**Drive speeds are important and to achieve higher egress, we recommend SSD NVMe in m.2 PCIe slot (version 4, or higher).
|
||||
|
||||
|
Binary file not shown.
After Width: | Height: | Size: 122 KiB |
@ -38,7 +38,7 @@ Microsoft Connected Cache (MCC) for Internet Service Providers is currently in p
|
||||
## Microsoft Connected Cache for Enterprise and Education (early preview)
|
||||
|
||||
> [!NOTE]
|
||||
> We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
> As we near the release of public preview, we have paused onboarding. Please continue to submit the form to express interest so we can follow up with you once public preview of Microsoft Connected Cache for Enteprise and Education is available. To register your interest, fill out the form located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup).
|
||||
|
||||
Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. Learn more at [Microsoft Connected Cache for Enterprise and Education Overview](mcc-ent-edu-overview.md).
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
### YamlMime:Hub
|
||||
### YamlMime:Landing
|
||||
|
||||
title: Deploy and update Windows # < 60 chars; shows at top of hub page
|
||||
summary: Learn about deploying and updating Windows client devices in your organization. # < 160 chars
|
||||
@ -6,7 +6,7 @@ summary: Learn about deploying and updating Windows client devices in your organ
|
||||
metadata:
|
||||
title: Windows client deployment documentation # Required; browser tab title displayed in search results. Include the brand. < 60 chars.
|
||||
description: Learn about deploying and updating Windows client devices in your organization. # Required; article description that is displayed in search results. < 160 chars.
|
||||
ms.topic: hub-page
|
||||
ms.topic: landing-page
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-deploy
|
||||
ms.collection:
|
||||
@ -15,166 +15,168 @@ metadata:
|
||||
author: aczechowski
|
||||
ms.author: aaroncz
|
||||
manager: aaroncz
|
||||
ms.date: 01/18/2024
|
||||
ms.date: 04/01/2024
|
||||
localization_priority: medium
|
||||
|
||||
# common graphics: https://review.learn.microsoft.com/content-production-service/internal/image-gallery?branch=main
|
||||
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
|
||||
|
||||
productDirectory:
|
||||
title: Get started
|
||||
items:
|
||||
- title: Plan
|
||||
imageSrc: /media/common/i_overview.svg
|
||||
links:
|
||||
- text: Plan for Windows 11
|
||||
url: /windows/whats-new/windows-11-plan?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
|
||||
- text: Create a deployment plan
|
||||
url: update/create-deployment-plan.md
|
||||
- text: Define readiness criteria
|
||||
url: update/plan-define-readiness.md
|
||||
- text: Define your servicing strategy
|
||||
url: update/plan-define-strategy.md
|
||||
- text: Determine application readiness
|
||||
url: update/plan-determine-app-readiness.md
|
||||
- text: Plan for volume activation
|
||||
url: volume-activation/plan-for-volume-activation-client.md
|
||||
landingContent:
|
||||
|
||||
- title: Prepare
|
||||
imageSrc: /media/common/i_tasks.svg
|
||||
links:
|
||||
- text: Prepare for Windows 11
|
||||
url: /windows/whats-new/windows-11-prepare?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
|
||||
- text: Prepare to deploy Windows updates
|
||||
url: update/prepare-deploy-windows.md
|
||||
- text: Prepare updates using Windows Update for Business
|
||||
url: update/waas-manage-updates-wufb.md
|
||||
- text: Evaluate and update infrastructure
|
||||
url: update/update-policies.md
|
||||
- text: Set up Delivery Optimization for Windows client updates
|
||||
url: do/waas-delivery-optimization-setup.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
|
||||
- text: Prepare for imaging with Configuration Manager
|
||||
url: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
|
||||
- title: Plan
|
||||
linkLists:
|
||||
- linkListType: concept
|
||||
links:
|
||||
- text: Plan for Windows 11
|
||||
url: /windows/whats-new/windows-11-plan?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
|
||||
- text: Create a deployment plan
|
||||
url: update/create-deployment-plan.md
|
||||
- text: Define readiness criteria
|
||||
url: update/plan-define-readiness.md
|
||||
- text: Define your servicing strategy
|
||||
url: update/plan-define-strategy.md
|
||||
- text: Determine application readiness
|
||||
url: update/plan-determine-app-readiness.md
|
||||
- text: Plan for volume activation
|
||||
url: volume-activation/plan-for-volume-activation-client.md
|
||||
|
||||
- title: Deploy
|
||||
imageSrc: /media/common/i_deploy.svg
|
||||
links:
|
||||
- text: Deploy Windows with Autopilot
|
||||
url: /mem/autopilot/tutorial/autopilot-scenarios
|
||||
- text: Assign devices to servicing channels
|
||||
url: update/waas-servicing-channels-windows-10-updates.md
|
||||
- text: Deploy updates with Intune
|
||||
url: update/deploy-updates-intune.md
|
||||
- text: Deploy Windows updates with Configuration Manager
|
||||
url: update/deploy-updates-configmgr.md
|
||||
- text: Upgrade Windows using Configuration Manager
|
||||
url: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
|
||||
- text: Check release health
|
||||
url: update/check-release-health.md
|
||||
- title: Prepare
|
||||
linkLists:
|
||||
- linkListType: get-started
|
||||
links:
|
||||
- text: Prepare for Windows 11
|
||||
url: /windows/whats-new/windows-11-prepare?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
|
||||
- text: Prepare to deploy Windows updates
|
||||
url: update/prepare-deploy-windows.md
|
||||
- text: Prepare updates using Windows Update for Business
|
||||
url: update/waas-manage-updates-wufb.md
|
||||
- text: Evaluate and update infrastructure
|
||||
url: update/update-policies.md
|
||||
- text: Set up Delivery Optimization for Windows client updates
|
||||
url: do/waas-delivery-optimization-setup.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
|
||||
- text: Prepare for imaging with Configuration Manager
|
||||
url: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
|
||||
|
||||
additionalContent:
|
||||
sections:
|
||||
- title: Solutions
|
||||
items:
|
||||
- title: Deploy
|
||||
linkLists:
|
||||
- linkListType: deploy
|
||||
links:
|
||||
- text: Deploy Windows with Autopilot
|
||||
url: /mem/autopilot/tutorial/autopilot-scenarios
|
||||
- text: Assign devices to servicing channels
|
||||
url: update/waas-servicing-channels-windows-10-updates.md
|
||||
- text: Deploy updates with Intune
|
||||
url: update/deploy-updates-intune.md
|
||||
- text: Deploy Windows updates with Configuration Manager
|
||||
url: update/deploy-updates-configmgr.md
|
||||
- text: Upgrade Windows using Configuration Manager
|
||||
url: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
|
||||
- text: Check release health
|
||||
url: update/check-release-health.md
|
||||
|
||||
- title: Windows Autopilot
|
||||
links:
|
||||
- text: Overview
|
||||
url: /mem/autopilot/windows-autopilot
|
||||
- text: Scenarios
|
||||
url: /mem/autopilot/tutorial/autopilot-scenarios
|
||||
- text: Device registration
|
||||
url: /mem/autopilot/registration-overview
|
||||
- text: Learn more about Windows Autopilot >
|
||||
url: /mem/autopilot
|
||||
- title: Windows Autopilot
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: Overview
|
||||
url: /mem/autopilot/windows-autopilot
|
||||
- text: Scenarios
|
||||
url: /mem/autopilot/tutorial/autopilot-scenarios
|
||||
- text: Device registration
|
||||
url: /mem/autopilot/registration-overview
|
||||
- text: Learn more about Windows Autopilot >
|
||||
url: /mem/autopilot
|
||||
|
||||
- title: Windows Autopatch
|
||||
links:
|
||||
- text: What is Windows Autopatch?
|
||||
url: windows-autopatch/overview/windows-autopatch-overview.md
|
||||
- text: Frequently asked questions (FAQ)
|
||||
url: windows-autopatch/overview/windows-autopatch-faq.yml
|
||||
- text: Prerequisites
|
||||
url: windows-autopatch/prepare/windows-autopatch-prerequisites.md
|
||||
- text: Learn more about Windows Autopatch >
|
||||
url: windows-autopatch/index.yml
|
||||
- title: Windows Autopatch
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: What is Windows Autopatch?
|
||||
url: windows-autopatch/overview/windows-autopatch-overview.md
|
||||
- text: Frequently asked questions (FAQ)
|
||||
url: windows-autopatch/overview/windows-autopatch-faq.yml
|
||||
- text: Prerequisites
|
||||
url: windows-autopatch/prepare/windows-autopatch-prerequisites.md
|
||||
- text: Learn more about Windows Autopatch >
|
||||
url: windows-autopatch/index.yml
|
||||
|
||||
- title: Windows Update for Business
|
||||
links:
|
||||
- text: What is Windows Update for Business?
|
||||
url: update/waas-manage-updates-wufb.md
|
||||
- text: Windows Update for Business deployment service
|
||||
url: update/deployment-service-overview.md
|
||||
- text: Manage Windows Update settings
|
||||
url: update/waas-wu-settings.md
|
||||
- text: Windows Update for Business reports overview
|
||||
url: update/wufb-reports-overview.md
|
||||
- title: Windows Update for Business
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: What is Windows Update for Business?
|
||||
url: update/waas-manage-updates-wufb.md
|
||||
- text: Windows Update for Business deployment service
|
||||
url: update/deployment-service-overview.md
|
||||
- text: Manage Windows Update settings
|
||||
url: update/waas-wu-settings.md
|
||||
- text: Windows Update for Business reports overview
|
||||
url: update/wufb-reports-overview.md
|
||||
|
||||
- title: Optimize and cache content
|
||||
links:
|
||||
- text: What is Delivery Optimization?
|
||||
url: do/waas-delivery-optimization.md
|
||||
- text: What is Microsoft Connected Cache?
|
||||
url: do/waas-microsoft-connected-cache.md
|
||||
- text: Frequently asked questions
|
||||
url: do/waas-delivery-optimization-faq.yml
|
||||
- text: Learn more about Delivery Optimization >
|
||||
url: do/index.yml
|
||||
- title: Optimize and cache content
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: What is Delivery Optimization?
|
||||
url: do/waas-delivery-optimization.md
|
||||
- text: What is Microsoft Connected Cache?
|
||||
url: do/waas-microsoft-connected-cache.md
|
||||
- text: Frequently asked questions
|
||||
url: do/waas-delivery-optimization-faq.yml
|
||||
- text: Learn more about Delivery Optimization >
|
||||
url: do/index.yml
|
||||
|
||||
- title: In-place upgrade and imaging
|
||||
links:
|
||||
- text: Upgrade Windows using Configuration Manager
|
||||
url: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
|
||||
- text: Deploy a Windows image using Configuration Manager
|
||||
url: deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
|
||||
- text: Convert a disk from MBR to GPT
|
||||
url: mbr-to-gpt.md
|
||||
- text: Resolve Windows upgrade errors
|
||||
url: upgrade/resolve-windows-upgrade-errors.md
|
||||
- title: In-place upgrade and imaging
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: Upgrade Windows using Configuration Manager
|
||||
url: deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
|
||||
- text: Deploy a Windows image using Configuration Manager
|
||||
url: deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
|
||||
- text: Convert a disk from MBR to GPT
|
||||
url: mbr-to-gpt.md
|
||||
- text: Resolve Windows upgrade errors
|
||||
url: upgrade/resolve-windows-upgrade-errors.md
|
||||
|
||||
- title: Licensing and activation
|
||||
links:
|
||||
- text: Plan for volume activation
|
||||
url: volume-activation/plan-for-volume-activation-client.md
|
||||
- text: Subscription activation
|
||||
url: windows-10-subscription-activation.md
|
||||
- text: Volume activation management tool (VAMT)
|
||||
url: volume-activation/introduction-vamt.md
|
||||
- text: Activate using key management service (KMS)
|
||||
url: volume-activation/activate-using-key-management-service-vamt.md
|
||||
- text: Windows commercial licensing overview
|
||||
url: /windows/whats-new/windows-licensing
|
||||
- title: Licensing and activation
|
||||
linkLists:
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: Plan for volume activation
|
||||
url: volume-activation/plan-for-volume-activation-client.md
|
||||
- text: Subscription activation
|
||||
url: windows-10-subscription-activation.md
|
||||
- text: Volume activation management tool (VAMT)
|
||||
url: volume-activation/introduction-vamt.md
|
||||
- text: Activate using key management service (KMS)
|
||||
url: volume-activation/activate-using-key-management-service-vamt.md
|
||||
- text: Windows commercial licensing overview
|
||||
url: /windows/whats-new/windows-licensing
|
||||
|
||||
- title: More resources
|
||||
items:
|
||||
|
||||
- title: Release and lifecycle
|
||||
links:
|
||||
- text: Windows release health dashboard
|
||||
url: /windows/release-health
|
||||
- text: Windows client features lifecycle
|
||||
url: /windows/whats-new/feature-lifecycle
|
||||
- text: Lifecycle FAQ - Windows
|
||||
url: /lifecycle/faq/windows
|
||||
|
||||
- title: Windows hardware
|
||||
links:
|
||||
- text: Download and install the Windows ADK
|
||||
url: /windows-hardware/get-started/adk-install
|
||||
- text: Deployment tools
|
||||
url: /windows-hardware/manufacture/desktop/boot-and-install-windows
|
||||
# - text:
|
||||
# url:
|
||||
# - text:
|
||||
# url:
|
||||
|
||||
- title: Community
|
||||
links:
|
||||
- text: Windows IT pro blog
|
||||
url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog
|
||||
- text: Windows office hours
|
||||
url: https://aka.ms/windows/officehours
|
||||
# - text:
|
||||
# url:
|
||||
# - text:
|
||||
# url:
|
||||
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
|
||||
|
||||
- title: More resources
|
||||
linkLists:
|
||||
- linkListType: reference
|
||||
# Release and lifecycle
|
||||
links:
|
||||
- text: Windows release health dashboard
|
||||
url: /windows/release-health
|
||||
- text: Windows client features lifecycle
|
||||
url: /windows/whats-new/feature-lifecycle
|
||||
- text: Lifecycle FAQ - Windows
|
||||
url: /lifecycle/faq/windows
|
||||
- linkListType: download
|
||||
# Windows hardware
|
||||
links:
|
||||
- text: Download and install the Windows ADK
|
||||
url: /windows-hardware/get-started/adk-install
|
||||
- text: Deployment tools
|
||||
url: /windows-hardware/manufacture/desktop/boot-and-install-windows
|
||||
- linkListType: whats-new
|
||||
# Community
|
||||
links:
|
||||
- text: Windows IT pro blog
|
||||
url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog
|
||||
- text: Windows office hours
|
||||
url: https://aka.ms/windows/officehours
|
||||
|
@ -82,7 +82,7 @@ sections:
|
||||
- question: |
|
||||
Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
|
||||
answer: |
|
||||
Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md).
|
||||
Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md).
|
||||
|
||||
- question: |
|
||||
Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Activate using Active Directory-based activation
|
||||
description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
|
||||
description: Learn how active directory-based activation is implemented as a role service that relies on Active Directory Domain Services (ADDS) to store activation objects.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
author: frankroj
|
||||
@ -8,135 +8,140 @@ ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-fundamentals
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: how-to
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier2
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
- ✅ Microsoft Office
|
||||
---
|
||||
|
||||
# Activate using Active Directory-based activation
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows
|
||||
- Windows Server
|
||||
- Office
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/)
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that you update the forest schema using `adprep.exe` on a supported server OS. After the schema is updated, older domain controllers can still activate clients.
|
||||
Active Directory-based activation is implemented as a role service that relies on Active Directory Domain Services (ADDS) to store activation objects. Active Directory-based activation requires updating the forest schema with `adprep.exe` on a supported server OS. After the schema is updated, older domain controllers can still activate clients.
|
||||
|
||||
Any domain-joined computers running a supported OS with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They'll stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
|
||||
Any domain-joined computers running a supported OS with a Generic Volume License Key (GVLK) is activated automatically and transparently. Domain-joined computers stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts ADDS automatically, receives the activation object, and is activated without user intervention.
|
||||
|
||||
To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console, or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
|
||||
To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console, or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the ADDS forest. The activation object is created by submitting a Key Management Service (KMS) host key to Microsoft, as shown in Figure 10.
|
||||
|
||||
The process proceeds as follows:
|
||||
|
||||
1. Do *one* of the following tasks:
|
||||
|
||||
- Install the Volume Activation Services server role on a domain controller. Then add a KMS host key by using the Volume Activation Tools Wizard.
|
||||
- Install the Volume Activation Services server role on a domain controller, then add a KMS host key by using the Volume Activation Tools Wizard.
|
||||
|
||||
- Extend the domain schema level to Windows Server 2012 R2 or later. Then add a KMS host key by using the VAMT.
