**Example**
<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>
Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
+|<docMode>|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
**Example**
<docMode>
<domain exclude="false">fabrikam.com
<path docMode="7">/products</path>
</domain>
</docMode>|Internet Explorer 11| ### Using Enterprise Mode and document mode together If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md index 70694a3df2..fcdaa18eee 100644 --- a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md @@ -92,194 +92,32 @@ Make sure that you don't specify a protocol when adding your URLs. Using a URL l ### Updated schema elements This table includes the elements used by the v.2 version of the Enterprise Mode schema. -
| Element | -Description | -Supported browser | -
|---|---|---|
| <site-list> | -A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
- Example - -<site-list version="205"> - <site url="contoso.com"> - <compat-mode>IE8Enterprise</compat-mode> - <open-in>IE11</open-in> - </site> -</site-list> |
-Internet Explorer 11 and Microsoft Edge | -
| <site> | -A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
- Example - -<site url="contoso.com"> - <compat-mode>default</compat-mode> - <open-in>none</open-in> -</site>--or- - For IPv4 ranges: <site url="10.122.34.99:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> --or- - For IPv6 ranges: <site url="[10.122.34.99]:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> -You can also use the self-closing version, <url="contoso.com" />, which also sets: -
|
-Internet Explorer 11 and Microsoft Edge | -
| <compat-mode> | -A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
- Example - -<site url="contoso.com"> - <compat-mode>IE8Enterprise</compat-mode> -</site>--or- - For IPv4 ranges: <site url="10.122.34.99:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> --or- - For IPv6 ranges: <site url="[10.122.34.99]:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> -Where: -
- - - |
-Internet Explorer 11 | -
| <open-in> | -A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
- Example - -<site url="contoso.com"> - <open-in>none</open-in> -</site> -Where: -
- - |
-Internet Explorer 11 and Microsoft Edge | -
**Example**
<site-list version="205">| Internet Explorer 11 and Microsoft Edge | +|<site> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
</site-list>
**Example**
<site url="contoso.com">
<compat-mode>default</compat-mode>
<open-in>none</open-in>
</site>
**or** For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
**or** For IPv6 ranges:
<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
You can also use the self-closing version, <url="contoso.com" />, which also sets:
- <compat-mode>default</compat-mode>
- <open-in>none</open-in> | Internet Explorer 11 and Microsoft Edge | +|<compat-mode> |A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
**Example**
**or**
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
</site>
For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
**or** For IPv6 ranges:
<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
Where
- **IE8Enterprise.** Loads the site in IE8 Enterprise Mode.
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode. - **IE7Enterprise.** Loads the site in IE7 Enterprise Mode.
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode**Important**
This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema. - **IE[x]**. Where [x] is the document mode number into which the site loads.
- **Default or not specified.** Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored. |Internet Explorer 11 | +|<open-in> |A child element that controls what browser is used for sites. This element supports the **Open in IE11** or **Open in Microsoft Edge** experiences, for devices running Windows 10.
**Examples**
<site url="contoso.com">
<open-in>none</open-in>
</site>
Where
- IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
- MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
- None or not specified. Opens in whatever browser the employee chooses. | Internet Explorer 11 and Microsoft Edge | ### Updated schema attributes The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema. -
- <compat-mode>default</compat-mode> -
- <open-in>none</open-in> -
- IE8Enterprise. Loads the site in IE8 Enterprise Mode.
This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode. - IE7Enterprise. Loads the site in IE7 Enterprise Mode.
This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.Important
This tag replaces the combination of the"forceCompatView"="true"attribute and the list of sites specified in the EmIE section of the v.1 version of the schema. - IE[x]. Where [x] is the document mode number into which the site loads.
- Default or not specified. Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored. -
- IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
- MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
- None or not specified. Opens in whatever browser the employee chooses. -
- <compat-mode>default</compat-mode>
- <open-in>none</open-in> | Internet Explorer 11 and Microsoft Edge | +|<compat-mode> |A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
- **IE8Enterprise.** Loads the site in IE8 Enterprise Mode.
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode. - **IE7Enterprise.** Loads the site in IE7 Enterprise Mode.
This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode**Important**
This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema. - **IE[x]**. Where [x] is the document mode number into which the site loads.
- **Default or not specified.** Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored. |Internet Explorer 11 | +|<open-in> |A child element that controls what browser is used for sites. This element supports the **Open in IE11** or **Open in Microsoft Edge** experiences, for devices running Windows 10.
- IE11. Opens the site in IE11, regardless of which browser is opened by the employee.
- MSEdge. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
- None or not specified. Opens in whatever browser the employee chooses. | Internet Explorer 11 and Microsoft Edge | ### Updated schema attributes The <url> attribute, as part of the <site> element in the v.2 version of the schema, replaces the <domain> element from the v.1 version of the schema. -
- | Internet Explorer 11 and Microsoft Edge|
+|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | Internet Explorer 11 and Microsoft Edge|
+|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
**Note**
Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com).
**Example**<site url="contoso.com:8080">
In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge| ### Deprecated attributes These v.1 version schema attributes have been deprecated in the v.2 version of the schema: -
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>- -
+|Deprecated attribute|New attribute|Replacement example| +|--- |--- |--- | +|forceCompatView|<compat-mode>|Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode>| +|docMode|<compat-mode>|Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode>| +|doNotTransition|<open-in>|Replace:- - - -Deprecated element/attribute -New element -Replacement example -- -forceCompatView -<compat-mode> -Replace forceCompatView="true" with <compat-mode>IE7Enterprise</compat-mode> -- -docMode -<compat-mode> -Replace docMode="IE5" with <compat-mode>IE5</compat-mode> -- -doNotTransition -<open-in> -Replace doNotTransition="true" with <open-in>none</open-in> -- -<domain> and <path> -<site> -Replace: - --<emie> - <domain>contoso.com</domain> -</emie>
-With: --<site url="contoso.com"/> - <compat-mode>IE8Enterprise</compat-mode> - <open-in>IE11</open-in> -</site>
--AND--Replace: -
-<emie> - <domain exclude="true" doNotTransition="true"> - contoso.com - <path forceCompatView="true">/about</path> - </domain> -</emie>
-With: --<site url="contoso.com/about"> - <compat-mode>IE7Enterprise</compat-mode> - <open-in>IE11</open-in> -</site>
<doNotTransition="true"> with <open-in>none</open-in>| +|<domain> and <path>|<site>|Replace:<emie>
With:
<domain>contoso.com</domain>
</emie><site url="contoso.com"/>
**-AND-**
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
Replace:<emie>
<domain exclude="true" donotTransition="true">contoso.com
<path forceCompatView="true">/about</path>
</domain>
</emie>
With:<site url="contoso.com/about">
<compat-mode>IE7Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>| While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features. diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 2fb2324ddc..66569c4674 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -126,96 +126,23 @@ Table 2 lists the settings in the Device Management node in the Google Admin Con Table 2. Settings in the Device Management node in the Google Admin Console --
- - +|Section |Settings | +|---------|---------| +|Network |- - -- - - - - -Section -Settings -- -Network -These settings configure the network connections for Chromebook devices and include the following settings categories:
--
-
Wi-Fi. Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.
-Ethernet. Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.
-VPN. Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.
-Certificates. Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.
-
- -Mobile -These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
--
-
Device management settings. Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
-Device activation. Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
-Managed devices. Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
-Set Up Apple Push Certificate. Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
-Set Up Android for Work. Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.
-
- - -Chrome management -These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
--
-
User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
-Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
-Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
-Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.
-App Management. Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.
-
These settings configure the network connections for Chromebook devices and include the following settings categories:
- **Wi-Fi.** Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.
- **Ethernet.** Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.
- **VPN.** Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.
- **Certificates.** Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network. |
+|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
- **Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.
- **Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.
- **Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.
- **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.
- **Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider. |
+|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:
- **User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
- **Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.
- **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.
- **Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices
- **App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices. |
Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows.
Table 3. Settings in the Security node in the Google Admin Console
-
-
- - +|Section|Settings| +|--- |--- | +|Basic settings|These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.- - -- - - - - -Section -Settings -- -Basic settings
These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.
-Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.