|
||||
- Extend the domain schema level to Windows Server 2012 R2 or later, then add a KMS host key by using the VAMT.
|
||||
|
||||
2. Microsoft verifies the KMS host key, and an activation object is created.
|
||||
1. Microsoft verifies the KMS host key, and an activation object is created.
|
||||
|
||||
3. Client computers are activated by receiving the activation object from a domain controller during startup.
|
||||
1. Client computers are activated by receiving the activation object from a domain controller during startup.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> 
|
||||
|
||||
**Figure 10**. The Active Directory-based activation flow
|
||||
|
||||
For environments in which all computers are running a supported OS version, and they're joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers. You may be able to remove any KMS hosts from your environment.
|
||||
For environments where all computers are domain joined and running a supported OS version, Active Directory-based activation is the best option for activating client computers and servers. Active Directory-based activation might allow removal of any KMS hosts from the environment. If an environment contains one of the following items:
|
||||
|
||||
If an environment will continue to contain earlier versions of volume licensed operating systems and applications, or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status.
|
||||
- Earlier versions of volume licensed operating systems and applications
|
||||
- Workgroup computers outside the domain
|
||||
|
||||
Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain. They'll periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
|
||||
a KMS host is still needed to maintain activation status.
|
||||
|
||||
When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object can't be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, Windows will change the status to "not activated" and the computer will try to activate with KMS.
|
||||
Clients that are activated with Active Directory-based activation maintain their activated state for up to 180 days since the last contact with the domain. They periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
|
||||
|
||||
When a reactivation event occurs, the client queries ADDS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and the GVLK match, then reactivation occurs. If the ADDS object can't be retrieved, client computers use KMS activation. If the computer is removed from the domain and the computer or the Software Protection service is restarted, Windows changes the status to **Not Activated** and the computer tries to activate with KMS.
|
||||
|
||||
## Step-by-step configuration: Active Directory-based activation
|
||||
|
||||
> [!NOTE]
|
||||
> You must be a member of the local **Administrators** group on all computers mentioned in these steps. You also need to be a member of the **Enterprise Administrators** group, because setting up Active Directory-based activation changes forest-wide settings.
|
||||
>
|
||||
> The administrator following these steps must be a member of the local **Administrators** group on all computers mentioned in these steps. Additionally, they also need to be a member of the **Enterprise Administrators** group, because setting up Active Directory-based activation changes forest-wide settings.
|
||||
|
||||
To configure Active Directory-based activation on a supported version of Windows Server, complete the following steps:
|
||||
|
||||
1. Use an account with **Domain Administrator** and **Enterprise Administrator** credentials to sign in to a domain controller.
|
||||
|
||||
2. Launch **Server Manager**.
|
||||
1. Launch **Server Manager**.
|
||||
|
||||
3. Add the **Volume Activation Services** role, as shown in Figure 11.
|
||||
1. Add the **Volume Activation Services** role, as shown in Figure 11.
|
||||
|
||||

|
||||
|
||||
**Figure 11**. Adding the Volume Activation Services role
|
||||
|
||||
4. Select the **Volume Activation Tools**, as shown in Figure 12.
|
||||
1. Select the **Volume Activation Tools**, as shown in Figure 12.
|
||||
|
||||

|
||||
|
||||
**Figure 12**. Launching the Volume Activation Tools
|
||||
|
||||
5. Select the **Active Directory-Based Activation** option, as shown in Figure 13.
|
||||
1. Select the **Active Directory-Based Activation** option, as shown in Figure 13.
|
||||
|
||||

|
||||
|
||||
**Figure 13**. Selecting Active Directory-Based Activation
|
||||
|
||||
6. Enter your KMS host key and optionally specify a display name, as shown in Figure 14.
|
||||
1. Enter the organization's KMS host key and optionally specify a display name, as shown in Figure 14.
|
||||
|
||||

|
||||

|
||||
|
||||
**Figure 14**. Entering your KMS host key
|
||||
**Figure 14**. Entering the organization's KMS host key
|
||||
|
||||
7. Activate your KMS host key by phone or online, as shown in Figure 15.
|
||||
1. Activate the organization's KMS host key by phone or online, as shown in Figure 15.
|
||||
|
||||

|
||||

|
||||
|
||||
**Figure 15**. Choosing how to activate your product
|
||||
**Figure 15**. Choosing how to activate the product
|
||||
|
||||
> [!NOTE]
|
||||
> To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
|
||||
> To activate a KMS Host Key/Customer Specific Volume License Key (CSVLK) for Microsoft Office, the version-specific Office Volume License Pack needs to be installed on the server where the Volume Activation Server Role is installed.
|
||||
>
|
||||
> - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
|
||||
> - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164).
|
||||
>
|
||||
> - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
|
||||
> - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342).
|
||||
>
|
||||
> - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
|
||||
>
|
||||
> - [Office LTSC 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446)
|
||||
> - [Office LTSC 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446).
|
||||
>
|
||||
> For more information, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory).
|
||||
|
||||
8. After activating the key, select **Commit**, and then select **Close**.
|
||||
1. After activating the key, select **Commit**, and then select **Close**.
|
||||
|
||||
## Verifying the configuration of Active Directory-based activation
|
||||
|
||||
To verify your Active Directory-based activation configuration, complete the following steps:
|
||||
To verify the Active Directory-based activation configuration, complete the following steps:
|
||||
|
||||
1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that's configured by volume licensing.
|
||||
1. After configuring Active Directory-based activation, start a computer running an edition of Windows configured by volume licensing.
|
||||
|
||||
2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK. Run the `slmgr.vbs /ipk` command and specifying the GLVK as the new product key.
|
||||
1. If the computer was previously configured with a MAK key, replace the MAK key with the GVLK. Run the `slmgr.vbs /ipk` command and specifying the GVLK as the new product key.
|
||||
|
||||
3. If the computer isn't joined to your domain, join it to the domain.
|
||||
1. If the computer isn't joined to the organization's domain, join it to the domain.
|
||||
|
||||
4. Sign in to the computer.
|
||||
1. Sign in to the computer.
|
||||
|
||||
5. Open Windows Explorer, right-click **Computer**, and then select **Properties**.
|
||||
1. Open Windows Explorer, right-click **Computer**, and then select **Properties**.
|
||||
|
||||
6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
|
||||
1. Scroll down to the **Windows activation** section, and verify that this client is activated.
|
||||
|
||||
> [!NOTE]
|
||||
> If you're using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that hasn't already been activated by KMS. The `slmgr.vbs /dlv` command also indicates whether KMS has been used.
|
||||
>
|
||||
> If using both KMS and Active Directory-based activation, it might be difficult to determine is a client was activated with KMS or by Active Directory-based activation. During the test, consider disabling KMS, or ensure to use a client computer not already activated by KMS. The `slmgr.vbs /dlv` command also indicates if KMS was used.
|
||||
>
|
||||
> To manage individual activations or apply multiple (mass) activations, use the [VAMT](./volume-activation-management-tool.md).
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
[Volume Activation for Windows 10](volume-activation-windows-10.md)
|
||||
- [Volume Activation for Windows](volume-activation-windows.md).
|
||||
|
@ -8,7 +8,7 @@ author: frankroj
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/16/2023
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: how-to
|
||||
ms.collection:
|
||||
- highpri
|
||||
@ -55,7 +55,7 @@ KMS can be activated on client versions of Windows by using the `slmgr.vbs`. To
|
||||
cscript.exe slmgr.vbs /ipk <KMS_Key>
|
||||
```
|
||||
|
||||
1. Once the KMS key has been installed, it needs to be activated using one of the following methods:
|
||||
1. Once the KMS key is installed, it needs to be activated using one of the following methods:
|
||||
|
||||
- To activate online, in the elevated Command Prompt window, run the following command:
|
||||
|
||||
@ -85,11 +85,11 @@ KMS can be activated on client versions of Windows by using the `slmgr.vbs`. To
|
||||
|
||||
## Key Management Service in Windows Server
|
||||
|
||||
Installing a KMS host key on a computer running Windows Server allows you to activate computers running the same or earlier versions of Windows Server. Additionally, it also allows activation of client versions of Windows.
|
||||
Installing a KMS host key on a computer running Windows Server allows activation of computers running the same or earlier versions of Windows Server. Additionally, it also allows activation of client versions of Windows.
|
||||
|
||||
> [!IMPORTANT]
|
||||
>
|
||||
> You can't install a client KMS key into the KMS in Windows Server.
|
||||
> A client KMS key can't be installed into the KMS in Windows Server.
|
||||
|
||||
### Configure KMS in Windows Server
|
||||
|
||||
@ -125,7 +125,7 @@ Installing a KMS host key on a computer running Windows Server allows you to act
|
||||
|
||||
1. In the **Introduction to Volume Activation Tools**/**Introduction** page, select the **Next >** button.
|
||||
|
||||
1. In the **Select Volume Activation Method**/**Activation Type** page, select the **Key Management Service (KMS)** option, and specify the computer that acts as the KMS host. This computer can be the server on which the KMS role was installed, or another server/client computer. After the server/computer has been specified, select the **Next >** button.
|
||||
1. In the **Select Volume Activation Method**/**Activation Type** page, select the **Key Management Service (KMS)** option, and specify the computer that acts as the KMS host. This computer can be the server on which the KMS role was installed, or another server/client computer. After the server/computer is specified, select the **Next >** button.
|
||||
|
||||
1. In the **Manage KMS Host**/**Product Key Management** page, enter in the KMS host key in the text box under **Install your KMS host key**, and then select the **Commit** button.
|
||||
|
||||
@ -165,27 +165,27 @@ KMS volume activation can be verified from the KMS host server or from the clien
|
||||
|
||||
> [!NOTE]
|
||||
>
|
||||
> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that doesn't first try to activate itself by using Active Directory-based activation. For example, a client computer that is a workgroup computer that isn't joined to a domain.
|
||||
> If Active Directory-based activation was configured before configuring KMS activation, a client computer must be used that doesn't first try to activate itself by using Active Directory-based activation. For example, a client computer that is a workgroup computer that isn't joined to a domain.
|
||||
|
||||
To verify that KMS volume activation works, complete the following steps:
|
||||
|
||||
1. On the KMS host, open the event log and confirm that DNS publishing is successful.
|
||||
|
||||
2. On a client computer, open an elevated Command Prompt window and run the command:
|
||||
1. On a client computer, open an elevated Command Prompt window and run the command:
|
||||
|
||||
```cmd
|
||||
cscript.exe slmgr.vbs /ato
|
||||
```
|
||||
|
||||
The `/ato` command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
|
||||
The `/ato` command causes the operating system to attempt activation by using whichever key is installed in the operating system. The response should show the license state and detailed Windows version information.
|
||||
|
||||
3. On a client computer or the KMS host, open an elevated Command Prompt window and run the command
|
||||
1. On a client computer or the KMS host, open an elevated Command Prompt window and run the command
|
||||
|
||||
```cmd
|
||||
cscript.exe slmgr.vbs /dlv
|
||||
```
|
||||
|
||||
The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This test confirms that KMS is functioning correctly, even though the client hasn't been activated.
|
||||
The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This test confirms that KMS is functioning correctly, even though the client isn't activated.
|
||||
|
||||
For more information about the use and syntax of the script `slmgr.vbs`, see [Slmgr.vbs Options](/windows-server/get-started/activation-slmgr-vbs-options).
|
||||
|
||||
@ -193,6 +193,6 @@ For more information about the use and syntax of the script `slmgr.vbs`, see [Sl
|
||||
>
|
||||
> Clients require RPC over TCP/IP connectivity to the KMS host to successfully activate. For more information, see [Key Management Services (KMS) activation planning: Network requirements](/windows-server/get-started/kms-activation-planning#network-requirements) and [Remote Procedure Call (RPC) errors troubleshooting guidance](/troubleshoot/windows-client/networking/rpc-errors-troubleshooting).
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Key Management Services (KMS) activation planning](/windows-server/get-started/kms-activation-planning).
|
||||
|
@ -1,141 +0,0 @@
|
||||
---
|
||||
title: Activate clients running Windows 10 (Windows 10)
|
||||
description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/07/2022
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
||||
# Activate clients running Windows 10
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
- Windows 8.1
|
||||
- Windows 8
|
||||
- Windows 7
|
||||
- Windows Server 2022
|
||||
- Windows Server 2019
|
||||
- Windows Server 2016
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
- Windows Server 2008 R2
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/)
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
|
||||
After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works.
|
||||
|
||||
Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer.
|
||||
|
||||
If activation or reactivation is required, the following sequence occurs:
|
||||
|
||||
1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals.
|
||||
|
||||
2. If the computer isn't a member of a domain or if the volume activation object isn't available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer's GVLK.
|
||||
|
||||
3. The computer tries to activate against Microsoft servers if it's configured with a MAK.
|
||||
|
||||
If the client isn't able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart.
|
||||
|
||||
## How Key Management Service works
|
||||
|
||||
KMS uses a client-server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
|
||||
|
||||
### Key Management Service activation thresholds
|
||||
|
||||
You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met.
|
||||
|
||||
A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold aren't activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more.
|
||||
|
||||
When KMS clients are waiting for the KMS to reach the activation threshold, they'll connect to the KMS host every two hours to get the current activation count. They'll be activated when the threshold is met.
|
||||
|
||||
In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it's activated. If a computer running Windows 10 receives an activation count of 25 or more, it's activated.
|
||||
|
||||
### Activation count cache
|
||||
|
||||
To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30 day period begins again. If a KMS client computer doesn't renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
|
||||
|
||||
However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days.
|
||||
The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
|
||||
|
||||
### Key Management Service connectivity
|
||||
|
||||
KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action, or KMS hosts and client computers can be manually configured based on network configuration and security requirements.
|
||||
|
||||
### Key Management Service activation renewal
|
||||
|
||||
KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days. If KMS activation fails, the client computer retries every two hours. After a client computer's activation is renewed, the activation validity interval begins again.
|
||||
|
||||
### Publication of the Key Management Service
|
||||
|
||||
The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update isn't available or the KMS host doesn't have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
|
||||
|
||||
### Client discovery of the Key Management Service
|
||||
|
||||
By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
|
||||
|
||||
Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. All currently supported versions of Windows and Windows Server provide these priority and weight parameters.
|
||||
|
||||
If the KMS host that a client computer selects doesn't respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host doesn't respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
|
||||
|
||||
By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated, and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
|
||||
|
||||
### Domain Name System server configuration
|
||||
|
||||
The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
|
||||
The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records.
|
||||
|
||||
### Activating the first Key Management Service host
|
||||
|
||||
KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host doesn't communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
|
||||
|
||||
### Activating subsequent Key Management Service hosts
|
||||
|
||||
Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization's KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
|
||||
|
||||
## How Multiple Activation Key works
|
||||
|
||||
A MAK is used for one-time activation with Microsoft's hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization's exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
|
||||
|
||||
You can activate computers by using a MAK in two ways:
|
||||
|
||||
- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that don't maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
|
||||
|
||||

|
||||
|
||||
**Figure 16**. MAK independent activation
|
||||
|
||||
- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It's also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
|
||||
|
||||

|
||||
|
||||
**Figure 17**. MAK proxy activation with the VAMT
|
||||
|
||||
A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation doesn't meet the KMS activation threshold.
|
||||
|
||||
You can use a MAK for individual computers or with an image that can be duplicated or installed using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. Switching from KMS to a MAK is useful for moving a computer off the core network to a disconnected environment.
|
||||
|
||||
### Multiple Activation Key architecture and activation
|
||||
|
||||
MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet.
|
||||
|
||||
In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID.
|
||||
|
||||
## Activating as a standard user
|
||||
|
||||
Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 don't require administrator privileges for activation, but this change doesn't allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as "rearm."
|
||||
|
||||
## Related articles
|
||||
|
||||
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
|
@ -0,0 +1,158 @@
|
||||
---
|
||||
title: Activate clients running Windows
|
||||
description: Activate clients running Windows after configuring Key Management Service (KMS) or Active Directory-based activation.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Activate clients running Windows
|
||||
|
||||
> [!TIP]
|
||||
>
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
After Key Management Service (KMS) or Active Directory-based activation is configured in a network, activating a client running Windows is easy. If the computer is configured with a Generic Volume License Key (GVLK), IT or the user don't need to take any action. It just works.
|
||||
|
||||
Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer.
|
||||
|
||||
If activation or reactivation is required, the following sequence occurs:
|
||||
|
||||
1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object meets the following requirements:
|
||||
|
||||
- Matches the edition of the software that is installed
|
||||
- Has a matching GVLK
|
||||
|
||||
then the computer is activated (or reactivated). The computer doesn't need to activate again for 180 days although the operating system attempts reactivation at shorter, regular intervals.
|
||||
|
||||
1. If the computer isn't a member of a domain or if the volume activation object isn't available, the computer issues a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer's GVLK.
|
||||
|
||||
1. The computer tries to activate against Microsoft servers if it's configured with a MAK.
|
||||
|
||||
If the client isn't able to activate itself successfully, it periodically tries again. The frequency of the retry attempts depends on the current licensing state and whether the client computer successfully activated in the past. For example, if the client computer previously used Active Directory-based activation to activate, it periodically tries to contact the domain controller at each restart.
|
||||
|
||||
## How Key Management Service works
|
||||
|
||||
KMS uses a client-server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
|
||||
|
||||
### Key Management Service activation thresholds
|
||||
|
||||
Physical computers and virtual machines can activate by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers. This minimum is called the activation threshold. KMS clients will be activated only after this threshold is met. Each KMS host counts the number of computers that requested activation until the threshold is met.
|
||||
|
||||
A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold aren't activated. For example, if the first two computers that contact the KMS host are running a currently supported version of Windows client, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine running a currently supported version of Windows client, it receives an activation count of 3, and so on. None of these computers are activated because an activation count of 25 or more must be reached.
|
||||
|
||||
When KMS clients are waiting for the KMS to reach the activation threshold, they connect to the KMS host every two hours to get the current activation count. They're activated once the threshold is met.
|
||||
|
||||
In our example, if the next computer that contacts the KMS host is running a currently supported version of Windows Server, it receives an activation count of 4 since activation counts are cumulative. If a computer running a currently supported version of Windows Server receives an activation count that is 5 or more, it's activated. If a computer running a currently supported version of Windows client receives an activation count of 25 or more, it's activated.
|
||||
|
||||
### Activation count cache
|
||||
|
||||
To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30 day period begins again. If a KMS client computer doesn't renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
|
||||
|
||||
However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed sooner than 30 days.
|
||||
|
||||
The type of client computer that is attempting to activate sets the total size of the cache. For example, if a KMS host receives activation requests only from servers, the cache holds only 10 client IDs, twice the required threshold of 5. However, if a client computer running Windows client contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
|
||||
|
||||
### Key Management Service connectivity
|
||||
|
||||
KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients use DNS to publish and find the KMS. The default settings can be used, which require little or no administrative action. However, the KMS hosts and client computers can be manually configured based on network configuration and security requirements.
|
||||
|
||||
### Key Management Service activation renewal
|
||||
|
||||
KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days. If KMS activation fails, the client computer retries every two hours. After a client computer's activation is renewed, the activation validity interval begins again.
|
||||
|
||||
### Publication of the Key Management Service
|
||||
|
||||
The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update isn't available or the KMS host doesn't have rights to publish the resource records, one of the following actions needs to be taken:
|
||||
|
||||
- The DNS records must be published manually.
|
||||
- Client computers must be configured to connect to specific KMS hosts.
|
||||
|
||||
### Client discovery of the Key Management Service
|
||||
|
||||
By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers. This feature allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
|
||||
|
||||
Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows specifying which KMS host the client computers should try first and balances traffic among multiple KMS hosts. All currently supported versions of Windows and Windows Server provide these priority and weight parameters.
|
||||
|
||||
If the KMS host that a client computer selects doesn't respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host doesn't respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
|
||||
|
||||
By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688, although the default port can be changed. After a client computer establishes a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold, the client computer is activated, and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
|
||||
|
||||
### Domain Name System server configuration
|
||||
|
||||
The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on:
|
||||
|
||||
- A DNS server that is running Microsoft software.
|
||||
- DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136).
|
||||
|
||||
For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
|
||||
The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record. This requirement needs to occur in each DNS domain that contains the KMS service (SRV) resource records.
|
||||
|
||||
### Activating the first Key Management Service host
|
||||
|
||||
KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host doesn't communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
|
||||
|
||||
### Activating subsequent Key Management Service hosts
|
||||
|
||||
Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After a KMS host is activated, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, additional activations can be requested for an organization's KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
|
||||
|
||||
## How Multiple Activation Key works
|
||||
|
||||
A MAK is used for one-time activation with Microsoft's hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization's exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
|
||||
|
||||
Computers can be activated by using a MAK in two ways:
|
||||
|
||||
- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that don't maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
|
||||
|
||||

|
||||
|
||||
**Figure 16**. MAK independent activation
|
||||
|
||||
- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. MAK proxy activation can be configured by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It's also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
|
||||
|
||||

|
||||
|
||||
**Figure 17**. MAK proxy activation with the VAMT
|
||||
|
||||
MAK is recommended for:
|
||||
|
||||
- Computers that rarely or never connect to the corporate network.
|
||||
- Environments in which the number of computers that require activation doesn't meet the KMS activation threshold.
|
||||
|
||||
MAK can be used for individual computers or with an image that can be duplicated or installed using Microsoft deployment solutions. MAK can also be used on a computer that was originally configured to use KMS activation. Switching from KMS to a MAK is useful for moving a computer off the core network to a disconnected environment.
|
||||
|
||||
### Multiple Activation Key (MAK) architecture and activation
|
||||
|
||||
MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet.
|
||||
|
||||
In MAK proxy activation, the VAMT:
|
||||
|
||||
- Installs a MAK product key on a client computer.
|
||||
- Obtains the installation ID from the target computer.
|
||||
- Sends the installation ID to Microsoft on behalf of the client.
|
||||
- Obtains a confirmation ID.
|
||||
|
||||
The tool then activates the client computer by installing the confirmation ID.
|
||||
|
||||
## Activating as a standard user
|
||||
|
||||
Currently supported versions of Windows don't require administrator privileges for activation. However, an administrator account is still required for other activation or license-related tasks, such as "rearm."
|
||||
|
||||
## Related content
|
||||
|
||||
- [Volume Activation for Windows](volume-activation-windows.md).
|
@ -1,19 +1,19 @@
|
||||
---
|
||||
title: Add and Manage Products (Windows 10)
|
||||
description: Add client computers into the Volume Activation Management Tool (VAMT). After you add the computers, you can manage the products that are installed on your network.
|
||||
title: Add and Manage Products
|
||||
description: Add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, the products that are installed in the network can be managed.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
||||
# Add and manage products
|
||||
|
||||
This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, you can manage the products that are installed on your network.
|
||||
This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, the products that are installed in the network can be managed.
|
||||
|
||||
## In this Section
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Appendix Information sent to Microsoft during activation (Windows 10)
|
||||
title: Appendix Information sent to Microsoft during activation
|
||||
description: Learn about the information sent to Microsoft during activation.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
@ -8,73 +8,78 @@ author: frankroj
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-fundamentals
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Appendix: Information sent to Microsoft during activation
|
||||
|
||||
**Applies to:**
|
||||
> [!TIP]
|
||||
>
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
- Windows 10
|
||||
- Windows 8.1
|
||||
- Windows 8
|
||||
- Windows 7
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
- Windows Server 2008 R2
|
||||
When a computer running a currently supported version of Windows is activated, the following information is sent to Microsoft:
|
||||
|
||||
**Looking for retail activation?**
|
||||
- The Microsoft product code (a five-digit code that identifies the Windows product being activated).
|
||||
|
||||
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
- A channel ID or site code that identifies how the Windows product was originally obtained. For example, a channel ID or site code identifies whether the product was:
|
||||
|
||||
When you activate a computer running Windows 10, the following information is sent to Microsoft:
|
||||
- Originally purchased from a retail store.
|
||||
- Obtained as an evaluation copy.
|
||||
- Obtained through a volume licensing program.
|
||||
- Preinstalled by a computer manufacturer.
|
||||
|
||||
- The Microsoft product code (a five-digit code that identifies the Windows product you're activating)
|
||||
- A channel ID or site code that identifies how the Windows product was originally obtained
|
||||
- The date of installation and whether the installation was successful.
|
||||
|
||||
For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer.
|
||||
- Information that helps confirm that the Windows product key isn't altered.
|
||||
|
||||
- The date of installation and whether the installation was successful
|
||||
- Information that helps confirm that your Windows product key hasn't been altered
|
||||
- Computer make and model.
|
||||
|
||||
- Computer make and model
|
||||
- Version information for the operating system and software.
|
||||
|
||||
- Version information for the operating system and software
|
||||
- Region and language settings.
|
||||
|
||||
- Region and language settings
|
||||
- A unique number called a *globally unique identifier* (GUID), which is assigned to the computer.
|
||||
|
||||
- A unique number called a *globally unique identifier*, which is assigned to your computer
|
||||
- Product key (hashed) and product ID.
|
||||
|
||||
- Product key (hashed) and product ID
|
||||
- BIOS name, revision number, and revision date.
|
||||
|
||||
- BIOS name, revision number, and revision date
|
||||
- Volume serial number (hashed) of the hard disk drive.
|
||||
|
||||
- Volume serial number (hashed) of the hard disk drive
|
||||
|
||||
- The result of the activation check
|
||||
- The result of the activation check.
|
||||
|
||||
This result includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled:
|
||||
|
||||
- The activation exploit's identifier
|
||||
- The identifier of the activation exploit.
|
||||
|
||||
- The activation exploit's current state, such as cleaned or quarantined
|
||||
- The current state of the activation exploit, such as cleaned or quarantined.
|
||||
|
||||
- Computer manufacturer's identification
|
||||
- Computer manufacturer's identification.
|
||||
|
||||
- The activation exploit's file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit
|
||||
- The file name and hash of the activation exploit in addition to a hash of related software components that might indicate the presence of an activation exploit.
|
||||
|
||||
- The name and a hash of the contents of your computer's startup instructions file
|
||||
- The name and a hash of the contents of the computer's startup instructions file.
|
||||
|
||||
- If your Windows license is on a subscription basis, information about how your subscription works
|
||||
- If the Windows license is on a subscription basis, information about how the subscription works.
|
||||
|
||||
Standard computer information is also sent, but your computer's IP address is only kept temporarily.
|
||||
Standard computer information is also sent, but the computer's IP address is only kept temporarily.
|
||||
|
||||
## Use of information
|
||||
|
||||
Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft doesn't use the information to contact individual consumers.
|
||||
For more information, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879).
|
||||
Microsoft uses the information to confirm a properly licensed copy of the software. Microsoft doesn't use the information to contact individual consumers.
|
||||
|
||||
## Related articles
|
||||
For more information, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879).
|
||||
|
||||
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
|
||||
## Related content
|
||||
|
||||
- [Volume Activation for Windows](volume-activation-windows.md).
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Install and Configure VAMT (Windows 10)
|
||||
title: Install and Configure VAMT
|
||||
description: Learn how to install and configure the Volume Activation Management Tool (VAMT), and learn where to find information about the process.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
@ -7,7 +7,7 @@ ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
@ -22,8 +22,8 @@ This section describes how to install and configure the Volume Activation Manage
|
||||
|-------|------------|
|
||||
|[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. |
|
||||
|[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. |
|
||||
|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. |
|
||||
|[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers in the network to work with VAMT. |
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Introduction to VAMT](introduction-vamt.md)
|
||||
- [Introduction to VAMT](introduction-vamt.md).
|
||||
|
@ -7,7 +7,7 @@ ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/13/2023
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
appliesto:
|
||||
@ -22,11 +22,11 @@ appliesto:
|
||||
|
||||
This article describes how to install the Volume Activation Management Tool (VAMT). VAMT is installed as part of the Windows Assessment and Deployment Kit (ADK) for Windows.
|
||||
|
||||
>[!IMPORTANT]
|
||||
> [!IMPORTANT]
|
||||
>
|
||||
> VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products' license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you don't have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.
|
||||
> VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products' license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer but administrator privileges aren't available, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.
|
||||
|
||||
>[!NOTE]
|
||||
> [!NOTE]
|
||||
>
|
||||
> The VAMT Microsoft Management Console snap-in ships as an x86 package.
|
||||
|
||||
@ -50,9 +50,9 @@ This article describes how to install the Volume Activation Management Tool (VAM
|
||||
|
||||
1. In the **Specify SQL Server install location** screen under **INSTALL LOCATION \*:**, specify an install location or use the default path, and then select the **Install** button.
|
||||
|
||||
1. Once the installation is complete, in the **Installation Has completed successfully!** page, under **INSTANCE NAME**, note the instance name for the installation. The instance name will be used later in the [Configure VAMT to connect to SQL Server Express or full SQL Server](#configure-vamt-to-connect-to-sql-server-express-or-full-sql-server) section.
|
||||
1. Once the installation is complete, in the **Installation Has completed successfully!** page, under **INSTANCE NAME**, note the instance name for the installation. The instance name is used later in the [Configure VAMT to connect to SQL Server Express or full SQL Server](#configure-vamt-to-connect-to-sql-server-express-or-full-sql-server) section.
|
||||
|
||||
1. Once the instance name has been noted, select the **Close** button, and then select the **Yes** button to confirm exiting the installer.
|
||||
1. Once the instance name is noted, select the **Close** button, and then select the **Yes** button to confirm exiting the installer.
|
||||
|
||||
## Install VAMT using the ADK
|
||||
|
||||
@ -84,7 +84,7 @@ This article describes how to install the Volume Activation Management Tool (VAM
|
||||
|
||||
1. Next to **Database:**, add a name for the database.
|
||||
|
||||
1. Once the database server and database names have been entered, select the **Connect** button.
|
||||
1. Once the database server and database names are entered, select the **Connect** button.
|
||||
|
||||
1. Select the **Yes** button to create the database.
|
||||
|
||||
|
@ -1,12 +1,12 @@
|
||||
---
|
||||
title: Manage Activations (Windows 10)
|
||||
title: Manage Activations
|
||||
description: Learn how to manage activations and how to activate a client computer by using various activation methods.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
@ -1,19 +1,19 @@
|
||||
---
|
||||
title: Manage Product Keys (Windows 10)
|
||||
title: Manage Product Keys
|
||||
description: In this article, learn how to add and remove a product key from the Volume Activation Management Tool (VAMT).
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
||||
# Manage Product Keys
|
||||
|
||||
This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product, or products you select in the VAMT database.
|
||||
This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After a product key is added to VAMT, that product key can be installed on a product, or products selected in the VAMT database.
|
||||
|
||||
## In this Section
|
||||
|
||||
|
@ -1,12 +1,12 @@
|
||||
---
|
||||
title: Manage VAMT Data (Windows 10)
|
||||
title: Manage VAMT Data
|
||||
description: Learn how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Monitor activation (Windows 10)
|
||||
title: Monitor activation
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
@ -9,34 +9,31 @@ author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Monitor activation
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 8.1
|
||||
- Windows 8
|
||||
- Windows 7
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
- Windows Server 2008 R2
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/)
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include:
|
||||
The success of the activation process for a computer running Windows can be monitored in several ways. The most popular methods include:
|
||||
|
||||
- Using the Volume Licensing Service Center website to track use of MAK keys.
|
||||
|
||||
- Using the `Slmgr /dlv` command on a client computer or on the KMS host. For a full list of options, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options).
|
||||
|
||||
- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it's available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
|
||||
- Using Windows Management Instrumentation (WMI) to view licensing status. WMI makes licensing status available to non-Microsoft or custom tools that can access WMI. Windows PowerShell can also be used to access WMI information.
|
||||
|
||||
- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290).
|
||||
|
||||
@ -44,8 +41,8 @@ You can monitor the success of the activation process for a computer running Win
|
||||
|
||||
- See [Troubleshooting activation error codes](/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS).
|
||||
|
||||
- The VAMT provides a single site from which to manage and monitor volume activations. This feature is explained in the next section.
|
||||
- The Volume Activation Management Tool (VAMT) provides a single site from which to manage and monitor volume activations. This feature is explained in the next section.
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
[Volume Activation for Windows 10](volume-activation-windows-10.md)
|
||||
- [Volume Activation for Windows](volume-activation-windows.md).