- -Password monitoring
This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.
- -API reference
This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.
- -Set up single sign-on (SSO)
This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.
- - -Advanced settings
This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.
Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.| +|Password monitoring|This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.| +|API reference|This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.| +|Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.| +|Advanced settings|This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.| **Identify locally-configured settings to migrate** @@ -428,62 +355,14 @@ Table 5 is a decision matrix that helps you decide if you can use only on-premis Table 5. Select on-premises AD DS, Azure AD, or hybrid --
- - +|If you plan to...|On-premises AD DS|Azure AD|Hybrid| +|--- |--- |--- |--- | +|Use Office 365||✔️|✔️| +|Use Intune for management||✔️|✔️| +|Use Microsoft Endpoint Manager for management|✔️||✔️| +|Use Group Policy for management|✔️||✔️| +|Have devices that are domain-joined|✔️||✔️| +|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||✔️|✔️| ### @@ -497,113 +376,17 @@ Table 6 is a decision matrix that lists the device, user, and app management pro Table 6. Device, user, and app management products and technologies -- - -- - - - - - - -If you plan to... -On-premises AD DS -Azure AD -Hybrid -- -Use Office 365 -- X -X -- -Use Intune for management -- X -X -- -Use Microsoft Endpoint Manager for management -X -- X -- -Use Group Policy for management -X -- X -- -Have devices that are domain-joined -X -- X -- - -Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined -- X -X --
- - +|Desired feature|Windows provisioning packages|Group Policy|Configuration Manager|Intune|MDT|Windows Software Update Services| +|--- |--- |--- |--- |--- |--- |--- | +|Deploy operating system images|✔️||✔️||✔️|| +|Deploy apps during operating system deployment|✔️||✔️||✔️|| +|Deploy apps after operating system deployment|✔️|✔️|✔️|||| +|Deploy software updates during operating system deployment|||✔️||✔️|| +|Deploy software updates after operating system deployment|✔️|✔️|✔️|✔️||✔️| +|Support devices that are domain-joined|✔️|✔️|✔️|✔️|✔️|| +|Support devices that are not domain-joined|✔️|||✔️|✔️|| +|Use on-premises resources|✔️|✔️|✔️||✔️|| +|Use cloud-based services||||✔️||| You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. @@ -665,35 +448,10 @@ It is important that you perform any network infrastructure remediation first be Table 7. Network infrastructure products and technologies and deployment resources -- - -- - - - - - - - - - -Desired feature -Windows provisioning packages -Group Policy -Configuration Manager -Intune -MDT -Windows Software Update Services -- -Deploy operating system images -X -- X -- X -- - -Deploy apps during operating system deployment -X -- X -- X -- - -Deploy apps after operating system deployment -X -X -X -- - - - -Deploy software updates during operating system deployment -- - X -- X -- - -Deploy software updates after operating system deployment -X -X -X -X -- X -- -Support devices that are domain-joined -X -X -X -X -X -- - -Support devices that are not domain-joined -X -- - X -X -- - -Use on-premises resources -X -X -X -- X -- - - -Use cloud-based services -- - - X -- - -
- +|Product or technology|Resources| +|--- |--- | +|DHCP|- - -- - - - - -Product or technology -Resources -- -DHCP -- - - -DNS -- - [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
- [DHCP Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10))| +|DNS|
- [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
- [Deploying Domain Name System (DNS)](/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10))|
If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section.
@@ -707,37 +465,10 @@ In the [Plan for Active Directory services](#plan-adservices) section, you deter
Table 8. AD DS, Azure AD and deployment resources
-
-
- - +|Product or technology|Resources| +|--- |--- | +|AD DS|- - -- - - - - -Product or technology -Resources -- -AD DS -- - - -Azure AD -- - [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))
- [Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))| +|Azure AD|
- [Azure Active Directory documentation](/azure/active-directory/)
- [Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259)
- [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
@@ -750,59 +481,13 @@ Table 9 lists the Microsoft management systems and the deployment resources for
Table 9. Management systems and deployment resources
-
-
- - +|Management system|Resources| +|--- |--- | +|Windows provisioning packages|- - -- - - - - -Management system -Resources -- -Windows provisioning packages -- - -Group Policy -- - -Configuration Manager -- - -Intune -- - - -MDT -- - [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
- [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)| +|Group Policy|
- [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))
- [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"| +|Configuration Manager|
- [Site Administration for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10))
- [Deploying Clients for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))| +|Intune|
- [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)
- [Smoother Management Of Office 365 Deployments with Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690263)
- [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/?l=fCzIjVKy_6404984382)| +|MDT|
- [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324)
- [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)|
If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
@@ -815,44 +500,11 @@ In this step, you need to configure your management system to deploy the apps to
Table 10. Management systems and app deployment resources
-
-
- - +|Management system|Resources| +|--- |--- | +|Group Policy|- - -- - - - - -Management system -Resources -- -Group Policy -- - -Configuration Manager -- - - -Intune -- - [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))
- [Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10))
- [Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))| +|Configuration Manager|
- [How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10))
- [Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))| +|Intune|
- [Deploy apps to mobile devices in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733913)
- [Manage apps with Microsoft Intune](/mem/intune/)|
If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 2bed22b247..2c43aa28c6 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -83,7 +83,7 @@ This district configuration has the following characteristics:
* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
-* Use [Intune](/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
+* Use [Intune](/intune/), [Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/set-up), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
* Each device supports a one-student-per-device or multiple-students-per-device scenario.
@@ -128,7 +128,7 @@ Office 365 Education allows:
* Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices).
-For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic).
+For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://www.microsoft.com/microsoft-365/academic/compare-office-365-education-plans).
### How to configure a district
@@ -225,80 +225,10 @@ Use the cloud-centric scenario and on-premises and cloud scenario as a guide for
To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
-
-
+|Method|Description| +|--- |--- | +|MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.- - -- - - - - - -Method -Description -- - -MDT -MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.
-
-Select this method when you:-
-
- Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.) -
- Don’t have an existing AD DS infrastructure. -
- Need to manage devices regardless of where they are (on or off premises). -
The advantages of this method are that:
--
-
- You can deploy Windows 10 operating systems. -
- You can manage device drivers during initial deployment. -
- You can deploy Windows desktop apps (during initial deployment) -
- It doesn’t require an AD DS infrastructure. -
- It doesn’t have additional infrastructure requirements. -
- MDT doesn’t incur additional cost: it’s a free tool. -
- You can deploy Windows 10 operating systems to institution-owned and personal devices. -
The disadvantages of this method are that it:
- --
-
- Can’t manage applications throughout entire application life cycle (by itself). -
- Can’t manage software updates for Windows 10 and apps (by itself). -
- Doesn’t provide antivirus and malware protection (by itself). -
- Has limited scaling to large numbers of users and devices. -
- - -Microsoft Endpoint Configuration Manager -Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
-
-Select this method when you:-
-
- Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined). -
- Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure). -
- Typically deploy Windows 10 to on-premises devices. -
The advantages of this method are that:
--
-
- You can deploy Windows 10 operating systems. -
- You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle. -
- You can manage software updates for Windows 10 and apps. -
- You can manage antivirus and malware protection. -
- It scales to large number of users and devices. -
The disadvantages of this method are that it:
--
-
- Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already). -
- Can deploy Windows 10 only to domain-joined (institution-owned devices). -
- Requires an AD DS infrastructure (if the institution does not have AD DS already). -
Select this method when you: - Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)
- Don’t have an existing AD DS infrastructure.
- Need to manage devices regardless of where they are (on or off premises).
The advantages of this method are that:
- You can deploy Windows 10 operating systems
- You can manage device drivers during initial deployment.
- You can deploy Windows desktop apps (during initial deployment)
- It doesn’t require an AD DS infrastructure.
- It doesn’t have additional infrastructure requirements.
- MDT doesn’t incur additional cost: it’s a free tool.
- You can deploy Windows 10 operating systems to institution-owned and personal devices.
The disadvantages of this method are that it:
- Can’t manage applications throughout entire application life cycle (by itself).
- Can’t manage software updates for Windows 10 and apps (by itself).
- Doesn’t provide antivirus and malware protection (by itself).