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Plan for volume activation (Windows 10)
|
||||
description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer.
|
||||
title: Plan for volume activation
|
||||
description: Product activation is the process of validating software with the manufacturer after it's installed on a specific computer.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
@ -9,33 +9,30 @@ author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Plan for volume activation
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
- Windows 8.1
|
||||
- Windows 8
|
||||
- Windows 7
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
- Windows Server 2008 R2
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/)
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and hasn't been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation.
|
||||
*Product activation* is the process of validating software with the manufacturer after it's installed on a specific computer. Activation confirms that the product is genuine and not a fraudulent copy. Activation also confirms that the product key or serial number is valid and isn't compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation.
|
||||
|
||||
During the activation process, information about the specific installation is examined. For online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they can't be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft doesn't use this information to identify or contact the user or the organization.
|
||||
During the activation process, information about the specific installation is examined. For online activations, this information is sent to a server at Microsoft. This information might include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they can't be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft doesn't use this information to identify or contact the user or the organization.
|
||||
|
||||
>[!NOTE]
|
||||
>
|
||||
>The IP address is used only to verify the location of the request, because some editions of Windows (such as "Starter" editions) can only be activated within certain geographical target markets.
|
||||
|
||||
## Distribution channels and activation
|
||||
@ -44,8 +41,9 @@ In general, Microsoft software is obtained through three main channels: retail,
|
||||
|
||||
### Retail activations
|
||||
|
||||
The retail activation method hasn't changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available.
|
||||
Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys.
|
||||
For retail activation, each purchased copy comes with one unique product key, often referred to as a retail key. The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available.
|
||||
|
||||
Other distribution scenarios also exist. Product key cards are available to activate products that are preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys might come with media that contains software, they can come as a software shipment, or they might be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys.
|
||||
|
||||
### Original equipment manufacturer
|
||||
|
||||
@ -57,75 +55,75 @@ OEM activation is valid as long as the customer uses the OEM-provided image on t
|
||||
|
||||
Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft. There's a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer:
|
||||
|
||||
- Have the license preinstalled through the OEM
|
||||
- Have the license preinstalled through the OEM.
|
||||
- Purchase a fully packaged retail product.
|
||||
|
||||
- Purchase a fully packaged retail product
|
||||
The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. Before the upgrade rights obtained through volume licensing can be exercised, an existing retail or OEM operating system license is needed for each computer running currently supported versions of Windows.
|
||||
|
||||
The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised.
|
||||
|
||||
Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and Visual Studio Online. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing.
|
||||
Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and Visual Studio Codespace. These volume licenses might contain specific restrictions or other changes to the general terms applicable to volume licensing.
|
||||
|
||||
> [!NOTE]
|
||||
> Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.
|
||||
>
|
||||
> Some editions of the operating system, such as Windows Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.
|
||||
|
||||
## Activation models
|
||||
|
||||
For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps.
|
||||
For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department don't need to take any activation steps.
|
||||
|
||||
With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose:
|
||||
With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps track and manage keys. For each retail activation, the following options can be chosen:
|
||||
|
||||
- Online activation
|
||||
- Online activation.
|
||||
- Telephone activation.
|
||||
- VAMT proxy activation.
|
||||
|
||||
- Telephone activation
|
||||
Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation with retail keys is sometimes used when an IT department wants to centralize retail activations. VAMT can also be used when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, the best method or combination of methods must be determined to use in the environment. For currently supported versions of Windows Pro and Enterprise, one of the following three models can be chosen:
|
||||
|
||||
- VAMT proxy activation
|
||||
|
||||
Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models:
|
||||
|
||||
- MAKs
|
||||
|
||||
- KMS
|
||||
|
||||
- Active Directory-based activation
|
||||
- Multiple Activation Keys (MAK).
|
||||
- KMS.
|
||||
- Active Directory-based activation.
|
||||
|
||||
> [!NOTE]
|
||||
> Token-based activation for Windows Enterprise (including LTSC) and Windows Server is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
|
||||
>
|
||||
> Token-based activation for Windows Enterprise (including LTSC) and Windows Server is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact the Microsoft Account Team or service representative.
|
||||
|
||||
### Multiple activation key
|
||||
|
||||
A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they don't meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also
|
||||
allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that doesn't have enough computers to use the KMS.
|
||||
A Multiple Activation Key (MAK) is commonly used in small or mid-sized organizations that have a volume licensing agreement, but don't meet the requirements to operate a KMS. MAK can also be used if a simpler approach is preferred. A MAK also allows permanent activation of:
|
||||
|
||||
- Computers that are isolated from the KMS.
|
||||
- Computers that are part of an isolated network that doesn't have enough computers to use the KMS.
|
||||
|
||||
To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation.
|
||||
In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can help with tracking the number of activations that have been performed with each key and how many remain.
|
||||
|
||||
Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft.
|
||||
In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can help with tracking the number of performed activations with each key and how many activations remain.
|
||||
|
||||
Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases. However, the number of activations that are available can be increased with the MAK by calling Microsoft.
|
||||
|
||||
### Key Management Service
|
||||
|
||||
With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that doesn't require a dedicated system and can easily be cohosted on a system that provides other services.
|
||||
|
||||
Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user.
|
||||
Volume editions of currently supported versions of Windows and Windows Server automatically connect to a system that hosts the KMS to request activation. No action is required from the user.
|
||||
|
||||
The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*.
|
||||
The KMS requires a minimum number of computers, either physical computers or virtual machines, in a network environment. The organization must have at least five computers to activate currently supported versions of Windows Server and at least 25 computers to activate client computers running currently supported versions of Windows client. These minimums are referred to as *activation thresholds*.
|
||||
|
||||
Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. It will be rare that more than two KMS hosts are used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide.
|
||||
Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations often deploy two KMS hosts to ensure availability. The KMS can be hosted on a client computer or on a server. Setting up KMS is discussed later in this guide.
|
||||
|
||||
### Active Directory-based activation
|
||||
|
||||
Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer doesn't need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device.
|
||||
Active Directory-based activation is similar to activation by using the KMS, but the activated computer doesn't need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running currently supported versions of Windows or Windows Server queries ADDS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device.
|
||||
|
||||
Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it's impractical to connect to a KMS, or wouldn't reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company's domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence.
|
||||
Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it's impractical to connect to a KMS, or wouldn't reach the KMS activation threshold. Rather than use MAK, Active Directory-based activation provides a way to activate computers running currently supported versions of Windows and Windows Server as long as the computers can contact the company's domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere where there's already a domain presence.
|
||||
|
||||
## Network and connectivity
|
||||
|
||||
A modern business network has many nuances and interconnections. This section examines evaluating your network and the connections that are available to determine how volume activations will occur.
|
||||
A modern business network has many nuances and interconnections. This section examines evaluating the organization's network and the connections that are available to determine how volume activations occur.
|
||||
|
||||
### Core network
|
||||
|
||||
Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that isn't a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the majority of the business network.
|
||||
The organization's core network is that part of the network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet. However, Internet connectivity isn't a requirement to use the KMS or Active Directory-based activation after the KMS server or ADDS is configured and active. The organization's core network likely consists of many network segments. In many organizations, the core network makes up most of the business network.
|
||||
|
||||
In the core network, a centralized KMS solution is recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that aren't joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8.
|
||||
In the core network, a centralized KMS solution is recommended. Active Directory-based activation can also be used, but in many organizations, KMS might still be required to computers that aren't joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in the organization are running currently supported versions of Windows.
|
||||
|
||||
A typical core network that includes a KMS host is shown in Figure 1.
|
||||
|
||||
@ -135,19 +133,29 @@ A typical core network that includes a KMS host is shown in Figure 1.
|
||||
|
||||
### Isolated networks
|
||||
|
||||
In a large network, it's all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues.
|
||||
In a large network, some segments might be isolated, either for security reasons or because of geography or connectivity issues.
|
||||
|
||||
#### Isolated for security
|
||||
|
||||
Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization.
|
||||
A network segment isolated from the core network by a firewall or disconnected from other networks is sometimes called a *high-security zone*. The best solution for activating computers in an isolated network depends on the security policies in place in the organization.
|
||||
|
||||
If the isolated network can access the core network by using outbound requests on TCP port 1688, and it's allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds.
|
||||
If the isolated network can:
|
||||
|
||||
If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2.
|
||||
- Access the core network by using outbound requests on TCP port 1688
|
||||
- Allowed to receive remote procedure calls (RPCs)
|
||||
|
||||
If the isolated network can't communicate with the core network's KMS server, and it can't use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs.
|
||||
activation can be performed by using the KMS in the core network, avoiding the need to reach additional activation thresholds.
|
||||
|
||||
If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they're placed in the isolated network.
|
||||
If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as:
|
||||
|
||||
- Using Lightweight Directory Access Protocol (LDAP) for queries
|
||||
- Using Domain Name Service (DNS) for name resolution
|
||||
|
||||
then this scenario is a good opportunity to use Active Directory-based activation for currently supported versions of Windows and Windows Server.
|
||||
|
||||
If the isolated network can't communicate with the core network's KMS server, and it can't use Active Directory-based activation, a KMS host can be set up in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it won't reach the KMS activation threshold. In that case, MAKs can be used for activation.
|
||||
|
||||
If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option, but VAMT proxy activation might also be possible. MAKs can also be used to activate new computers during setup, before they're placed in the isolated network.
|
||||
|
||||

|
||||
|
||||
@ -155,104 +163,115 @@ If the network is fully isolated, MAK-independent activation would be the recomm
|
||||
|
||||
#### Branch offices and distant networks
|
||||
|
||||
From mining operations to ships at sea, organizations often have a few computers that aren't easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options:
|
||||
From mining operations to ships at sea, organizations often have a few computers that aren't easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. There are several options in these situations:
|
||||
|
||||
- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain.
|
||||
- **Active Directory-based activation**. In any site where the client computers are running currently supported versions of Windows, Active Directory-based activation is supported, and it can be activated by joining the domain.
|
||||
|
||||
- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server.
|
||||
|
||||
- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server.
|
||||
- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS, perhaps through a virtual private network (VPN) to the core network, that KMS can be used. Using the existing KMS means that the activation threshold only needs to be met on that server.
|
||||
|
||||
- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option.
|
||||
|
||||
### Disconnected computers
|
||||
|
||||
Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this branch office an "isolated network," where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network.
|
||||
Some users might be in remote locations or might travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. This branch office can be considered an "isolated network," where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on how often the computers connect to the core network.
|
||||
|
||||
If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it doesn't support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet).
|
||||
Active Directory-based activation can be used on computers when they meet the following conditions:
|
||||
|
||||
- The computer is joined to the domain.
|
||||
- The computer is running a currently supported version of Windows or Windows Server.
|
||||
- The computer connects to the domain at least once every 180 days, either directly or through a VPN.
|
||||
|
||||
Otherwise for computers that rarely or never connect to the network, MAK independent activation should be used either via the telephone or the Internet.
|
||||
|
||||
### Test and development labs
|
||||
|
||||
Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they can't activate immediately.
|
||||
Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Currently supported editions of Windows that include volume licensing operate normally, even if they can't activate immediately.
|
||||
|
||||
If you've ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they'll be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network, and use the methods described earlier in this guide.
|
||||
In labs that have a high turnover of computers and a few KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days.
|
||||
If the test or development copies of the operating system are within the license agreement, the lab computers might not need to be activated if they're rebuilt frequently. If the lab computers need to be activated, treat the lab as an isolated network, and use the methods described earlier in this guide.
|
||||
In labs that have a high turnover of computers and a few KMS clients, the KMS activation count must be monitored. The time that the KMS caches the activation requests might need to be adjusted. The default is 30 days.
|
||||
|
||||
## Mapping your network to activation methods
|
||||
## Mapping the network to activation methods
|
||||
|
||||
Now it's time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you've collected the information you need to determine which activation methods will work best for you. You can fill in information in Table 1 to help you make this determination.
|
||||
By evaluating network connectivity and the numbers of computers at each site, the information needed to determine which activation methods work best can be determined. This information can be filled in Table 1 to help make this determination.
|
||||
|
||||
**Table 1**. Criteria for activation methods
|
||||
|
||||
|Criterion |Activation method |
|
||||
|----------|------------------|
|
||||
|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation |
|
||||
|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days<div class="alert">**Note**<br>The core network must meet the KMS activation threshold.</div> |KMS (central) |
|
||||
|Number of computers that don't connect to the network at least once every 180 days (or if no network meets the activation threshold) | MAK |
|
||||
|Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) |
|
||||
|Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) |
|
||||
|Number of computers in isolated networks where the KMS activation threshold isn't met |MAK |
|
||||
|Number of computers in test and development labs that won't be activated |None|
|
||||
|Number of computers that don't have a retail volume license |Retail (online or phone) |
|
||||
|Number of computers that don't have an OEM volume license |OEM (at factory) |
|
||||
|Total number of computer activations<div class="alert">**Note**<br>This total should match the total number of licensed computers in your organization.</div> |
|
||||
| Criterion | Activation method |
|
||||
|---|---|
|
||||
| Number of domain-joined computers that will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. | Active Directory-based activation |
|
||||
| Number of computers in the core network that will connect at least every 180 days, either directly or through VPN. The core network must meet the KMS activation threshold. | KMS (central) |
|
||||
| Number of computers that don't connect to the network at least once every 180 days, or if no network meets the activation threshold. | MAK |
|
||||
| Number of computers in semi-isolated networks that have connectivity to the KMS in the core network. | KMS (central) |
|
||||
| Number of computers in isolated networks where the KMS activation threshold is met. | KMS (local) |
|
||||
| Number of computers in isolated networks where the KMS activation threshold isn't met. | MAK |
|
||||
| Number of computers in test and development labs that won't be activated. | None |
|
||||
| Number of computers that don't have a retail volume license. | Retail (online or phone) |
|
||||
| Number of computers that don't have an OEM volume license. | OEM (at factory) |
|
||||
| Total number of computer activations. This total should match the total number of licensed computers in the organization. | |
|
||||
|
||||
## Choosing and acquiring keys
|
||||
|
||||
When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways:
|
||||
When it's know which keys are needed, the keys must be obtained. Generally speaking, volume licensing keys are collected in two ways:
|
||||
|
||||
- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License.
|
||||
|
||||
- Contact your [Microsoft activation center](https://go.microsoft.com/fwlink/p/?LinkId=618264).
|
||||
- Contact the [Microsoft activation center](https://go.microsoft.com/fwlink/p/?LinkId=618264).
|
||||
|
||||
### KMS host keys
|
||||
|
||||
A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is referred to as the *KMS host key*, but it's formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools.
|
||||
A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is referred to as the *KMS host key*, but it's formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Some documentation and Internet references use the term KMS key, but CSVLK is the proper name for current documentation and management tools.
|
||||
|
||||
A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You'll need a KMS host key for any KMS that you want to set up and if you're going to use Active Directory-based activation.
|
||||
A KMS host running a currently supported version of Windows Server can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in ADDS, as described later in this guide. A KMS host key is needed for any KMS that is set up. Additionally, it needs to be determined if Active Directory-based activation will be used.
|
||||
|
||||
### Generic volume licensing keys
|
||||
|
||||
When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you're creating. GVLKs are also referred to as KMS client setup keys.
|
||||
If computers are activated with KMS or Active Directory-based activation when using custom installation media or an image to install Windows, install a generic volume license key (GVLK) when creating the custom installation media or image. The GVLK should match the edition of Windows being installed.
|
||||
|
||||
Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. The GLVK won't activate the software against Microsoft activation servers, but rather against a KMS or Active Directory-based activation object. In other words, the GVLK doesn't work unless a valid KMS host key can be found. GVLKs are the only product keys that don't need to be kept confidential.
|
||||
Installation media from Microsoft for Enterprise editions of the Windows operating system might already contain the GVLK. One GVLK is available for each type of installation. The GVLK doesn't activate the software against Microsoft activation servers, but rather against a KMS or Active Directory-based activation object. In other words, the GVLK doesn't work unless a valid KMS host key can be found. GVLKs are the only product keys that don't need to be kept confidential.
|
||||
|
||||
Typically, you won't need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it's being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS client setup keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)).
|
||||
Typically, a GVLK doesn't need to be manually entered unless a computer is:
|
||||
|
||||
- Activated with a MAK or a retail key.
|
||||
- Being converted to a KMS activation or to Active Directory-based activation.
|
||||
|
||||
If the GVLK for a particular client edition needs to be located, see [Key Management Services (KMS) client activation and product keys](/windows-server/get-started/kms-client-activation-keys).
|
||||
|
||||
### Multiple activation keys
|
||||
|
||||
You'll also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT.
|
||||
MAK keys with the appropriate number of activations available are also needed. The number of times a MAK has been used can be seen on the Volume Licensing Service Center website or in the VAMT.
|
||||
|
||||
## Selecting a KMS host
|
||||
|
||||
The KMS doesn't require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers.
|
||||
The KMS doesn't require a dedicated server. It can be cohosted with other services, such as ADDS domain controllers and read-only domain controllers.
|
||||
|
||||
KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.
|
||||
KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running currently supported versions of Windows Server can activate any Windows client or server operating system that supports volume activation. A KMS host that is running a currently supported version of Windows client can only activate computers running a currently supported version of Windows client.
|
||||
|
||||
A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS will become less important. Most organizations can use as few as two KMS hosts for their entire infrastructure.
|
||||
A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS might not be needed. Most organizations can use as few as two KMS hosts for their entire infrastructure.
|
||||
|
||||
The flow of KMS activation is shown in Figure 3, and it follows this sequence:
|
||||
|
||||
1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key.
|
||||
|
||||
2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests.
|
||||
1. Microsoft validates the KMS host key, and the KMS host starts to listen for requests.
|
||||
|
||||
3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment doesn't support DNS dynamic update protocol.)
|
||||
1. The KMS host updates resource records in DNS to allow clients to locate the KMS host. Manually adding DNS records is required if the environment doesn't support DNS dynamic update protocol.
|
||||
|
||||
4. A client configured with a GVLK uses DNS to locate the KMS host.
|
||||
1. A client configured with a GVLK uses DNS to locate the KMS host.
|
||||
|
||||
5. The client sends one packet to the KMS host.
|
||||
1. The client sends one packet to the KMS host.
|
||||
|
||||
6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs aren't stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again.
|
||||
1. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs aren't stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again.
|
||||
|
||||
7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host.
|
||||
1. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that requested activation from this KMS host.
|
||||
|
||||
8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold hasn't yet been met, the client will try again.
|
||||
1. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold isn't met, the client tries again.
|
||||
|
||||

|
||||
|
||||
**Figure 3**. KMS activation flow
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
|
||||
- [Volume Activation for Windows](volume-activation-windows.md).
|
||||
|
@ -1,39 +1,40 @@
|
||||
---
|
||||
title: Update Product Status (Windows 10)
|
||||
title: Update Product Status
|
||||
description: Learn how to use the Update license status function to add the products that are installed on the computers.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
||||
# Update product status
|
||||
|
||||
After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database.
|
||||
After computers are added to the Volume Activation Management Tool (VAMT) database, the **Update license status** function needs to be used to add the products that are installed on the computers. The **Update license status** can also be used at any time to retrieve the most current license status for any products in the VAMT database.
|
||||
To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
|
||||
|
||||
> [!NOTE]
|
||||
The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated.
|
||||
> The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated.
|
||||
|
||||
## Update the license status of a product
|
||||
|
||||
1. Open VAMT.
|
||||
|
||||
2. In the **Products** list, select one or more products that need to have their status updated.
|
||||
1. In the **Products** list, select one or more products that need to have their status updated.
|
||||
|
||||
3. In the right-side **Actions** pane, select **Update license status** and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials different from the ones you used to log into the computer.
|
||||
1. In the right-side **Actions** pane, select **Update license status** and then select a credential option. Choose **Alternate Credentials** only if updating products that require administrator credentials different from the ones used to log into the computer.
|
||||
|
||||
4. If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and select **OK**.
|
||||
1. If supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and select **OK**.
|
||||
|
||||
VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
|
||||
VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product appears in the product list view in the center pane.
|
||||
|
||||
> [!NOTE]
|
||||
If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view.
|
||||
>
|
||||
> If a previously discovered Microsoft Office product is uninstalled from the remote computer, updating its licensing status causes the entry to be deleted from the **Office** product list view that results in the total number of discovered products being smaller. However, the Windows installation of the same computer isn't deleted and is always be shown in the **Windows** products list view.
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Add and Manage Products](add-manage-products-vamt.md)
|
||||
- [Add and Manage Products](add-manage-products-vamt.md).
|
||||
|
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Use the Volume Activation Management Tool (Windows 10)
|
||||
title: Use the Volume Activation Management Tool
|
||||
description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to track and monitor several types of product keys.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
@ -7,49 +7,47 @@ ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Use the Volume Activation Management Tool
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 8.1
|
||||
- Windows 8
|
||||
- Windows 7
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
- Windows Server 2008 R2
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/)
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys.
|
||||
|
||||
By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It's a standard Microsoft Management Console snap-in, and it can be installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
|
||||
Volume, retail, and Multiple Activation Keys (MAK) activation process for Windows, Office, and select other Microsoft products can be automated and centrally managed using VAMT. The VAMT can manage volume activation by using MAK or Key Management Service (KMS). It's a standard Microsoft Management Console snap-in.
|
||||
|
||||
The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740).
|
||||
For currently supported versions of Windows Server, VAMT can be installed directly from Server Manager by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
|
||||
|
||||
In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
|
||||
For currently supported versions of Windows client, VAMT can be installed as part of the Windows Assessment and Deployment Kit (Windows ADK). The Windows ADK is a free download. For more information, including links to download the Windows ADK, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
|
||||
|
||||
## Activating with the Volume Activation Management Tool
|
||||
|
||||
You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios:
|
||||
VAMT can be used to complete the activation process in products by using MAK and retail keys. Computers can be activated either individually or in groups. The VAMT enables two activation scenarios:
|
||||
|
||||
- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
|
||||
- **Online activation**. Online activation enables activation over the Internet any products that are installed with MAK, KMS host, or retail product keys. One or more connected computers can be activated within a network. This process requires each product communicate activation information directly to Microsoft.
|
||||
|
||||
- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that don't have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation.
|
||||
By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations.
|
||||
- **Proxy activation**. This activation method enables volume activation for products that are installed on client computers that don't have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation.
|
||||
|
||||
When this method is used, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where the organization has a mix of retail, MAK, and KMS-based activations.
|
||||
|
||||
## Tracking products and computers with the Volume Activation Management Tool
|
||||
|
||||
The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
|
||||
The VAMT provides an overview of the activation and licensing status of computers across an organization's network, as shown in Figure 18. Several prebuilt reports are also available to help proactively manage licensing.
|
||||
|
||||

|
||||
|
||||
@ -57,7 +55,7 @@ The VAMT provides an overview of the activation and licensing status of computer
|
||||
|
||||
## Tracking key usage with the Volume Activation Management Tool
|
||||
|
||||
The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it's and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
|
||||
The VAMT makes it easier to track the various keys that are issued to an organization. Each key can be entered into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it's and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
|
||||
|
||||

|
||||
|
||||
@ -67,17 +65,17 @@ The VAMT makes it easier to track the various keys that are issued to your organ
|
||||
|
||||
The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as:
|
||||
|
||||
- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
|
||||
- **Adding and removing computers**. VAMT can be used to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
|
||||
|
||||
- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers.
|
||||
- **Discovering products**. VAMT can be used to discover Windows, Windows Server, Office, and select other products that are installed on the client computers.
|
||||
|
||||
- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive.
|
||||
|
||||
For more information, see:
|
||||
|
||||
- [Volume Activation Management Tool (VAMT) Overview](./volume-activation-management-tool.md)
|
||||
- [VAMT Step-by-Step Scenarios](./vamt-step-by-step.md)
|
||||
- [Volume Activation Management Tool (VAMT) Overview](./volume-activation-management-tool.md).
|
||||
- [VAMT Step-by-Step Scenarios](./vamt-step-by-step.md).
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
|
||||
- [Volume Activation for Windows](volume-activation-windows.md).
|
||||
|
@ -1,12 +1,12 @@
|
||||
---
|
||||
title: VAMT Requirements (Windows 10)
|
||||
description: In this article, learn about the product key and system requierements for Volume Activation Management Tool (VAMT).
|
||||
title: VAMT Requirements
|
||||
description: In this article, learn about the product key and system requirements for Volume Activation Management Tool (VAMT).
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
@ -36,9 +36,9 @@ The following table lists the system requirements for the VAMT host computer.
|
||||
| External Drive | Removable media (Optional) |
|
||||
| Display | 1024x768 or higher resolution monitor |
|
||||
| Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS |
|
||||
| Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. |
|
||||
| Additional Requirements | <ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](/powershell/scripting/install/installing-powershell).</li><li>If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.</li></ul> |
|
||||
| Operating System | Currently supported versions of [Windows client](/windows/release-health/supported-versions-windows-client) and [Windows Server](/windows/release-health/windows-server-release-info). |
|
||||
| Additional Requirements | <ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell, which is included with all currently supported versions of Windows.</li></ul> |
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Install and configure VAMT](install-configure-vamt.md)
|
||||
- [Install and configure VAMT](install-configure-vamt.md).
|
||||
|
@ -1,28 +1,28 @@
|
||||
---
|
||||
title: VAMT Step-by-Step Scenarios (Windows 10)
|
||||
title: VAMT Step-by-Step Scenarios
|
||||
description: Learn step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
||||
# VAMT step-by-step scenarios
|
||||
|
||||
This section provides instructions on how to implement the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; it describes here some of the most common to get you started.
|
||||
This section provides instructions on how to implement the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios. To get started, some of the most common scenarios are described here.
|
||||
|
||||
## In this section
|
||||
|
||||
|Article |Description |
|
||||
|-------|------------|
|
||||
|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. |
|
||||
|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network. Additionally, it also describes how to instruct these products to contact Microsoft over the Internet for activation. |
|
||||
|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers—the first one with Internet access and a second computer within an isolated workgroup—as proxies to perform MAK volume activation for workgroup computers that don't have Internet access. |
|
||||
|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. |
|
||||
|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of currently supported versions of Windows and Microsoft Office use KMS for activation. |
|
||||
|
||||
## Related articles
|
||||
## Related content
|
||||
|
||||
- [Introduction to VAMT](introduction-vamt.md)
|
||||
- [Introduction to VAMT](introduction-vamt.md).
|
||||
|
@ -7,15 +7,16 @@ ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-fundamentals
|
||||
author: frankroj
|
||||
ms.date: 11/07/2022
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: overview
|
||||
---
|
||||
|
||||
# Volume Activation Management Tool (VAMT) technical reference
|
||||
|
||||
The Volume Activation Management Tool (VAMT) lets you automate and centrally manage the Windows, Office, and select other Microsoft products volume and retail-activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in. VAMT can be installed on any computer that has a supported Windows OS version.
|
||||
The Volume Activation Management Tool (VAMT) allows automation and central management of the retail-activation process for Windows, Office, and select other Microsoft products. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in. VAMT can be installed on any computer that has a supported Windows OS version.
|
||||
|
||||
> [!IMPORTANT]
|
||||
>
|
||||
> VAMT is designed to manage volume activation for all currently supported versions of Windows, Windows Server, and Office.
|
||||
|
||||
VAMT is only available in an EN-US (x86) package.
|
||||
@ -26,7 +27,7 @@ VAMT is only available in an EN-US (x86) package.
|
||||
|------|------------|
|
||||
|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. |
|
||||
|[Active Directory-based activation overview](active-directory-based-activation-overview.md) |Describes Active Directory-based activation scenarios. |
|
||||
|[Install and configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. |
|
||||
|[Install and configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers in the network. |
|
||||
|[Add and manage products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
|
||||
|[Manage product keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
|
||||
|[Manage activations](manage-activations-vamt.md) |Describes how to activate a client computer by using various activation methods. |
|
||||
|
@ -1,78 +0,0 @@
|
||||
---
|
||||
title: Volume Activation for Windows 10
|
||||
description: Learn how to use volume activation to deploy & activate Windows 10. Includes details for orgs that have used volume activation for earlier versions of Windows.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 11/07/2022
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
---
|
||||
|
||||
# Volume Activation for Windows 10
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 8.1
|
||||
- Windows 8
|
||||
- Windows 7
|
||||
- Windows Server 2012 R2
|
||||
- Windows Server 2012
|
||||
- Windows Server 2008 R2
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for volume licensing information?
|
||||
>
|
||||
> - [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://www.microsoft.com/download/details.aspx?id=11091)
|
||||
|
||||
> [!TIP]
|
||||
> Are you looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/)
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
|
||||
|
||||
This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.
|
||||
|
||||
*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [Visual Studio Online](https://visualstudio.microsoft.com/msdn-platforms/).
|
||||
|
||||
Volume activation is a configurable solution that helps automate and manage the product activation process on computers running Windows operating systems that have been licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation.
|
||||
|
||||
This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features and the tools to manage volume activation.
|
||||
|
||||
Because most organizations won't immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8.1, Windows 7, Windows Server 2012, and Windows Server 2008 R2 operating systems. This guide discusses how the new volume activation tools can support earlier operating systems, but it doesn't discuss the tools that are provided with earlier operating system versions.
|
||||
|
||||
Volume activation -and the need for activation itself- isn't new, and this guide doesn't review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)).
|
||||
|
||||
If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, see the [Volume Activation Planning Guide](/previous-versions/tn-archive/dd878528(v=technet.10)).
|
||||
|
||||
To successfully plan and implement a volume activation strategy, you must:
|
||||
|
||||
- Learn about and understand product activation.
|
||||
|
||||
- Review and evaluate the available activation types or models.
|
||||
|
||||
- Consider the connectivity of the clients to be activated.
|
||||
|
||||
- Choose the method or methods to be used with each type of client.
|
||||
|
||||
- Determine the types and number of product keys you'll need.
|
||||
|
||||
- Determine the monitoring and reporting needs in your organization.
|
||||
|
||||
- Install and configure the tools required to support the methods selected.
|
||||
|
||||
Keep in mind that the method of activation doesn't change an organization's responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place.
|
||||
|
||||
## Related articles
|
||||
|
||||
- [Plan for volume activation](plan-for-volume-activation-client.md)
|
||||
- [Activate using Key Management Service](activate-using-key-management-service-vamt.md)
|
||||
- [Activate using Active Directory-based activation](activate-using-active-directory-based-activation-client.md)
|
||||
- [Activate clients running Windows 10](activate-windows-10-clients-vamt.md)
|
||||
- [Monitor activation](monitor-activation-client.md)
|
||||
- [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md)
|
||||
- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md)
|
@ -0,0 +1,62 @@
|
||||
---
|
||||
title: Volume Activation for Windows
|
||||
description: Learn how to use volume activation to deploy & activate Windows.
|
||||
ms.reviewer: nganguly
|
||||
manager: aaroncz
|
||||
ms.author: frankroj
|
||||
ms.service: windows-client
|
||||
author: frankroj
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 03/29/2024
|
||||
ms.topic: article
|
||||
ms.subservice: itpro-fundamentals
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Volume Activation for Windows
|
||||
|
||||
> [!TIP]
|
||||
>
|
||||
> Looking for volume licensing information?
|
||||
>
|
||||
> - [Download the Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
|
||||
>
|
||||
> Looking for information on retail activation?
|
||||
>
|
||||
> - [Activate Windows](https://support.microsoft.com/help/12440/).
|
||||
> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
|
||||
|
||||
This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows.
|
||||
|
||||
*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [Visual Studio Codespace](https://visualstudio.microsoft.com/msdn-platforms/).
|
||||
|
||||
Volume activation is a solution that automates and manages product activation on computers running Windows that are licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation.
|
||||
|
||||
This guide provides information and step-by-step guidance to help choose a volume activation method that suits an environment, and then to configure that solution successfully. This guide describes the volume activation features and the tools to manage volume activation.
|
||||
|
||||
The following items are needed to successfully plan and implement a volume activation strategy:
|
||||
|
||||
- Learn about and understand product activation.
|
||||
- Review and evaluate the available activation types or models.
|
||||
- Consider the connectivity of the clients to be activated.
|
||||
- Choose the method or methods to be used with each type of client.
|
||||
- Determine the types and number of product keys needed.
|
||||
- Determine the monitoring and reporting needs in the organization.
|
||||
- Install and configure the tools required to support the methods selected.
|
||||
|
||||
Keep in mind that the method of activation doesn't change an organization's responsibility to the licensing requirements. Ensure that all software used in an organization is properly licensed and activated in accordance with the terms of the licensing agreements in place.
|
||||
|
||||
## Related content
|
||||
|
||||
- [Plan for volume activation](plan-for-volume-activation-client.md).
|
||||
- [Activate using Key Management Service](activate-using-key-management-service-vamt.md).
|
||||
- [Activate using Active Directory-based activation](activate-using-active-directory-based-activation-client.md).
|
||||
- [Activate clients running Windows](activate-windows-clients-vamt.md).
|
||||
- [Monitor activation](monitor-activation-client.md).
|
||||
- [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md).
|
||||
- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md).
|
@ -61,6 +61,5 @@ If you currently use WDS with **boot.wim** from installation media for end-to-en
|
||||
|
||||
## Also see
|
||||
|
||||
[Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing)<br>
|
||||
[Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
|
||||
[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)<br>
|
||||
- [Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing)
|
||||
- [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
|
||||
|
@ -22,10 +22,7 @@ This guide contains instructions to configure a proof of concept (PoC) environme
|
||||
> [!NOTE]
|
||||
> Microsoft also offers a pre-configured lab using an evaluation version of Configuration Manager. For more information, see [Windows and Office deployment and management lab kit](/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab).
|
||||
|
||||
This lab guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides:
|
||||
|
||||
- [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
|
||||
- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
|
||||
This lab guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md).
|
||||
|
||||
The proof of concept (PoC) deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that aren't familiar with these tools, and you want to set up a PoC environment. Don't use the instructions in this guide in a production setting. They aren't meant to replace the instructions found in production deployment guidance.