- Has limited scaling to large numbers of users and devices.| +|Microsoft Endpoint Configuration Manager|
- Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle
- You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.
Select this method when you: - Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).
- Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).
- Typically deploy Windows 10 to on-premises devices.
The advantages of this method are that: - You can deploy Windows 10 operating systems.
- You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.
- You can manage software updates for Windows 10 and apps.
- You can manage antivirus and malware protection.
- It scales to large number of users and devices.
The disadvantages of this method are that it: - Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).
- Can deploy Windows 10 only to domain-joined (institution-owned devices).
- Requires an AD DS infrastructure (if the institution does not have AD DS already).|
*Table 2. Deployment methods*
@@ -317,81 +247,10 @@ If you have only one device to configure, manually configuring that one device i
For a district, there are many ways to manage the configuration setting for users and devices. Table 4 lists the methods that this guide describes and recommends. Use this information to determine which combination of configuration setting management methods is right for your institution.
-
-
+|Method|Description| +|--- |--- | +|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.- - -- - - - - - -Method -Description -- -Group Policy -Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.
- -
-Select this method when you:-
-
- Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined). -
- Want more granular control of device and user settings. -
- Have an existing AD DS infrastructure. -
- Typically manage on-premises devices. -
- Can manage a required setting only by using Group Policy. -
The advantages of this method include:
--
-
- No cost beyond the AD DS infrastructure. -
- A larger number of settings (compared to Intune). -
The disadvantages of this method are that it:
--
-
- Can only manage domain-joined (institution-owned devices). -
- Requires an AD DS infrastructure (if the institution does not have AD DS already). -
- Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect). -
- Has rudimentary app management capabilities. -
- Cannot deploy Windows 10 operating systems. -
- - - -Intune -Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
- -
-Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
-Select this method when you:-
-
- Want to manage institution-owned and personal devices (does not require that the device be domain joined). -
- Don’t need granular control over device and user settings (compared to Group Policy). -
- Don’t have an existing AD DS infrastructure. -
- Need to manage devices regardless of where they are (on or off premises). -
- Want to provide application management for the entire application life cycle. -
- Can manage a required setting only by using Intune. -
The advantages of this method are that:
--
-
- You can manage institution-owned and personal devices. -
- It doesn’t require that devices be domain joined. -
- It doesn’t require any on-premises infrastructure. -
- It can manage devices regardless of their location (on or off premises). -
The disadvantages of this method are that it:
--
-
- Carries an additional cost for Intune subscription licenses. -
- Doesn’t offer granular control over device and user settings (compared to Group Policy). -
- Cannot deploy Windows 10 operating systems. -
Select this method when you - Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).
- Want more granular control of device and user settings.
- Have an existing AD DS infrastructure.
- Typically manage on-premises devices.
- Can manage a required setting only by using Group Policy.
The advantages of this method include: - No cost beyond the AD DS infrastructure.
- A larger number of settings (compared to Intune).
The disadvantages of this method are that it: - Can only manage domain-joined (institution-owned devices).
- Requires an AD DS infrastructure (if the institution does not have AD DS already).
- Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).
- Has rudimentary app management capabilities.
- Cannot deploy Windows 10 operating systems.|
+|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.
Select this method when you: - Want to manage institution-owned and personal devices (does not require that the device be domain joined).
- Don’t need granular control over device and user settings (compared to Group Policy).
- Don’t have an existing AD DS infrastructure.
- Need to manage devices regardless of where they are (on or off premises).
- Want to provide application management for the entire application life cycle.
- Can manage a required setting only by using Intune.
The advantages of this method are that: - You can manage institution-owned and personal devices.
- It doesn’t require that devices be domain joined.
- It doesn’t require any on-premises infrastructure.
- It can manage devices regardless of their location (on or off premises).
The disadvantages of this method are that it: - Carries an additional cost for Intune subscription licenses.
- Doesn’t offer granular control over device and user settings (compared to Group Policy).
- Cannot deploy Windows 10 operating systems.|
*Table 4. Configuration setting management methods*
@@ -410,114 +269,11 @@ For a district, there are many ways to manage apps and software updates. Table 6
Use the information in Table 6 to determine which combination of app and update management products is right for your district.
-
-
+|Selection|Management method| +|--- |--- | +|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:- - -- - - - - - -Selection -Management method -- - -Microsoft Endpoint Configuration Manager -Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.
-
Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications.
Select this method when you:-
-
- Selected Configuration Manager to deploy Windows 10. -
- Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined). -
- Want to manage AD DS domain-joined devices. -
- Have an existing AD DS infrastructure. -
- Typically manage on-premises devices. -
- Want to deploy operating systems. -
- Want to provide application management for the entire application life cycle. -
The advantages of this method are that:
--
-
- You can deploy Windows 10 operating systems. -
- You can manage applications throughout the entire application life cycle. -
- You can manage software updates for Windows 10 and apps. -
- You can manage antivirus and malware protection. -
- It scales to large numbers of users and devices. -
The disadvantages of this method are that it:
--
-
- Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already). -
- Carries an additional cost for Windows Server licenses and the corresponding server hardware. -
- Can only manage domain-joined (institution-owned devices). -
- Requires an AD DS infrastructure (if the institution does not have AD DS already). -
- Typically manages on-premises devices (unless devices through VPN or DirectAccess). -
- - -Intune -Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
-
-Select this method when you:-
-
- Selected MDT only to deploy Windows 10. -
- Want to manage institution-owned and personal devices that are not domain joined. -
- Want to manage Azure AD domain-joined devices. -
- Need to manage devices regardless of where they are (on or off premises). -
- Want to provide application management for the entire application life cycle. -
The advantages of this method are that:
--
-
- You can manage institution-owned and personal devices. -
- It doesn’t require that devices be domain joined. -
- It doesn’t require on-premises infrastructure. -
- It can manage devices regardless of their location (on or off premises). -
- You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition). -
The disadvantages of this method are that it:
--
-
- Carries an additional cost for Intune subscription licenses. -
- Cannot deploy Windows 10 operating systems. -
- - - -Microsoft Endpoint Manager and Intune (hybrid) -Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
-
-Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
-Select this method when you:-
-
- Selected Microsoft Endpoint Manager to deploy Windows 10. -
- Want to manage institution-owned and personal devices (does not require that the device be domain joined). -
- Want to manage domain-joined devices. -
- Want to manage Azure AD domain-joined devices. -
- Have an existing AD DS infrastructure. -
- Want to manage devices regardless of their connectivity. -
- Want to deploy operating systems. -
- Want to provide application management for the entire application life cycle. -
The advantages of this method are that:
--
-
- You can deploy operating systems. -
- You can manage applications throughout the entire application life cycle. -
- You can scale to large numbers of users and devices. -
- You can support institution-owned and personal devices. -
- It doesn’t require that devices be domain joined. -
- It can manage devices regardless of their location (on or off premises). -
The disadvantages of this method are that it:
--
-
- Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already). -
- Carries an additional cost for Windows Server licenses and the corresponding server hardware. -
- Carries an additional cost for Intune subscription licenses. -
- Requires an AD DS infrastructure (if the institution does not have AD DS already). -
- Selected Configuration Manager to deploy Windows 10.
- Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
- Want to manage AD DS domain-joined devices.
- Have an existing AD DS infrastructure.
- Typically manage on-premises devices.
- Want to deploy operating systems.
- Want to provide application management for the entire application life cycle.
The advantages of this method are that: - You can deploy Windows 10 operating systems.
- You can manage applications throughout the entire application life cycle.
- You can manage software updates for Windows 10 and apps.
- You can manage antivirus and malware protection.
- It scales to large numbers of users and devices.
The disadvantages of this method are that it: - Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
- Carries an additional cost for Windows Server licenses and the corresponding server hardware.
- Can only manage domain-joined (institution-owned devices).
- Requires an AD DS infrastructure (if the institution does not have AD DS already).
- Typically manages on-premises devices (unless devices through VPN or DirectAccess).|
+|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.
Select this method when you: - Selected MDT only to deploy Windows 10.
- Want to manage institution-owned and personal devices that are not domain joined.
- Want to manage Azure AD domain-joined devices.
- Need to manage devices regardless of where they are (on or off premises).
- Want to provide application management for the entire application life cycle.
The advantages of this method are that: - You can manage institution-owned and personal devices.
- It doesn’t require that devices be domain joined.
- It doesn’t require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).
- You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).
The disadvantages of this method are that it: - Carries an additional cost for Intune subscription licenses.
- Cannot deploy Windows 10 operating systems.|
+|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
Select this method when you: - Selected Microsoft Endpoint Manager to deploy Windows 10.
- Want to manage institution-owned and personal devices (does not require that the device be domain joined).
- Want to manage domain-joined devices.
- Want to manage Azure AD domain-joined devices.
- Have an existing AD DS infrastructure.
- Want to manage devices regardless of their connectivity.vWant to deploy operating systems.
- Want to provide application management for the entire application life cycle.
The advantages of this method are that: - You can deploy operating systems.
- You can manage applications throughout the entire application life cycle.
- You can scale to large numbers of users and devices.
- You can support institution-owned and personal devices.
- It doesn’t require that devices be domain joined.
- It can manage devices regardless of their location (on or off premises).
The disadvantages of this method are that it: - Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).
- Carries an additional cost for Windows Server licenses and the corresponding server hardware.
- Carries an additional cost for Intune subscription licenses.
- Requires an AD DS infrastructure (if the institution does not have AD DS already).|
*Table 6. App and update management products*
@@ -683,7 +439,7 @@ Now that you have created your new Office 365 Education subscription, add the do
To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
> [!NOTE]
-> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush).
+> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up FAQ](/microsoft-365/education/deploy/office-365-education-self-sign-up).
Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
@@ -695,7 +451,7 @@ You will always want faculty and students to join the Office 365 tenant that you
> [!NOTE]
> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
-By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up).
|Action |Windows PowerShell command|
|-------|--------------------------|
@@ -714,7 +470,7 @@ To reduce your administrative effort, automatically assign Office 365 Education
> [!NOTE]
> By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
-Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
+Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up).
|Action |Windows PowerShell command|
|-------|--------------------------|
@@ -935,7 +691,7 @@ You can use the Microsoft 365 admin center to add individual Office 365 accounts
The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 9. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts.
-For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365 - Admin help](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US).
+For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Microsoft 365](/microsoft-365/enterprise/add-several-users-at-the-same-time).
> [!NOTE]
> If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
@@ -949,7 +705,7 @@ Assign SharePoint Online resource permissions to Office 365 security groups, not
> [!NOTE]
> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
-For information about creating security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
+For information about creating security groups, see [Create an Office 365 Group in the admin center](/microsoft-365/admin/create-groups/create-groups).
You can add and remove users from security groups at any time.
@@ -966,7 +722,7 @@ You can create email distribution groups based on job role (such as teacher, adm
> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps.
-For information about creating email distribution groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
+For information about creating email distribution groups, see [Create a Microsoft 365 group in the admin center](/microsoft-365/admin/create-groups/create-groups).
#### Summary
@@ -1083,63 +839,11 @@ This guide discusses thick image deployment. For information about thin image de
### Select a method to initiate deployment
The LTI deployment process is highly automated: it requires minimal information to deploy or upgrade Windows 10. The ZTI deployment process is fully automated, but you must manually initiate it. To do so, use the method listed in Table 15 that best meets the needs of your institution.
-
-
+|Method|Description and reason to select this method| +|--- |--- | +|Windows Deployment Services|This method:- - -- - - - - - - -Method -Description and reason to select this method - -- - -Windows Deployment Services -This method:
--
-
- Uses diskless booting to initiate LTI and ZTI deployments. -
- Works only with devices that support PXE boot. -
- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media. -
- Deploys images more slowly than when you use local media. -
- Requires that you deploy a Windows Deployment Services server. -
Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server. -- - -Bootable media -This method:
--
-
- Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD. -
- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media. -
- Deploys images more slowly than when using local media. -
- Requires no additional infrastructure. -
Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. -- - - -Deployment media -This method:
--
-
- Initiates LTI or ZTI deployment by booting from a local USB hard disk. -
- Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods. -
- Deploys images more quickly than network-based methods do. -
- Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB). -
Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk. - - Uses diskless booting to initiate LTI and ZTI deployments.
- Works only with devices that support PXE boot.
- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
- Deploys images more slowly than when you use local media.
- Requires that you deploy a Windows Deployment Services server.
Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.| +|Bootable media|This method: - Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.
- Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
- Deploys images more slowly than when using local media.
- Requires no additional infrastructure.
Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.| +|Deployment media|This method: - Initiates LTI or ZTI deployment by booting from a local USB hard disk.
- Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
- Deploys images more quickly than network-based methods do.
- Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk. *Table 15. Methods to initiate LTI and ZTI deployments* @@ -1154,91 +858,14 @@ Before you can deploy Windows 10 and your apps to devices, you need to prepare y The first step in preparing for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 16 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 16. --
+|Task|Description| +|--- |--- | +|1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| +|2. Import device drivers|Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.- - -- - - - - - - - -Task -Description - -- - -1. Import operating systems -Import the operating systems that you selected in the Select the operating systems section into the deployment share. For more information about how to import operating systems, see Import an Operating System into the Deployment Workbench. -- - -2. Import device drivers -Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat. -
-Import device drivers for each device in your institution. For more information about how to import device drivers, see Import Device Drivers into the Deployment Workbench. -- - -3. Create MDT applications for Microsoft Store apps -Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10. -
-Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:
--
-
- For offline-licensed apps, download the .appx files from the Microsoft Store for Business. -
- For apps that are not offline licensed, obtain the .appx files from the app software vendor directly. -
If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
-If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune and Deploy and manage apps by using Microsoft Endpoint Configuration Manager sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
-In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
--
-
- Prepare your environment for sideloading, see Try it out: sideload Microsoft Store apps. -
- Create an MDT application, see Create a New Application in the Deployment Workbench. -
- - -4. Create MDT applications for Windows desktop apps -You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them. -
-To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool.
-If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps. -
-Note You can also deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section. - -For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt). - -- - -5. Create task sequences -You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:
--
-
- Deploy 64-bit Windows 10 Education to devices. -
- Deploy 32-bit Windows 10 Education to devices. -
- Upgrade existing devices to 64-bit Windows 10 Education. -
- Upgrade existing devices to 32-bit Windows 10 Education. -
Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see Create a New Task Sequence in the Deployment Workbench. - -- - - - -6. Update the deployment share -Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services. -
-For more information about how to update a deployment share, see Update a Deployment Share in the Deployment Workbench. - -
Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)| +|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.
Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks: - For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
- For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.
If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.
If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.
In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to: - Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).
- Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).|
+|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).
If you have Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.
This is the preferred method for deploying and managing Windows desktop apps.
**Note:** You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).| +|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will: - Deploy 64-bit Windows 10 Education to devices.
- Deploy 32-bit Windows 10 Education to devices.
- Upgrade existing devices to 64-bit Windows 10 Education.
- Upgrade existing devices to 32-bit Windows 10 Education.
Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).| +|6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).| *Table 16. Tasks to configure the MDT deployment share* @@ -1430,116 +1057,20 @@ Microsoft has several recommended settings for educational institutions. Table 1 Use the information in Table 17 to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. --
- - -- - - - - - - -Recommendation -Description - -- - -Use of Microsoft accounts -You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts. -
- -**Note** Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
-**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
-**Intune.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. - -- - -Restrict the local administrator accounts on the devices -Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices. -
-Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
-Intune. Not available. - -- - -Manage the built-in administrator account created during device deployment -When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it. -
-Group Policy. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group Policy setting. For more information about how to rename the built-in Administrator account, see To rename the Administrator account using the Group Policy Management Console. You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group Policy setting. For more information about how to disable the built-in Administrator account, see Accounts: Administrator account status.
-Intune. Not available. - -- - -Control Microsoft Store access -You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise. -
-Group Policy. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?.
-Intune. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy. - -- +|Recommendation|Description| +|--- |--- | +|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.Use of Remote Desktop connections to devices -Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices. -
-Group Policy. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
-Intune. Not available. - -
**Note** Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.| +|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
**Group Policy**. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
**Intune**. Not available.| +|Manage the built-in administrator account created during device deployment|When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.