|
||||
|
||||
@ -1044,4 +1041,5 @@ Use the following procedures to verify that the PoC environment is configured pr
|
||||
|
||||
## Next steps
|
||||
|
||||
- [Windows 10 deployment scenarios](windows-deployment-scenarios.md).
|
||||
- [Windows 10 deployment scenarios](windows-deployment-scenarios.md)
|
||||
- [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
|
||||
|
@ -80,10 +80,6 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
|
||||
- Device configuration
|
||||
- Office Click-to-run
|
||||
- Last Intune device check in completed within the last 28 days.
|
||||
- Devices must have Serial Number, Model and Manufacturer.
|
||||
|
||||
> [!NOTE]
|
||||
> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
|
||||
|
@ -7,7 +7,7 @@ author: frankroj
|
||||
ms.author: frankroj
|
||||
manager: aaroncz
|
||||
ms.topic: article
|
||||
ms.date: 03/13/2024
|
||||
ms.date: 03/28/2024
|
||||
ms.subservice: itpro-deploy
|
||||
zone_pivot_groups: windows-versions-11-10
|
||||
appliesto:
|
||||
@ -131,7 +131,7 @@ Once the **Language** pane is open, add the fonts associated with a language and
|
||||
|
||||
1. Drop down the menu below **Windows display language** to show all of the languages currently added to the device.
|
||||
|
||||
1. If the desired language isn't listed, add the fonts for the desired language by selecting the **+** button next to **Add a language**.
|
||||
1. If the desired language isn't listed, add the fonts for the desired language by selecting the **+** button next to **Add a language** in the **Preferred languages** section.
|
||||
|
||||
1. In the **Choose a language to install** window that opens:
|
||||
|
||||
@ -203,7 +203,7 @@ Once the **System > Optional features** pane is open, add a supplemental font wi
|
||||
|
||||
1. Once all of the desired supplemental fonts are selected, select the **Next** button.
|
||||
|
||||
1. Review the selected list of features and then select the **Install** button to add the selected features.
|
||||
1. Review the selected list of features and then select the **Add** button to add the selected features.
|
||||
|
||||
::: zone-end
|
||||
|
||||
@ -227,7 +227,7 @@ Once the **Optional features** pane is open, add a supplemental font with the fo
|
||||
|
||||
1. Find the desired supplemental font to add and then select the box next to the supplemental font to add it. Multiple supplemental fonts can be selected.
|
||||
|
||||
1. Once all of the desired supplemental fonts are selected, select the **Install** button.
|
||||
1. Once all of the desired supplemental fonts are selected, select the **Add** button.
|
||||
|
||||
::: zone-end
|
||||
|
||||
|
@ -5,36 +5,34 @@ ms.localizationpriority: medium
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
manager: aaroncz
|
||||
ms.date: 03/16/2023
|
||||
ms.date: 03/26/2024
|
||||
ms.topic: article
|
||||
appliesto:
|
||||
- ✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>
|
||||
- ✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>
|
||||
- ✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>
|
||||
- ✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>
|
||||
- ✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>
|
||||
---
|
||||
|
||||
# Windows Defender Application Control and virtualization-based protection of code integrity
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server 2016 and higher
|
||||
|
||||
Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md).
|
||||
Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like kiosk devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md).
|
||||
|
||||
> [!NOTE]
|
||||
> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
|
||||
|
||||
WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices.
|
||||
|
||||
Using WDAC to restrict devices to only authorized apps has these advantages over other solutions:
|
||||
WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices. Using WDAC to restrict devices to only authorized apps has these advantages over other solutions:
|
||||
|
||||
1. The Windows kernel handles enforcement of WDAC policy and requires no other services or agents.
|
||||
2. The WDAC policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
|
||||
3. WDAC lets you set application control policy for any code that runs on Windows, including kernel mode drivers and even code that runs as part of Windows.
|
||||
4. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. Changing signed policy requires both administrative privilege and access to the organization's digital signing process. Using signed policies makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy.
|
||||
5. You can protect the entire WDAC enforcement mechanism with memory integrity. Even if a vulnerability exists in kernel mode code, memory integrity greatly reduces the likelihood that an attacker could successfully exploit it. Without memory integrity, an attacker who compromises the kernel could normally disable most system defenses, including application control policies enforced by WDAC or any other application control solution.
|
||||
1. The WDAC policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
|
||||
1. WDAC lets you set application control policy for any code that runs on Windows, including kernel mode drivers and even code that runs as part of Windows.
|
||||
1. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. Changing signed policy requires both administrative privilege and access to the organization's digital signing process. Using signed policies makes it difficult for an attacker, including one who manages to gain administrative privilege, to tamper with WDAC policy.
|
||||
1. You can protect the entire WDAC enforcement mechanism with memory integrity. Even if a vulnerability exists in kernel mode code, memory integrity greatly reduces the likelihood that an attacker could successfully exploit it. Without memory integrity, an attacker who compromises the kernel could normally disable most system defenses, including application control policies enforced by WDAC or any other application control solution.
|
||||
|
||||
There are no direct dependencies between WDAC and memory integrity. You can deploy them individually or together and there's no order in which they must be deployed.
|
||||
|
||||
Memory integrity relies on Windows virtualization-based security, and has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet.
|
||||
Memory integrity relies on Windows Virtualization-based security, and has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet.
|
||||
|
||||
WDAC has no specific hardware or software requirements.
|
||||
|
||||
|
@ -2,7 +2,7 @@
|
||||
title: How User Account Control works
|
||||
description: Learn about User Account Control (UAC) components and how it interacts with the end users.
|
||||
ms.topic: concept-article
|
||||
ms.date: 05/24/2023
|
||||
ms.date: 03/26/2024
|
||||
---
|
||||
|
||||
# How User Account Control works
|
||||
@ -26,7 +26,7 @@ To better understand how this process works, let's take a closer look at the Win
|
||||
|
||||
The following diagram shows how the sign in process for an administrator differs from the sign in process for a standard user.
|
||||
|
||||
:::image type="content" source="images/uac-windows-logon-process.gif" alt-text="Diagram that describes the UAC Windows logon process.":::
|
||||
:::image type="content" source="images/uac-windows-logon-process.gif" alt-text="Diagram that describes the UAC Windows sign-in process.":::
|
||||
|
||||
By default, both standard and administrator users access resources and execute apps in the security context of a standard user.\
|
||||
When a user signs in, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
|
||||
@ -93,7 +93,7 @@ When an executable file requests elevation, the *interactive desktop*, also call
|
||||
> [!NOTE]
|
||||
> Starting in **Windows Server 2019**, it's not possible to paste the content of the clipboard on the secure desktop. This is the same behavior of the currently supported Windows client OS versions.
|
||||
|
||||
Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware doesn't gain elevation if the user selects **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware doesn't gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
|
||||
Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware doesn't gain elevation if the user selects **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt might be able to gather the credentials from the user. However, the malware doesn't gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
|
||||
|
||||
While malware could present an imitation of the secure desktop, this issue can't occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token can't silently install when UAC is enabled, the user must explicitly provide consent by selecting **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon security policies.
|
||||
|
||||
@ -109,34 +109,34 @@ To better understand each component, review the following tables:
|
||||
|
||||
|Component|Description|
|
||||
|--- |--- |
|
||||
|<p>User performs operation requiring privilege|<p>If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.|
|
||||
|<p>ShellExecute|<p>ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.|
|
||||
|<p>CreateProcess|<p>If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.|
|
||||
|User performs operation requiring privilege|If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.|
|
||||
|ShellExecute|ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.|
|
||||
|CreateProcess|If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.|
|
||||
|
||||
### System
|
||||
|
||||
|Component|Description|
|
||||
|--- |--- |
|
||||
|<p>Application Information service|<p>A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required. Depending on the configured policies, the user may give consent.|
|
||||
|<p>Elevating an ActiveX install|<p>If ActiveX isn't installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.|
|
||||
|<p>Check UAC slider level|<p>UAC has a slider to select from four levels of notification.<ul><li><p>**Always notify** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul><p>Recommended if you often install new software or visit unfamiliar websites.<br></li><li><p>**Notify me only when programs try to make changes to my computer** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul><p>Recommended if you don't often install apps or visit unfamiliar websites.<br></li><li><p>**Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul><p>Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.<br></li><li><p>**Never notify (Disable UAC prompts)** will:<ul><li>Not notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul><p>Not recommended due to security concerns.|
|
||||
|<p>Secure desktop enabled|<p>The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: <ul><li><p>If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.</li><li><p>If the secure desktop isn't enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.|
|
||||
|<p>CreateProcess|<p>CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest doesn't match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.|
|
||||
|<p>AppCompat|<p>The AppCompat database stores information in the application compatibility fix entries for an application.|
|
||||
|<p>Fusion|<p>The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.|
|
||||
|<p>Installer detection|<p>Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.|
|
||||
|Application Information service|A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required. Depending on the configured policies, the user might give consent.|
|
||||
|Elevating an ActiveX install|If ActiveX isn't installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.|
|
||||
|Check UAC slider level|UAC has a slider to select from four levels of notification.<ul><li>**Always notify** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul>Recommended if you often install new software or visit unfamiliar websites.<br></li><li>**Notify me only when programs try to make changes to my computer** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Freeze other tasks until you respond.</li></ul>Recommended if you don't often install apps or visit unfamiliar websites.<br></li><li>**Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:<ul><li>Notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul>Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.<br></li><li>**Never notify (Disable UAC prompts)** will:<ul><li>Not notify you when programs try to install software or make changes to your computer.</li><li>Not notify you when you make changes to Windows settings.</li><li>Not freeze other tasks until you respond.</li></ul>Not recommended due to security concerns.|
|
||||
|Secure desktop enabled|The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked: <ul><li>If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.</li><li>If the secure desktop isn't enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.|
|
||||
|CreateProcess|CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest doesn't match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.|
|
||||
|AppCompat|The AppCompat database stores information in the application compatibility fix entries for an application.|
|
||||
|Fusion|The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.|
|
||||
|Installer detection|Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.|
|
||||
|
||||
### Kernel
|
||||
|
||||
|Component|Description|
|
||||
|--- |--- |
|
||||
|<p>Virtualization|<p>Virtualization technology ensures that noncompliant apps don't silently fail to run or fail in a way that the cause can't be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.|
|
||||
|<p>File system and registry|<p>The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
|
||||
|Virtualization|Virtualization technology ensures that noncompliant apps don't silently fail to run or fail in a way that the cause can't be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.|
|
||||
|File system and registry|The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.|
|
||||
|
||||
The slider never turns off UAC completely. If you set it to **Never notify**, it will:
|
||||
|
||||
- Keep the UAC service running
|
||||
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt
|
||||
- Cause all elevation request initiated by administrators to be autoapproved without showing a UAC prompt
|
||||
- Automatically deny all elevation requests for standard users
|
||||
|
||||
> [!IMPORTANT]
|
||||
@ -156,7 +156,7 @@ Most app tasks operate properly by using virtualization features. Although virtu
|
||||
Virtualization isn't an option in the following scenarios:
|
||||
|
||||
- Virtualization doesn't apply to apps that are elevated and run with a full administrative access token
|
||||
- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations
|
||||
- Virtualization supports only 32-bit apps. Nonelevated 64-bit apps receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations
|
||||
- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute
|
||||
|
||||
### Request execution levels
|
||||
@ -178,11 +178,11 @@ Installer detection only applies to:
|
||||
Before a 32-bit process is created, the following attributes are checked to determine whether it's an installer:
|
||||
|
||||
- The file name includes keywords such as "install," "setup," or "update."
|
||||
- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name
|
||||
- Keywords in the side-by-side manifest are embedded in the executable file
|
||||
- Keywords in specific StringTable entries are linked in the executable file
|
||||
- Key attributes in the resource script data are linked in the executable file
|
||||
- There are targeted sequences of bytes within the executable file
|
||||
- Versioning Resource fields contain the following keywords: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
|
||||
- Keywords in the side-by-side manifest are embedded in the executable file.
|
||||
- Keywords in specific StringTable entries are linked in the executable file.
|
||||
- Key attributes in the resource script data are linked in the executable file.
|
||||
- There are targeted sequences of bytes within the executable file.
|
||||
|
||||
> [!NOTE]
|
||||
> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
|
||||
|
@ -2,19 +2,20 @@
|
||||
title: User Account Control
|
||||
description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices.
|
||||
ms.topic: overview
|
||||
ms.date: 05/24/2023
|
||||
ms.date: 03/26/2024
|
||||
---
|
||||
|
||||
# User Account Control overview
|
||||
|
||||
User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve or deny the change. UAC improves the security of Windows devices by limiting the access that malicious code has to execute with administrator privileges. UAC empowers users to make informed decisions about actions that may affect the stability and security of their device.
|
||||
User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve or deny the change. UAC improves the security of Windows devices by limiting the access that malicious code has to execute with administrator privileges. UAC empowers users to make informed decisions about actions that might affect the stability and security of their device.
|
||||
|
||||
Unless you disable UAC, malicious software is prevented from disabling or interfering with UAC settings. UAC is enabled by default, and you can configure it if you have administrative privileges.
|
||||
|
||||
## Benefits of UAC
|
||||
|
||||
UAC allows all users to sign in their devices using a *standard user account*. Processes launched using a *standard user token* may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Any applications that are started using Windows Explorer (for example, by opening a shortcut) also run with the standard set of user permissions. Most applications, including the ones included with the operating system, are designed to work properly this way.\
|
||||
Other applications, like ones that aren't designed with security settings in mind, may require more permissions to run successfully. These applications are referred to as *legacy apps*.
|
||||
UAC allows all users to sign in their devices using a *standard user account*. Processes launched using a *standard user token* might perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Any applications that are started using Windows Explorer (for example, by opening a shortcut) also run with the standard set of user permissions. Most applications, including the ones included with the operating system, are designed to work properly this way.
|
||||
|
||||
Other applications, like ones that aren't designed with security settings in mind, might require more permissions to run successfully. These applications are referred to as *legacy apps*.
|
||||
|
||||
When a user tries to perform an action that requires administrative privileges, UAC triggers a *consent prompt*. The prompt notifies the user that a change is about to occur, asking for their permission to proceed:
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: User Account Control settings and configuration
|
||||
description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy and registry.
|
||||
ms.date: 07/31/2023
|
||||
description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy, and registry.
|
||||
ms.date: 03/26/2024
|
||||
ms.topic: how-to
|
||||
---
|
||||
|
||||
@ -20,7 +20,7 @@ The following table lists the available settings to configure the UAC behavior,
|
||||
|Detect application installations and prompt for elevation|Controls the behavior of application installation detection for the computer.<br><br>**Enabled (default)**: When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Disabled**: App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Microsoft Intune, should disable this policy setting. In this case, installer detection is unnecessary. |
|
||||
|Only elevate executables that are signed and validated|Enforces signature checks for any interactive applications that request elevation of privilege. IT admins can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local devices.<br><br>**Enabled**: Enforces the certificate certification path validation for a given executable file before it's permitted to run.<br>**Disabled (default)**: Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.|
|
||||
|Only elevate UIAccess applications that are installed in secure locations|Controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders:<br>- `%ProgramFiles%`, including subfolders<br>- `%SystemRoot%\system32\`<br>- `%ProgramFiles(x86)%`, including subfolders<br><br><br>**Enabled (default)**: If an app resides in a secure location in the file system, it runs only with UIAccess integrity.<br>**Disabled**: An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.<br><br>**Note:** Windows enforces a digital signature check on any interactive apps that requests to run with a UIAccess integrity level regardless of the state of this setting.|
|
||||
|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system has been reduced.|
|
||||
|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system is reduced.|
|
||||
|Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
|
||||
|Virtualize File And Registry Write Failures To Per User Locations|Controls whether application write failures are redirected to defined registry and file system locations. This setting mitigates applications that run as administrator and write run-time application data to `%ProgramFiles%`, `%Windir%`, `%Windir%\system32`, or `HKLM\Software`.<br><br>**Enabled (default)**: App write failures are redirected at run time to defined user locations for both the file system and registry.<br>**Disabled**: Apps that write data to protected locations fail.|
|
||||
|
||||
@ -67,18 +67,18 @@ You can use security policies to configure how User Account Control works in you
|
||||
|
||||
The policy settings are located under: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options`.
|
||||
|
||||
| Group Policy setting |Default value|
|
||||
| - | - |
|
||||
|User Account Control: Admin Approval Mode for the built-in Administrator account| Disabled |
|
||||
|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop| Disabled |
|
||||
|User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode| Prompt for consent for non-Windows binaries |
|
||||
|User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
|
||||
|User Account Control: Detect application installations and prompt for elevation| Enabled (default for home edition only)<br />Disabled (default) |
|
||||
|User Account Control: Only elevate executables that are signed and validated| Disabled |
|
||||
|User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
|
||||
|User Account Control: Run all administrators in Admin Approval Mode| Enabled |
|
||||
|User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
|
||||
|User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
|
||||
| Group Policy setting | Default value |
|
||||
|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|
|
||||
| User Account Control: Admin Approval Mode for the built-in Administrator account | Disabled |
|
||||
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
|
||||
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries |
|
||||
| User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
|
||||
| User Account Control: Detect application installations and prompt for elevation | Enabled (default for home edition only)<br />Disabled (default) |
|
||||
| User Account Control: Only elevate executables that are signed and validated | Disabled |
|
||||
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
|
||||
| User Account Control: Run all administrators in Admin Approval Mode | Enabled |
|
||||
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
|
||||
| User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
|
||||
|
||||
#### [:::image type="icon" source="../../../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg)
|
||||
|
||||
|
@ -40,3 +40,6 @@ Starting with Windows 10, the Application Identity service is now a protected pr
|
||||
```
|
||||
|
||||
- Create a security template that configures appidsvc to be automatic start, and apply it using secedit.exe or LGPO.exe.
|
||||
|
||||
> [!NOTE]
|
||||
> The Startup type of the Application Identity service cannot be set to Manual using sc.exe. Therefore, we recommend to perform a system backup before changing it.
|
||||
|
@ -11,7 +11,7 @@ ms.date: 12/01/2022
|
||||
>[!NOTE]
|
||||
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
|
||||
|
||||
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](wdac-deployment-guide.md).
|
||||
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need to use [Microsoft's Trusted Signing service](/azure/trusted-signing/), a publicly issued code signing certificate or an internal CA. If you've purchased a code signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](wdac-deployment-guide.md).
|
||||
|
||||
If you have an internal CA, complete these steps to create a code signing certificate.
|
||||
|
||||
@ -20,7 +20,7 @@ If you have an internal CA, complete these steps to create a code signing certif
|
||||
>
|
||||
> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
|
||||
> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.
|
||||
> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256.
|
||||
> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA256.
|
||||
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
|
||||
|
||||
1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.
|
||||
|
@ -75,7 +75,7 @@ When finished, the tool saves the files to your desktop. You can view the `*.cdf
|
||||
|
||||
## Sign your catalog file
|
||||
|
||||
Now that you've created a catalog file for your app, you're ready to sign it.
|
||||
Now that you've created a catalog file for your app, you're ready to sign it. We recommend using [Microsoft's Trusted Signing service](/azure/trusted-signing/) for catalog signing. Optionally, you can manually sign the catalog using Signtool using the following instructions.
|
||||
|
||||
### Catalog signing with SignTool.exe
|
||||
|
||||
@ -336,13 +336,16 @@ Some of the known issues using Package Inspector to build a catalog file are:
|
||||
- Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this USN was the most recent one when you ran PackageInspector start). Then use fsutil.exe to read that starting location. Replace "RegKeyValue" in the following command with the value from the reg key:<br>
|
||||
`fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt`
|
||||
- The above command should return an error if the older USNs don't exist anymore due to overflow
|
||||
- You can expand the USN Journal size using: `fsutil usn createjournal` with a new size and allocation delta. `Fsutil usn queryjournal` shows the current size and allocation delta, so using a multiple of that may help
|
||||
- You can expand the USN Journal size using: `fsutil usn createjournal` with a new size and allocation delta. `Fsutil usn queryjournal` shows the current size and allocation delta, so using a multiple of that may help.
|
||||
|
||||
- **CodeIntegrity - Operational event log is too small to track all files created by the installer**
|
||||
- To diagnose whether Eventlog size is the issue, after running through Package Inspector:
|
||||
- Open Event Viewer and expand the **Application and Services//Microsoft//Windows//CodeIntegrity//Operational**. Check for a 3076 audit block event for the initial installer launch.
|
||||
- To increase the Event log size, in Event Viewer right-click the operational log, select Properties, and then set new values
|
||||
- To increase the Event log size, in Event Viewer right-click the operational log, select Properties, and then set new values.
|
||||
|
||||
- **Installer or app files that change hash each time the app is installed or run**
|
||||
- Some apps generate files at run time whose hash value is different every time. You can diagnose this issue by reviewing the hash values in the 3076 audit block events (or 3077 enforcement events) that are generated. If each time you attempt to run the file you observe a new block event with a different hash, the package doesn't work with Package Inspector.
|
||||
|
||||
- **Files with an invalid signature blob or otherwise "unhashable" files**
|
||||
- This issue arises when a signed file was modified in a way that invalidates the file's PE header. A file modified in this way is unable to be hashed according to the Authenticode spec.
|
||||
- Although these "unhashable" files can't be included in the catalog file created by PackageInspector, you should be able to allow them by adding a hash ALLOW rule to your policy that uses the file's flat file hash.
|
||||
|
@ -38,6 +38,6 @@ For more information on using signed policies, see [Use signed policies to prote
|
||||
|
||||
Some ways to obtain code signing certificates for your own use, include:
|
||||
|
||||
- Use Microsoft's [Trusted Signing service](/azure/trusted-signing/).
|
||||
- Purchase a code signing certificate from one of the [Microsoft Trusted Root Program participants](/security/trusted-root/participants-list).
|
||||
- To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-wdac.md).
|
||||
- Use Microsoft's [Azure Code Signing (ACS) service](https://aka.ms/AzureCodeSigning).
|
||||
|
@ -2,7 +2,7 @@
|
||||
title: Windows Sandbox architecture
|
||||
description: Windows Sandbox architecture
|
||||
ms.topic: article
|
||||
ms.date: 05/25/2023
|
||||
ms.date: 03/26/2024
|
||||
---
|
||||
|
||||
# Windows Sandbox architecture
|
||||
@ -15,7 +15,7 @@ Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Ba
|
||||
|
||||
Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and can't be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. With the help of this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an extra copy of Windows.
|
||||
|
||||
Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space.
|
||||
Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once installed, the dynamic base image occupies about 500 MB of disk space.
|
||||
|
||||

|
||||
|
||||
@ -27,7 +27,7 @@ Traditional VMs apportion statically sized allocations of host memory. When reso
|
||||
|
||||
## Memory sharing
|
||||
|
||||
Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
|
||||
Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
|
||||
|
||||

|
||||
|
||||
@ -37,7 +37,7 @@ With ordinary virtual machines, the Microsoft hypervisor controls the scheduling
|
||||
|
||||

|
||||
|
||||
Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work will be prioritized, whether it's on the host or in the container.
|
||||
Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work is prioritized, whether it's on the host or in the container.
|
||||
|
||||
## WDDM GPU virtualization
|
||||
|
||||
@ -47,7 +47,7 @@ This feature allows programs running inside the sandbox to compete for GPU resou
|
||||
|
||||

|
||||
|
||||
To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP).
|
||||
To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP).
|
||||
|
||||
## Battery pass-through
|
||||
|
||||
|
@ -2,7 +2,7 @@
|
||||
title: Windows Sandbox configuration
|
||||
description: Windows Sandbox configuration
|
||||
ms.topic: article
|
||||
ms.date: 05/25/2023
|
||||
ms.date: 03/26/2024
|
||||
---
|
||||
|
||||
# Windows Sandbox configuration
|
||||
@ -11,13 +11,13 @@ Windows Sandbox supports simple configuration files, which provide a minimal set
|
||||
|
||||
A configuration file enables the user to control the following aspects of Windows Sandbox:
|
||||
|
||||
- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
|
||||
- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox uses Windows Advanced Rasterization Platform (WARP).
|
||||
- **Networking**: Enable or disable network access within the sandbox.
|
||||
- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Exposing host directories may allow malicious software to affect the system or steal data.
|
||||
- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Exposing host directories might allow malicious software to affect the system or steal data.
|
||||
- **Logon command**: A command that's executed when Windows Sandbox starts.
|
||||
- **Audio input**: Shares the host's microphone input into the sandbox.
|
||||
- **Video input**: Shares the host's webcam input into the sandbox.
|
||||
- **Protected client**: Places increased security settings on the RDP session to the sandbox.
|
||||
- **Protected client**: Places increased security settings on the Remote Desktop Protocol (RDP) session to the sandbox.
|
||||
- **Printer redirection**: Shares printers from the host into the sandbox.
|
||||
- **Clipboard redirection**: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
|
||||
- **Memory in MB**: The amount of memory, in megabytes, to assign to the sandbox.
|
||||
@ -37,7 +37,7 @@ To create a configuration file:
|
||||
</Configuration>
|
||||
```
|
||||
|
||||
3. Add appropriate configuration text between the two lines. For details, see the correct syntax and the examples below.
|
||||
3. Add appropriate configuration text between the two lines. For details, see [examples](#examples).
|
||||
4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"My config file.wsb"`.
|
||||
|
||||
## Using a configuration file
|
||||
@ -59,7 +59,7 @@ Enables or disables GPU sharing.
|
||||
Supported values:
|
||||
|
||||
- *Enable*: Enables vGPU support in the sandbox.
|
||||
- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU.
|
||||
- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox uses software rendering, which might be slower than virtualized GPU.
|
||||
- *Default* This value is the default value for vGPU support. Currently, this default value denotes that vGPU is disabled.
|
||||
|
||||
> [!NOTE]
|
||||
@ -82,7 +82,7 @@ Supported values:
|
||||
|
||||
### Mapped folders
|
||||
|
||||
An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder will be mapped to the container user's desktop.
|
||||
An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder is mapped to the container user's desktop.
|
||||
|
||||
```xml
|
||||
<MappedFolders>
|
||||
@ -97,11 +97,9 @@ An array of folders, each representing a location on the host machine that will
|
||||
</MappedFolders>
|
||||
```
|
||||
|
||||
*HostFolder*: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container will fail to start.
|
||||
|
||||
*SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop.
|
||||
|
||||
*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
|
||||
- *HostFolder*: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start.
|
||||
- *SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it is created. If no sandbox folder is specified, the folder is mapped to the container desktop.
|
||||
- *ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
|
||||
|
||||
> [!NOTE]
|
||||
> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
|
||||
@ -129,7 +127,7 @@ Enables or disables audio input to the sandbox.
|
||||
|
||||
Supported values:
|
||||
|
||||
- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
|
||||
- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone may require this capability.
|
||||
- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
|
||||
- *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
|
||||
|
||||
@ -189,7 +187,7 @@ Enables or disables sharing of the host clipboard with the sandbox.
|
||||
Supported values:
|
||||
|
||||
- *Enable*: Enables sharing of the host clipboard with the sandbox.
|
||||
- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
|
||||
- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox is restricted.
|
||||
- *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
|
||||
|
||||
### Memory in MB
|
||||
@ -198,13 +196,15 @@ Specifies the amount of memory that the sandbox can use in megabytes (MB).
|
||||
|
||||
`<MemoryInMB>value</MemoryInMB>`
|
||||
|
||||
If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.
|
||||
If the memory value specified is insufficient to boot a sandbox, it is automatically increased to the required minimum amount.
|
||||
|
||||
## Example 1
|
||||
## Examples
|
||||
|
||||
### Example 1
|
||||
|
||||
The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
|
||||
|
||||
### Downloads.wsb
|
||||
#### Downloads.wsb
|
||||
|
||||
```xml
|
||||
<Configuration>
|
||||
@ -223,17 +223,17 @@ The following config file can be used to easily test the downloaded files inside
|
||||
</Configuration>
|
||||
```
|
||||
|
||||
## Example 2
|
||||
### Example 2
|
||||
|
||||
The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
|
||||
|
||||
Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install and run Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
|
||||
Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which installs and runs Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
|
||||
|
||||
With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it.
|
||||
|
||||
### VSCodeInstall.cmd
|
||||
#### VSCodeInstall.cmd
|
||||
|
||||
Download vscode to `downloads` folder and run from `downloads` folder.
|
||||
Downloads VS Code to `downloads` folder and runs installation from `downloads` folder.
|
||||
|
||||
```batch
|
||||
REM Download Visual Studio Code
|
||||
@ -243,7 +243,7 @@ REM Install and run Visual Studio Code
|
||||
C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
|
||||
```
|
||||
|
||||
### VSCode.wsb
|
||||
#### VSCode.wsb
|
||||
|
||||
```xml
|
||||
<Configuration>
|
||||
@ -265,15 +265,15 @@ C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
|
||||
</Configuration>
|
||||
```
|
||||
|
||||
## Example 3
|
||||
### Example 3
|
||||
|
||||
The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users.
|
||||
|
||||
`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file.
|
||||
|
||||
### SwapMouse.ps1
|
||||
#### SwapMouse.ps1
|
||||
|
||||
Create a powershell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
|
||||
Create a PowerShell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
|
||||
|
||||
```powershell
|
||||
[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
|
||||
|
@ -2,20 +2,20 @@
|
||||
title: Windows Sandbox
|
||||
description: Windows Sandbox overview
|
||||
ms.topic: article
|
||||
ms.date: 05/25/2023
|
||||
ms.date: 03/26/2024
|
||||
---
|
||||
|
||||
# Windows Sandbox
|
||||
|
||||
Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.
|
||||
|
||||
A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Note, however, that as of Windows 11, version 22H2, your data will persist through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot.
|
||||
A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Note, however, that as of Windows 11, version 22H2, your data persists through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot.
|
||||
|
||||
Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
|
||||
|
||||
Windows Sandbox has the following properties:
|
||||
|
||||
- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
|
||||
- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a Virtual Hard Disk (VHD).
|
||||
- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
|
||||
- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
|
||||
- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
|
||||
@ -70,9 +70,6 @@ Windows Sandbox has the following properties:
|
||||
## Usage
|
||||
|
||||
1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window.
|
||||
|
||||
2. Run the executable file or installer inside the sandbox.
|
||||
|
||||
3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select **Ok**.
|
||||
|
||||
4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.
|
||||
|
@ -2,7 +2,7 @@
|
||||
title: Enable memory integrity
|
||||
description: This article explains the steps to opt in to using memory integrity on Windows devices.
|
||||
ms.topic: conceptual
|
||||
ms.date: 03/16/2023
|
||||
ms.date: 03/26/2024
|
||||
appliesto:
|
||||
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
|
||||
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
|
||||
@ -13,17 +13,16 @@ appliesto:
|
||||
|
||||
# Enable virtualization-based protection of code integrity
|
||||
|
||||
**Memory integrity** is a virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
|
||||
**Memory integrity** is a Virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
|
||||
|
||||
> [!NOTE]
|
||||
> Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance. When nested virtualization is enabled, memory integrity works better when the VM is version >= 9.3.
|
||||
>
|
||||
> - Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
|
||||
> - Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance. When nested virtualization is enabled, memory integrity works better when the VM is version >= 9.3.
|
||||
|
||||
> [!WARNING]
|
||||
> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
|
||||
|
||||
> [!NOTE]
|
||||
> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
|
||||
|
||||
## Memory integrity features
|
||||
|
||||
- Protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers.
|
||||
@ -47,30 +46,23 @@ Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory i
|
||||
|
||||
### Enable memory integrity using Intune
|
||||
|
||||
Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure these settings by using the [settings catalog](/mem/intune/configuration/settings-catalog).
|
||||
Use the **Virtualization Based Technology** > **Hypervisor Enforced Code Integrity** setting using the [settings catalog](/mem/intune/configuration/settings-catalog) to enable memory integrity. You can also use the HypervisorEnforcedCodeIntegrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology).
|
||||
|
||||
### Enable memory integrity using Group Policy
|
||||
|
||||
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
|
||||
|
||||
2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
|
||||
|
||||
3. Double-click **Turn on Virtualization Based Security**.
|
||||
|
||||
4. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
|
||||
|
||||
1. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
|
||||
1. Double-click **Turn on Virtualization Based Security**.
|
||||
1. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
|
||||

|
||||
1. Select **Ok** to close the editor.
|
||||
|
||||
5. Select **Ok** to close the editor.
|
||||
|
||||
To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt.
|
||||
To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated Command Prompt.
|
||||
|
||||
### Use registry keys to enable memory integrity
|
||||
|
||||
Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy.