**Group Policy**. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).
**Intune**. Not available.| +|Control Microsoft Store access|You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.
**Group policy**. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?
**Intune**. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.| +|Use of Remote Desktop connections to devices|Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.
**Group policy**. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.
**Intune**. Not available.| +|Use of camera|A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.
**Group policy**. Not available.
**Intune**. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy.| +|Use of audio recording|Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
**Group policy**. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) and [Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11)).
**Intune**. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.| +|Use of screen capture|Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.
**Group policy**. Not available.
**Intune**. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy.| +|Use of location services|Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.
**Group policy**. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.
**Intune**. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy.| +|Changing wallpaper|Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices.
**Group policy**. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.
**Intune**. Not available.| -- - -Use of camera -A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices. -
-Group Policy. Not available.
-Intune. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy. - -- - -Use of audio recording -Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices. -
-Group Policy. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in Editing an AppLocker Policy and Create Your AppLocker Policies.
-Intune. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy. - -- - -Use of screen capture -Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices. -
-Group Policy. Not available.
-Intune. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy. - -- - -Use of location services -Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices. -
-Group Policy. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.
-Intune. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy. - -- - - -Changing wallpaper -Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices. -
-Group Policy. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.
-Intune. Not available. - -
Table 17. Recommended settings for educational institutions @@ -1719,205 +1250,23 @@ After the initial deployment, you need to perform certain tasks to maintain the Table 19 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks. --
-- - -- - - - - - - -Task and resources -Monthly -New semester or academic year -As required -- - -Verify that Windows Update is active and current with operating system and software updates. -
-For more information about completing this task when you have: --
-
- Intune, see Keep Windows PCs up to date with software updates in Microsoft Intune. -
- Group Policy, see Windows Update for Business. -
- WSUS, see Windows Server Update Services. -
- Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help. -
x -x -x -- - -Verify that Windows Defender is active and current with malware Security intelligence. -
-For more information about completing this task, see Turn Windows Defender on or off and Updating Windows Defender. -x -x -x -- - -Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found. -
-For more information about completing this task, see the “How do I find and remove a virus?” topic in Protect my PC from viruses. -x -x -x -- - -Download and approve updates for Windows 10, apps, device driver, and other software. -
-For more information, see: - -x -x -x -- - -Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business). -
-For more information about Windows 10 servicing options for updates and upgrades, see Windows 10 servicing options. -- x -x -- - -Refresh the operating system and apps on devices. -
-For more information about completing this task, see the following resources: - -- x -x -- - -Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum. -
-For more information, see: - -- x -x -- - -Install new or update existing Microsoft Store apps used in the curriculum. -
-Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
-You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. For more information, see: - -- x -x -- - - -Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure). -
-For more information about how to: --
-
- Remove unnecessary user accounts, see Active Directory Administrative Center. -
- Remove licenses, see Assign or remove licenses for Office 365 for business. -
- x -x -- - -Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure). -
-For more information about how to: --
-
- Add user accounts, see Bulk-import user and group accounts into AD DS. -
- Assign licenses, see Assign or remove licenses for Office 365 for business. -
- x -x -- - -Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure). -
-For more information about how to: --
-
- Remove unnecessary user accounts, see Delete or restore users. -
- Remove licenses, see Assign or remove licenses for Office 365 for business. -
- x -x -- - -Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure). -
-For more information about how to: --
-
- Add user accounts, see Add users to Office 365 for business and Add users individually or in bulk to Office 365. -
- Assign licenses, see Assign or remove licenses for Office 365 for business. -
- x -x -- - -Create or modify security groups, and manage group membership in Office 365. -
-For more information about how to: --
-
- Create or modify security groups, see Create an Office 365 Group in the admin center. -
- Manage group membership, see Manage Group membership in the admin center. -
- x -x -- - -Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365. -
-For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see Create and manage distribution groups and Create, edit, or delete a security group. -- x -x -- - - -Install new student devices. -
-Follow the same steps you followed in the Deploy Windows 10 to devices section. -- - x -
+|Task and resources|Monthly|New semester or academic year|As required| +|--- |--- |--- |--- | +|Verify that Windows Update is active and current with operating system and software updates.
For more information about completing this task when you have: - Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
- Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
- WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).
Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️| +|Verify that Windows Defender is active and current with malware Security intelligence.
For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03).|✔️|✔️|✔️| +|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.
For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️| +|Download and approve updates for Windows 10, apps, device driver, and other software.
For more information, see: - [Manage updates by using Intune](#manage-updates-by-using-intune)
- [Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️|
+|Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️| +|Refresh the operating system and apps on devices.
For more information about completing this task, see the following resources: - [Prepare for deployment](#prepare-for-deployment)
- [Capture the reference image](#capture-the-reference-image)
- [Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️|
+|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.
For more information, see: - [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
- [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
+|Install new or update existing Microsoft Store apps used in the curriculum.
Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.
You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration.
For more information, see: - [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)
- [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
+|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
For more information about how to: - Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)
- Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
+|Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).
For more information about how to: - Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)
- Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
+|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).
For more information about how to: - Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)
- Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
+|Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).
For more information about how to: - Add user accounts, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
- Assign licenses, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
+|Create or modify security groups, and manage group membership in Office 365.
For more information about how to: - Create or modify security groups, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups)
- Manage group membership, see [Manage Group membership](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups).||✔️|✔️|
+|Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and [Create, edit, or delete a security group](/microsoft-365/admin/email/create-edit-or-delete-a-security-group).||✔️|✔️| +|Install new student devices.
Follow the same steps you followed in the[Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.|||✔️| *Table 19. School and individual classroom maintenance tasks, with resources and the schedule for performing them* @@ -1936,4 +1285,4 @@ You have now identified the tasks you need to perform monthly, at the end of an * [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md) * [Reprovision devices at the end of the school year (video)](./index.md) * [Use MDT to deploy Windows 10 in a school (video)](./index.md) -* [Use Microsoft Store for Business in a school environment (video)](./index.md) \ No newline at end of file +* [Use Microsoft Store for Business in a school environment (video)](./index.md) diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index b3eed6f968..82ea8add54 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md @@ -164,184 +164,164 @@ For more information, see [Manage settings in the Store for Business](manage-set Store for Business and Education is currently available in these markets. ### Support for free and paid products --
+ +- Afghanistan +- Algeria +- Andorra +- Angola +- Anguilla +- Antigua and Barbuda +- Argentina +- Australia +- Austria +- Bahamas +- Bahrain +- Bangladesh +- Barbados +- Belgium +- Belize +- Bermuda +- Benin +- Bhutan +- Bolivia +- Bonaire +- Botswana +- Brunei Darussalam +- Bulgaria +- Burundi +- Cambodia +- Cameroon +- Canada +- Cayman Islands +- Chile +- Colombia +- Comoros +- Costa Rica +- Côte D'ivoire +- Croatia +- Curçao +- Cyprus +- Czech Republic +- Denmark +- Dominican Republic +- Ecuador +- Egypt +- El Salvador +- Estonia +- Ethiopia +- Faroe Islands +- Fiji +- Finland +- France +- French Guiana +- French Polynesia +- Germany +- Ghana +- Greece +- Greenland +- Guadeloupe +- Guatemala +- Honduras +- Hong Kong SAR +- Hungary +- Iceland +- Indonesia +- Iraq +- Ireland +- Israel +- Italy +- Jamaica +- Japan +- Jersey +- Jordan +- Kenya +- Kuwait +- Laos +- Latvia +- Lebanon +- Libya +- Liechtenstein +- Lithuania +- Luxembourg +- Macedonia +- Madagascar +- Malawi +- Malaysia +- Maldives +- Mali +- Malta +- Marshall Islands +- Martinique +- Mauritius +- Mayotte +- Mexico +- Mongolia +- Montenegro +- Morocco +- Mozambique +- Myanamar +- Namibia +- Nepal +- Netherlands +- New Caledonia +- New Zealand +- Nicaragua +- Nigeria +- Norway +- Oman +- Pakistan +- Palestinian Authority +- Panama +- Papua New Guinea +- Paraguay +- Peru +- Philippines +- Poland +- Portugal +- Qatar +- Republic of Cabo Verde +- Reunion +- Romania +- Rwanda +- Saint Kitts and Nevis +- Saint Lucia +- Saint Martin +- Saint Vincent and the Grenadines +- San marino +- Saudi Arabia +- Senegal +- Serbia +- Seychelles +- Singapore +- Sint Maarten +- Slovakia +- Slovenia +- South Africa +- Spain +- Sri Lanka +- Suriname +- Sweden +- Switzerland +- Tanzania +- Thailand +- Timor-Leste +- Togo +- Tonga +- Trinidad and Tobago +- Tunisia +- Turkey +- Turks and Caicos Islands +- Uganda +- United Arab Emirates +- United Kingdom +- United States +- Uruguay +- Vatican City +- Viet Nam +- Virgin Islands, U.S. +- Zambia +- Zimbabwe + ### Support for free apps Customers in these markets can use Microsoft Store for Business and Education to acquire free apps: diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index 3983d8787c..0bfd675b91 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -24,56 +24,15 @@ Use the following procedure to configure the App-V for reporting. 2. After you have enabled the App-V client, use the **Set-AppvClientConfiguration** cmdlet to configure appropriate Reporting Configuration settings: -- -Supports all free and paid products -- -- --
-
- Afghanistan -
- Algeria -
- Andorra -
- Angola -
- Anguilla -
- Antigua and Barbuda -
- Argentina -
- Australia -
- Austria -
- Bahamas -
- Bahrain -
- Bangladesh -
- Barbados -
- Belgium -
- Belize -
- Bermuda -
- Benin -
- Bhutan -
- Bolivia -
- Bonaire -
- Botswana -
- Brunei Darussalam -
- Bulgaria -
- Burundi -
- Cambodia -
- Cameroon -
- Canada -
- Cayman Islands -
- Chile -
- Colombia -
- Comoros -
- Costa Rica -
- Côte D'ivoire -
- Croatia -
- Curçao -
- Cyprus -
- Czech Republic -
- Denmark -
- Dominican Republic -
- Ecuador -
- --
-
- Egypt -
- El Salvador -
- Estonia -
- Ethiopia -
- Faroe Islands -
- Fiji -
- Finland -
- France -
- French Guiana -
- French Polynesia -
- Germany -
- Ghana -
- Greece -
- Greenland -
- Guadeloupe -
- Guatemala -
- Honduras -
- Hong Kong SAR -
- Hungary -
- Iceland -
- Indonesia -
- Iraq -
- Ireland -
- Israel -
- Italy -
- Jamaica -
- Japan -
- Jersey -
- Jordan -
- Kenya -
- Kuwait -
- Laos -
- Latvia -
- Lebanon -
- Libya -
- Liechtenstein -
- Lithuania -
- Luxembourg -
- Macedonia -
- Madagascar -
- --
-
- Malawi -
- Malaysia -
- Maldives -
- Mali -
- Malta -
- Marshall Islands -
- Martinique -
- Mauritius -
- Mayotte -
- Mexico -
- Mongolia -
- Montenegro -
- Morocco -
- Mozambique -
- Myanamar -
- Namibia -
- Nepal -
- Netherlands -
- New Caledonia -
- New Zealand -
- Nicaragua -
- Nigeria -
- Norway -
- Oman -
- Pakistan -
- Palestinian Authority -
- Panama -
- Papua New Guinea -
- Paraguay -
- Peru -
- Philippines -
- Poland -
- Portugal -
- Qatar -
- Republic of Cabo Verde -
- Reunion -
- Romania -
- Rwanda -
- Saint Kitts and Nevis -
- --
-
- Saint Lucia -
- Saint Martin -
- Saint Vincent and the Grenadines -
- San marino -
- Saudi Arabia -
- Senegal -
- Serbia -
- Seychelles -
- Singapore -
- Sint Maarten -
- Slovakia -
- Slovenia -
- South Africa -
- Spain -
- Sri Lanka -
- Suriname -
- Sweden -
- Switzerland -
- Tanzania -
- Thailand -
- Timor-Leste -
- Togo -
- Tonga -
- Trinidad and Tobago -
- Tunisia -
- Turkey -
- Turks and Caicos Islands -
- Uganda -
- United Arab Emirates -
- United Kingdom -
- United States -
- Uruguay -
- Vatican City -
- Viet Nam -
- Virgin Islands, U.S. -
- Zambia -
- Zimbabwe
-
- - +|Setting|Description| +|--- |--- | +|ReportingEnabled|Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.| +|ReportingServerURL|Specifies the location on the reporting server where client information is saved. For example, https://<reportingservername>:<reportingportnumber>.- - -- - - - - -Setting -Description -- -ReportingEnabled
Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.
- -ReportingServerURL
Specifies the location on the reporting server where client information is saved. For example, https://<reportingservername>:<reportingportnumber>.
-- Note-This is the port number that was assigned during the Reporting Server setup
-- -- -Reporting Start Time
This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.
- -ReportingRandomDelay
Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.
- -ReportingInterval
Specifies the retry interval that the client will use to resend data to the reporting server.
- -ReportingDataCacheLimit
Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.
- - -ReportingDataBlockSize
Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.
**Note:**
This is the port number that was assigned during the Reporting Server setup| +|Reporting Start Time|This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.| +|ReportingRandomDelay|Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.| +|ReportingInterval|Specifies the retry interval that the client will use to resend data to the reporting server.| +|ReportingDataCacheLimit|Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.| +|ReportingDataBlockSize|Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.| 3. After the appropriate settings have been configured, the computer running the App-V client will automatically collect data and will send the data back to the reporting server. diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index 88a684ce46..ab5b11444d 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -69,28 +69,10 @@ This topic explains the following procedures: 2. Use the following cmdlets, and add the optional **–UserSID** parameter, where **-UserSID** represents the end user’s security identifier (SID): --
+ |Cmdlet|Examples| + |--- |--- | + |Enable-AppVClientConnectionGroup|Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345| + |Disable-AppVClientConnectionGroup|Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345| ## To allow only administrators to enable connection groups @@ -102,33 +84,9 @@ This topic explains the following procedures: 2. Run the following cmdlet and parameter: -- - -- - - - - -Cmdlet -Examples -- -Enable-AppVClientConnectionGroup
Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345
- - -Disable-AppVClientConnectionGroup
Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345
-
- - + |Cmdlet|Parameter and values|Example| + |--- |--- |--- | + |Set-AppvClientConfiguration|-RequirePublishAsAdmin- - -- - - - - - -Cmdlet -Parameter and values -Example -- - -Set-AppvClientConfiguration
-RequirePublishAsAdmin
--
-
0 - False
- 1 - True
-
Set-AppvClientConfiguration -RequirePublishAsAdmin 1
- 0 - False
- 1 - True|Set-AppvClientConfiguration -RequirePublishAsAdmin
1|
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index bfbd7fe594..0f8cf76315 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -24,50 +24,16 @@ In some previous versions of App-V, connection groups were referred to as Dynami **In this section:** --
- - - - - +|Links|Description| +|--- |--- | +|[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)|Describes the connection group virtual environment.| +|[About the Connection Group File](appv-connection-group-file.md)|Describes the connection group file.| +|[How to Create a Connection Group](appv-create-a-connection-group.md)|Explains how to create a new connection group.| +|[How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)|Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.| +|[How to Delete a Connection Group](appv-delete-a-connection-group.md)|Explains how to delete a connection group.| +|[How to Publish a Connection Group](appv-publish-a-connection-group.md)|Explains how to publish a connection group.| +|[How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)|Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.| +[How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)|Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.|- - -- - - -- Describes the connection group virtual environment.
- -- Describes the connection group file.
- -- Explains how to create a new connection group.
- -How to Create a Connection Group with User-Published and Globally Published Packages
Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.
- -- Explains how to delete a connection group.
- -- Explains how to publish a connection group.
- -- Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.