|
||||
|
||||
<!--This comment ensures that the Important above and the Warning below don't merge together. -->
|
||||
|
||||
> [!IMPORTANT]
|
||||
>
|
||||
> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
|
||||
@ -79,19 +71,13 @@ Set the following registry keys to enable memory integrity. These keys provide e
|
||||
>
|
||||
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
|
||||
|
||||
#### For Windows 10 version 1607 and later and for Windows 11 version 21H2
|
||||
|
||||
Recommended settings (to enable memory integrity without UEFI Lock):
|
||||
|
||||
```console
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
|
||||
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
|
||||
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
|
||||
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
|
||||
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
|
||||
```
|
||||
|
||||
@ -155,52 +141,6 @@ reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\Hyperviso
|
||||
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f
|
||||
```
|
||||
|
||||
#### For Windows 10 version 1511 and earlier
|
||||
|
||||
Recommended settings (to enable memory integrity, without UEFI Lock):
|
||||
|
||||
```console
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
|
||||
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
|
||||
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
|
||||
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
|
||||
```
|
||||
|
||||
If you want to customize the preceding recommended settings, use the following settings.
|
||||
|
||||
**To enable VBS (it is always locked to UEFI)**
|
||||
|
||||
```console
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
|
||||
```
|
||||
|
||||
**To enable VBS and require Secure boot only (value 1)**
|
||||
|
||||
```console
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
|
||||
```
|
||||
|
||||
**To enable VBS with Secure Boot and DMA (value 3)**
|
||||
|
||||
```console
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
|
||||
```
|
||||
|
||||
**To enable memory integrity (with the default, UEFI lock)**
|
||||
|
||||
```console
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
|
||||
```
|
||||
|
||||
**To enable memory integrity without UEFI lock**
|
||||
|
||||
```console
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
|
||||
```
|
||||
|
||||
### Enable memory integrity using Windows Defender Application Control (WDAC)
|
||||
|
||||
You can use WDAC policy to turn on memory integrity using any of the following techniques:
|
||||
@ -214,10 +154,12 @@ You can use WDAC policy to turn on memory integrity using any of the following t
|
||||
|
||||
### Validate enabled VBS and memory integrity features
|
||||
|
||||
Windows 10, Windows 11, and Windows Server 2016 and higher have a WMI class for VBS-related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
|
||||
#### Use Win32_DeviceGuard WMI class
|
||||
|
||||
Windows 10, Windows 11, and Windows Server 2016 and higher have a WMI class for VBS-related properties and features: **Win32_DeviceGuard**. This class can be queried from an elevated Windows PowerShell session by using the following command:
|
||||
|
||||
```powershell
|
||||
Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
|
||||
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
@ -225,90 +167,92 @@ Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windo
|
||||
|
||||
The output of this command provides details of the available hardware-based security features and those features that are currently enabled.
|
||||
|
||||
#### AvailableSecurityProperties
|
||||
##### AvailableSecurityProperties
|
||||
|
||||
This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
|
||||
|
||||
Value | Description
|
||||
-|-
|
||||
**0.** | If present, no relevant properties exist on the device.
|
||||
**1.** | If present, hypervisor support is available.
|
||||
**2.** | If present, Secure Boot is available.
|
||||
**3.** | If present, DMA protection is available.
|
||||
**4.** | If present, Secure Memory Overwrite is available.
|
||||
**5.** | If present, NX protections are available.
|
||||
**6.** | If present, SMM mitigations are available.
|
||||
**7.** | If present, MBEC/GMET is available.
|
||||
**8.** | If present, APIC virtualization is available.
|
||||
| Value | Description |
|
||||
|-------|---------------------------------------------------------|
|
||||
| **0** | If present, no relevant properties exist on the device. |
|
||||
| **1** | If present, hypervisor support is available. |
|
||||
| **2** | If present, Secure Boot is available. |
|
||||
| **3** | If present, DMA protection is available. |
|
||||
| **4** | If present, Secure Memory Overwrite is available. |
|
||||
| **5** | If present, NX protections are available. |
|
||||
| **6** | If present, SMM mitigations are available. |
|
||||
| **7** | If present, MBEC/GMET is available. |
|
||||
| **8** | If present, APIC virtualization is available. |
|
||||
|
||||
#### InstanceIdentifier
|
||||
##### InstanceIdentifier
|
||||
|
||||
A string that is unique to a particular device and set by WMI.
|
||||
|
||||
#### RequiredSecurityProperties
|
||||
##### RequiredSecurityProperties
|
||||
|
||||
This field describes the required security properties to enable VBS.
|
||||
|
||||
Value | Description
|
||||
-|-
|
||||
**0.** | Nothing is required.
|
||||
**1.** | If present, hypervisor support is needed.
|
||||
**2.** | If present, Secure Boot is needed.
|
||||
**3.** | If present, DMA protection is needed.
|
||||
**4.** | If present, Secure Memory Overwrite is needed.
|
||||
**5.** | If present, NX protections are needed.
|
||||
**6.** | If present, SMM mitigations are needed.
|
||||
**7.** | If present, MBEC/GMET is needed.
|
||||
| Value | Description |
|
||||
|-------|------------------------------------------------|
|
||||
| **0** | Nothing is required. |
|
||||
| **1** | If present, hypervisor support is needed. |
|
||||
| **2** | If present, Secure Boot is needed. |
|
||||
| **3** | If present, DMA protection is needed. |
|
||||
| **4** | If present, Secure Memory Overwrite is needed. |
|
||||
| **5** | If present, NX protections are needed. |
|
||||
| **6** | If present, SMM mitigations are needed. |
|
||||
| **7** | If present, MBEC/GMET is needed. |
|
||||
|
||||
#### SecurityServicesConfigured
|
||||
##### SecurityServicesConfigured
|
||||
|
||||
This field indicates whether Credential Guard or memory integrity has been configured.
|
||||
This field indicates whether Credential Guard or memory integrity is configured.
|
||||
|
||||
Value | Description
|
||||
-|-
|
||||
**0.** | No services are configured.
|
||||
**1.** | If present, Credential Guard is configured.
|
||||
**2.** | If present, memory integrity is configured.
|
||||
**3.** | If present, System Guard Secure Launch is configured.
|
||||
**4.** | If present, SMM Firmware Measurement is configured.
|
||||
| Value | Description |
|
||||
|-------|-------------------------------------------------------|
|
||||
| **0** | No services are configured. |
|
||||
| **1** | If present, Credential Guard is configured. |
|
||||
| **2** | If present, memory integrity is configured. |
|
||||
| **3** | If present, System Guard Secure Launch is configured. |
|
||||
| **4** | If present, SMM Firmware Measurement is configured. |
|
||||
|
||||
#### SecurityServicesRunning
|
||||
##### SecurityServicesRunning
|
||||
|
||||
This field indicates whether Credential Guard or memory integrity is running.
|
||||
|
||||
Value | Description
|
||||
-|-
|
||||
**0.** | No services running.
|
||||
**1.** | If present, Credential Guard is running.
|
||||
**2.** | If present, memory integrity is running.
|
||||
**3.** | If present, System Guard Secure Launch is running.
|
||||
**4.** | If present, SMM Firmware Measurement is running.
|
||||
| Value | Description |
|
||||
|-------|----------------------------------------------------|
|
||||
| **0** | No services running. |
|
||||
| **1** | If present, Credential Guard is running. |
|
||||
| **2** | If present, memory integrity is running. |
|
||||
| **3** | If present, System Guard Secure Launch is running. |
|
||||
| **4** | If present, SMM Firmware Measurement is running. |
|
||||
|
||||
#### Version
|
||||
##### Version
|
||||
|
||||
This field lists the version of this WMI class. The only valid value now is **1.0**.
|
||||
|
||||
#### VirtualizationBasedSecurityStatus
|
||||
##### VirtualizationBasedSecurityStatus
|
||||
|
||||
This field indicates whether VBS is enabled and running.
|
||||
|
||||
Value | Description
|
||||
-|-
|
||||
**0.** | VBS isn't enabled.
|
||||
**1.** | VBS is enabled but not running.
|
||||
**2.** | VBS is enabled and running.
|
||||
| Value | Description |
|
||||
|-------|---------------------------------|
|
||||
| **0** | VBS isn't enabled. |
|
||||
| **1** | VBS is enabled but not running. |
|
||||
| **2** | VBS is enabled and running. |
|
||||
|
||||
#### PSComputerName
|
||||
##### PSComputerName
|
||||
|
||||
This field lists the computer name. All valid values for computer name.
|
||||
|
||||
#### Use msinfo32.exe
|
||||
|
||||
Another method to determine the available and enabled VBS features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the VBS features are displayed at the bottom of the **System Summary** section.
|
||||
|
||||
:::image type="content" alt-text="Virtualization-based security features in the System Summary of System Information." source="images/system-information-virtualization-based-security.png" lightbox="images/system-information-virtualization-based-security.png":::
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
- If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**.
|
||||
- If a device driver fails to load or crashes at runtime, you might be able to update the driver using **Device Manager**.
|
||||
- If you experience a critical error during boot or your system is unstable after turning on memory integrity, you can recover using the Windows Recovery Environment (Windows RE).
|
||||
1. First, disable any policies that are used to enable VBS and memory integrity, for example Group Policy.
|
||||
2. Then, boot to Windows RE on the affected computer, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference).
|
||||
@ -338,5 +282,5 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
|
||||
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
|
||||
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
|
||||
- Memory integrity and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the Hyper-V role on the virtual machine, you must first install the Hyper-V role in a Windows nested virtualization environment.
|
||||
- Virtual Fibre Channel adapters aren't compatible with memory integrity. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
|
||||
- The AllowFullSCSICommandSet option for pass-through disks isn't compatible with memory integrity. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
|
||||
- Virtual Fibre Channel adapters aren't compatible with memory integrity. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of Virtualization-based security using `Set-VMSecurity`.
|
||||
- The AllowFullSCSICommandSet option for pass-through disks isn't compatible with memory integrity. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of Virtualization-based security using `Set-VMSecurity`.
|
||||
|
Binary file not shown.
Before Width: | Height: | Size: 82 KiB After Width: | Height: | Size: 13 KiB |
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Resources for deprecated features in the Windows client
|
||||
description: Resources and details for deprecated features in the Windows client.
|
||||
ms.date: 10/09/2023
|
||||
ms.date: 03/25/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-fundamentals
|
||||
ms.localizationpriority: medium
|
||||
@ -21,6 +21,16 @@ appliesto:
|
||||
|
||||
This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features:
|
||||
|
||||
## WordPad
|
||||
|
||||
WordPad will be removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. As a result, Windows will no longer have a built-in, default RTF reader. We recommend Microsoft Word for rich text documents like .doc and .rtf and Notepad for plain text documents like .txt. The following binaries will be removed as a result of WordPad removal:
|
||||
|
||||
- wordpad.exe
|
||||
- wordpadfilter.dll
|
||||
- write.exe
|
||||
|
||||
Avoid taking a direct dependency on these binaries and Wordpad in your product. Instead, for trying to open a text file, rely on Microsoft Word or Notepad.
|
||||
|
||||
## VBScript
|
||||
|
||||
VBScript will be available as a [feature on demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) before being retired in future Windows releases. Initially, the VBScript feature on demand will be preinstalled to allow for uninterrupted use while you prepare for the retirement of VBScript.
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Deprecated features in the Windows client
|
||||
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
|
||||
ms.date: 03/14/2024
|
||||
ms.date: 03/25/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-fundamentals
|
||||
ms.localizationpriority: medium
|
||||
@ -19,13 +19,13 @@ appliesto:
|
||||
|
||||
# Deprecated features for Windows client
|
||||
|
||||
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client.<!-- this sentence is used by tip for RSS --> For more information about features that have been removed, see [Windows features removed](removed-features.md).
|
||||
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client.<!-- this sentence is used by tip for RSS --> For more information about features that were removed, see [Windows features removed](removed-features.md).
|
||||
|
||||
For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
|
||||
|
||||
To understand the distinction between *deprecation* and *removal*, see [Windows client features lifecycle](feature-lifecycle.md).
|
||||
|
||||
The features in this article are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources.
|
||||
The features in this article are no longer being actively developed, and might be removed in a future update. Some features were replaced with other features or functionality and some are now available from other sources.
|
||||
|
||||
> [!TIP]
|
||||
> You can use RSS to be notified when this page is updated.<!-- 8590853 --> For example, the following RSS link includes this article:
|
||||
@ -47,6 +47,7 @@ The features in this article are no longer being actively developed, and might b
|
||||
|
||||
| Feature | Details and mitigation | Deprecation announced |
|
||||
|---|---|---|
|
||||
| NPLogonNotify and NPPasswordChangeNotify APIs <!--8787264--> | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a users password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
|
||||
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits <!--8644149-->| Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. </br></br> TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
|
||||
| Test Base <!--8790681--> | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
|
||||
| Windows Mixed Reality <!--8412877--> | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta. Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates.</br> </br>This deprecation doesn't affect HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 |
|
||||
@ -61,13 +62,13 @@ The features in this article are no longer being actively developed, and might b
|
||||
| Remote Mailslots <!--8454244-->| Remote Mailslots are deprecated. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS. This protocol was first disabled by default in [Windows 11 Insider Preview Build ](https://blogs.windows.com/windows-insider/2023/03/08/announcing-windows-11-insider-preview-build-25314/). For more information on Remote Mailslots, see [About Mailslots](/windows/win32/ipc/about-mailslots) and [[MS-MAIL]: Remote Mailslot Protocol](/openspecs/windows_protocols/ms-mail/8ea19aa4-6e5a-4aed-b628-0b5cd75a1ab9).| November 2023 |
|
||||
| Timeline for Microsoft Entra accounts <!--8396095--> | Cross-device syncing of Microsoft Entra user activity history will stop starting in January 2024. Microsoft will stop storing this data in the cloud, aligning with [the previous change for Microsoft accounts (MSA)](https://blogs.windows.com/windows-insider/2021/04/14/announcing-windows-10-insider-preview-build-21359) in 2021. The timeline user experience was retired in Windows 11, although it remains in Windows 10. The timeline user experience and all your local activity history still remains on Windows 10 devices. Users can access web history using their browser and access recent files through OneDrive and Office. | October 2023 |
|
||||
| VBScript <!--7954828--> | VBScript is deprecated. In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system. For more information, see [Resources for deprecated features](deprecated-features-resources.md#vbscript). | October 2023 |
|
||||
| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 |
|
||||
| AllJoyn | Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
|
||||
| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. </br></br> **[Update - March 2024]**: WordPad will be removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025. If you're a developer and need information about the affected binaries, see [Resources for deprecated features](deprecated-features-resources.md#wordpad). | September 1, 2023 |
|
||||
| AllJoyn | Microsoft's implementation of AllJoyn, which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) is deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
|
||||
| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023|
|
||||
| Cortana in Windows <!--7987543--> | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
|
||||
| Microsoft Support Diagnostic Tool (MSDT) <!--6968128--> | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
|
||||
| Universal Windows Platform (UWP) Applications for 32-bit Arm <!--7116112-->| This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content isn't applicable. If you aren't sure which type of processor you have, check **Settings** > **System** > **About**.</br> </br> Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
|
||||
| Update Compliance <!--7260188-->| [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
|
||||
| Update Compliance <!--7260188-->| [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service was replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
|
||||
| Windows Information Protection <!-- 6010051 --> | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).<br> <br>For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |
|
||||
| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**<br>Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client.<br>The following items might not be available in a future release of Windows client:<br>- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**<br>- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)<br>- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**<br>- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
|
||||
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
|
||||
@ -85,7 +86,7 @@ The features in this article are no longer being actively developed, and might b
|
||||
| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which aren't as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
|
||||
| Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
|
||||
|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this reason, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
|
||||
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
|
||||
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
|
||||
|[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
|
||||
|[Offline symbol packages](/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](/archive/blogs/windbg/update-on-microsofts-symbol-server). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 |
|
||||
|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. For more information, see [Error opening Help in Windows-based programs: "Feature not included" or "Help not supported"](https://support.microsoft.com/topic/error-opening-help-in-windows-based-programs-feature-not-included-or-help-not-supported-3c841463-d67c-6062-0ee7-1a149da3973b).| 1803 |
|
||||
@ -99,7 +100,7 @@ The features in this article are no longer being actively developed, and might b
|
||||
|IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
|
||||
|RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
|
||||
|Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
|
||||
|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 |
|
||||
|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work provided your clients are running an up-to-date version of: </br> - Windows 11 </br> - Windows 10, version 21H2, or later | 1709 |
|
||||
|System Image Backup (SIB) Solution|This feature is also known as the **Backup and Restore (Windows 7)** legacy control panel. For full-disk backup solutions, look for a third-party product from another software publisher. You can also use [OneDrive](/onedrive/) to sync data files with Microsoft 365.| 1709 |
|
||||
|TLS RC4 Ciphers |To be disabled by default. For more information, see [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
|
||||
|Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
|
||||
@ -112,7 +113,7 @@ The features in this article are no longer being actively developed, and might b
|
||||
|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
|
||||
|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
|
||||
|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and shouldn't be used. | 1703 |
|
||||
|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update has been deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019.|
|
||||
|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update is deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019.|
|
||||
|
||||
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user