- -How to Allow Only Administrators to Enable Connection Groups
Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index 894d080a23..7d268f0f29 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -26,35 +26,9 @@ You can now use the package converter to convert App-V 4.6 packages that contain You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom-AppvLegacyPackage` cmdlet to specify which .osd files’ information is converted and placed within the new package. --
- - +|New in App-V for Windows client|Prior to App-V for Windows 10| +|--- |--- | +|New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:- - -- - - - - -New in App-V for Windows client -Prior to App-V for Windows 10 -- - -New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:
--
-
environment variables
-shortcuts
-file type associations
-registry information
-scripts
-
You can now choose to add information from a subset of the .osd files in the source directory to the package using the
-OSDsToIncludeInPackageparameter.Registry information and scripts included in .osd files associated with a package were not included in package converter output.
-The package converter would populate the new package with information from all of the .osd files in the source directory.
- environment variables
- shortcuts
- file type associations
- registry information
- scripts
You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.|Registry information and scripts included in .osd files associated with a package were not included in package converter output.
The package converter would populate the new package with information from all of the .osd files in the source directory.| ### Example conversion statement @@ -102,65 +76,10 @@ ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\ **In the above example:** --
- - +|These Source directory files…|…are converted to these Destination directory files…|…and will contain these items|Description| +|--- |--- |--- |--- | +|- - -- - - - - - - -These Source directory files… -…are converted to these Destination directory files… -…and will contain these items -Description -- --
-
X.osd
-Y.osd
-Z.osd
-
-
-
X_Config.xml
-Y_Config.xml
-Z_Config.xml
-
-
-
Environment variables
-Shortcuts
-File type associations
-Registry information
-Scripts
-
Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.
-In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.
- - --
-
X.osd
-Y.osd
-
-
-
ContosoApp.appv
-ContosoApp_DeploymentConfig.xml
-ContosoApp_UserConfig.xml
-
-
-
Environment variables
-Shortcuts
-File type associations
-
The information from the .osd files specified in the
--OSDsToIncludeInPackageparameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the
-OSDsToIncludeInPackageparameter. No information from Z.osd was included in the package, because it was not included as one of these arguments. - X.osd
- Y.osd
- Z.osd|
- X_Config.xml
- Y_Config.xml
- Z_Config.xml|
- Environment variables:
- Shortcuts
- File type associations
- Registry information
- Scripts|Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.
In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.| +| - X.osd
- Y.osd|
- ContosoApp.appv
- ContosoApp_DeploymentConfig.xml
- ContosoApp_UserConfig.xml|
- Environment variables
- Shortcuts
- File type associations|The information from the .osd files specified in the -OSDsToIncludeInPackage parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.
In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.| ## Converting packages created using a prior version of App-V @@ -175,34 +94,11 @@ After you convert an existing package you should test the package prior to deplo **What to know before you convert existing packages** --
- - +|Issue|Workaround| +|--- |--- | +|Virtual packages using DSC are not linked after conversion.|Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).| +|Environment variable conflicts are detected during conversion.|Resolve any conflicts in the associated **.osd** file.| +|Hard-coded paths are detected during conversion.|Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.| When converting a package check for failing files or shortcuts, locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path. @@ -218,39 +114,12 @@ If a converted package does not open after you convert it, it is also recommende There is no direct method to upgrade to a full App-V infrastructure. Use the information in the following section for information about upgrading the App-V server. -- - -- - - - - -Issue -Workaround -- -Virtual packages using DSC are not linked after conversion.
Link the packages using connection groups. See Managing Connection Groups.
- -Environment variable conflicts are detected during conversion.
Resolve any conflicts in the associated .osd file.
- - -Hard-coded paths are detected during conversion.
Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.
-
- - - +|Task|More Information| +|--- |--- | +|Review prerequisites.|[App-V Server prerequisite software](appv-prerequisites.md#app-v-server-prerequisite-software)| +|Enable the App-V client.|[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)| +|Install App-V Server.|[How to Deploy the App-V Server](appv-deploy-the-appv-server.md)| +|Migrate existing packages.|See [Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v) earlier in this topic.|- - -- - - - - -Task -More Information -- -Review prerequisites.
- - -Enable the App-V client.
- - -Install App-V Server.
- - - -Migrate existing packages.
See Converting packages created using a prior version of App-V earlier in this topic.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index a510b2460c..f58ed76669 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md @@ -1,6 +1,6 @@ --- title: Get seats -description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business. +description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business. ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F ms.reviewer: manager: dansimp @@ -18,118 +18,34 @@ The **Get seats** operation retrieves the information about active seats in the ## Request --
+**GET:** + +```http +https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults} +``` - ### URI parameters The following parameters may be specified in the request URI. -- - -- - - - - -Method -Request URI -- - -GET
https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults}
-
+|Parameter|Type|Description| +|--- |--- |--- | +|productId|string|Required. Product identifier for an application that is used by the Store for Business.| +|skuId|string|Required. Product identifier that specifies a specific SKU of an application.| +|continuationToken|string|Optional.| +|maxResults|int32|Optional. Default = 25, Maximum = 100| - ## Response ### Response body The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). -- - -- - - - - - -Parameter -Type -Description -- -productId
string
Required. Product identifier for an application that is used by the Store for Business.
- -skuId
string
Required. Product identifier that specifies a specific SKU of an application.
- -continuationToken
string
Optional.
- - -maxResults
int32
Optional. Default = 25, Maximum = 100
-
- - - - - - +|Error code|Description|Retry|Data field| +|--- |--- |--- |--- | +|400|Invalid parameters|No|Parameter name- - -- - - - - - - -Error code -Description -Retry -Data field -- -400
Invalid parameters
No
Parameter name
-Reason: Missing parameter or invalid parameter
-Details: String
- -404
Not found
- - - - -409
Conflict
- Reason: Not online
Reason: Missing parameter or invalid parameter
Details: String| +|404|Not found||| +|409|Conflict||Reason: Not online| diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 9c1b296ab6..47da5c6353 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -30,48 +30,42 @@ Windows 11 introduces an update to the device health attestation feature. This h The attestation report provides a health assessment of the boot-time properties of the device to ensure that the devices are automatically secure as soon as they power on. The health attestation result can then be used to allow or deny access to networks, apps, or services, depending on the health of the device. ### Terms -**TPM (Trusted Platform Module)** -TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.
-**DHA (Device HealthAttestation) feature** -The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
+- **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing. -**MAA-Session (Microsoft Azure Attestation service based device HealthAttestation session)** -The Microsoft Azure Attestation service-based device HealthAttestation session (MAA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
+- **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel. -**MAA-CSP Nodes (Microsoft Azure Attestation based Configuration Service Provider)** -The Configuration Service Provider nodes added to Windows 11 to integrate with Microsoft Azure Attestation Service.
-The following list of operations is performed by MAA-CSP:
--
-
- Receives attestation trigger requests from a HealthAttestation enabled MDM provider. -
- The device collects Attestation Evidence (device boot logs, TPM audit trails and the TPM certificate) from a managed device. -
- Forwards the Attestation Evidence to the Azure Attestation Service instance as configured by the MDM provider. -
- Receives a signed report from the Azure Attestation Service instance and stores it in a local cache on the device. -
-Attestation flow can be broadly in three main steps:
--
-
- An instance of the Azure Attestation service is set up with an appropriate attestation policy. The attestation policy allows the MDM provider to attest to particular events in the boot as well security features. -
- The MDM provider triggers a call to the attestation service, the device then performs an attestation check keeping the report ready to be retrieved. -
- The MDM provider after verifying the token is coming from the attestation service it can parse the attestation token to reflect on the attested state of the device. -
The root node for the device HealthAttestation configuration service provider.
+ +The root node for the device HealthAttestation configuration service provider. **TriggerAttestation** (Required) -Node type: EXECUTE -This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned. -
-Templated SyncML Call:
+Node type: EXECUTE + +This node will trigger attestation flow by launching an attestation process. If the attestation process is launched successfully, this node will return code 202 indicating the request is received and being processed. Otherwise, an error will be returned. + +Templated SyncML Call: ```xml@@ -127,16 +122,15 @@ This node will trigger attestation flow by launching an attestation process. If ``` -Data fields:
--
-
- rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. -
- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. -
- nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. -
- aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service. -
- cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes. -
Sample Data:
+- rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. +- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. +- nonce : This field contains an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. +- aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service. +- cv: This field contains an identifier(Correlation Vector) that will passed in to the service call, that can be used for diagnostics purposes. + +Sample Data: ```json @@ -151,12 +145,13 @@ This node will trigger attestation flow by launching an attestation process. If ``` **AttestStatus** -Node type: GET + +Node type: GET + This node will retrieve the status(HRESULT value) stored in registry updated by the attestation process triggered in the previous step. The status is always cleared prior to making the attest service call. -
-Templated SyncML Call:
+Templated SyncML Call: ```xml@@ -175,20 +170,21 @@ The status is always cleared prior to making the attest service call. ``` -Sample Data:
+Sample Data: -``` +```console If Successful: 0 If Failed: A corresponding HRESULT error code Example: 0x80072efd, WININET_E_CANNOT_CONNECT ``` **GetAttestReport** -Node type: GET -This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. -
-Templated SyncML Call:
+Node type: GET + +This node will retrieve the attestation report per the call made by the TriggerAttestation, if there is any, for the given MDM provider. The report is stored in a registry key in the respective MDM enrollment store. + +Templated SyncML Call: ```xml@@ -207,9 +203,9 @@ This node will retrieve the attestation report per the call made by the TriggerA ``` -Sample data:
+Sample data: -``` +```console If Success: JWT token: aaaaaaaaaaaaa.bbbbbbbbbbbbb.cccccccccc If failed: @@ -218,10 +214,12 @@ OR Sync ML 404 error if not cached report available. ``` **GetServiceCorrelationIDs** -Node type: GET -This node will retrieve the service-generated correlation IDs for the given MDM provider. If there are more than one correlation IDs, they are separated by ";" in the string. -
-Templated SyncML Call:
+ +Node type: GET + +This node will retrieve the service-generated correlation IDs for the given MDM provider. If there is more than one correlation ID, they are separated by “;” in the string. + +Templated SyncML Call: ```xml@@ -240,226 +238,220 @@ This node will retrieve the service-generated correlation IDs for the given MDM ``` -Sample data:
+Sample data: -> If success: -> GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM -> If Trigger Attestation call failed and no previous data is present. The field remains empty. -> Otherwise, the last service correlation id will be returned. In a successful attestation there are two -> calls between client and MAA and for each call the GUID is separated by semicolon. +```console +If success: +GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM +If Trigger Attestation call failed and no previous data is present. The field remains empty. +Otherwise, the last service correlation id will be returned. In a successful attestation there are two +calls between client and MAA and for each call the GUID is separated by semicolon. +``` -> **_Note:_** MAA CSP nodes are available on arm64 but is not currently supported. +> [!NOTE] +> > MAA CSP nodes are available on arm64 but is not currently supported. ### MAA CSP Integration Steps --
-
- Set up a MAA provider instance:
-MAA instance can be created following the steps here Quickstart: Set up Azure Attestation by using the Azure portal | Microsoft Docs.
- - Update the provider with an appropriate policy:
-The MAA instance should be updated with an appropriate policy. How to author an Azure Attestation policy | Microsoft Docs -
A Sample attestation policy: -``` -version=1.2; +1. Set up a MAA provider instance: MAA instance can be created following the steps at [Quickstart: Set up Azure Attestation by using the Azure portal](/azure/attestation/quickstart-portal]. -configurationrules{ -}; +2. Update the provider with an appropriate policy: The MAA instance should be updated with an appropriate policy. For more information, see [How to author an Azure Attestation policy](/azure/attestation/claim-rule-grammar). -authorizationrules { + A Sample attestation policy: + + ```console + version=1.2; + + configurationrules{ + }; + + authorizationrules { => permit(); -}; + }; -issuancerules{ + issuancerules{ -// SecureBoot enabled -c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']")); -c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'"))); -![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false); + // SecureBoot enabled + c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']")); + c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'"))); + ![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false); -// Retrieve bool properties -c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY")); -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY"))); -c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true)); -![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false); + // Retrieve bool properties + c:[type=="events", issuer=="AttestationService"] => add(type="boolProperties", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `19` || PcrIndex == `20`)].ProcessedData.EVENT_TRUSTBOUNDARY")); + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="codeIntegrityEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_CODEINTEGRITY"))); + c:[type=="codeIntegrityEnabledSet", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=ContainsOnlyValue(c.value, true)); + ![type=="codeIntegrityEnabled", issuer=="AttestationPolicy"] => issue(type="codeIntegrityEnabled", value=false); -// Bitlocker Boot Status, The first non zero measurement or zero. -c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); -c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]"))); -[type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true); -![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false); + // Bitlocker Boot Status, The first non zero measurement or zero. + c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); + c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => issue(type="bitlockerEnabledValue", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BITLOCKER_UNLOCK | @[? Value != `0`].Value | @[0]"))); + [type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=true); + ![type=="bitlockerEnabledValue"] => issue(type="bitlockerEnabled", value=false); -// Elam Driver (windows defender) Loaded -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`"))); -[type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true); -![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false); + // Elam Driver (windows defender) Loaded + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="elamDriverLoaded", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_LOADEDMODULE_AGGREGATION[] | [? EVENT_IMAGEVALIDATED == `true` && (equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wdboot.sys') || equals_ignore_case(EVENT_FILEPATH, '\\windows\\system32\\drivers\\wd\\wdboot.sys'))] | @ != `null`"))); + [type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=true); + ![type=="elamDriverLoaded", issuer=="AttestationPolicy"] => issue(type="WindowsDefenderElamDriverLoaded", value=false); -// Boot debugging -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING"))); -c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); -![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false); + // Boot debugging + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="bootDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_BOOTDEBUGGING"))); + c:[type=="bootDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); + ![type=="bootDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="bootDebuggingDisabled", value=false); -// Kernel Debugging -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG"))); -c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); -![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false); + // Kernel Debugging + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="osKernelDebuggingEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_OSKERNELDEBUG"))); + c:[type=="osKernelDebuggingEnabledSet", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=ContainsOnlyValue(c.value, false)); + ![type=="osKernelDebuggingDisabled", issuer=="AttestationPolicy"] => issue(type="osKernelDebuggingDisabled", value=false); -// DEP Policy -c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]"))); -![type=="depPolicy"] => issue(type="depPolicy", value=0); + // DEP Policy + c:[type=="boolProperties", issuer=="AttestationPolicy"] => issue(type="depPolicy", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_DATAEXECUTIONPREVENTION.Value | @[-1]"))); + ![type=="depPolicy"] => issue(type="depPolicy", value=0); -// Test Signing -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING"))); -c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false)); -![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false); + // Test Signing + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="testSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_TESTSIGNING"))); + c:[type=="testSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=ContainsOnlyValue(c.value, false)); + ![type=="testSigningDisabled", issuer=="AttestationPolicy"] => issue(type="testSigningDisabled", value=false); -// Flight Signing -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING"))); -c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false)); -![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false); + // Flight Signing + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="flightSigningEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_FLIGHTSIGNING"))); + c:[type=="flightSigningEnabledSet", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=ContainsOnlyValue(c.value, false)); + ![type=="flightSigningNotEnabled", issuer=="AttestationPolicy"] => issue(type="flightSigningNotEnabled", value=false); -// VSM enabled -c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); -c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED"))); -c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT"))); -c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true)); -![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false); -c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value); + // VSM enabled + c:[type=="events", issuer=="AttestationService"] => add(type="srtmDrtmEventPcr", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && (PcrIndex == `12` || PcrIndex == `19`)].ProcessedData.EVENT_TRUSTBOUNDARY")); + c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_VSM_REQUIRED"))); + c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="vbsEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_MANDATORY_ENFORCEMENT"))); + c:[type=="vbsEnabledSet", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=ContainsOnlyValue(c.value, true)); + ![type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=false); + c:[type=="vbsEnabled", issuer=="AttestationPolicy"] => issue(type="vbsEnabled", value=c.value); -// HVCI -c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value"))); -c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1)); -![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false); + // HVCI + c:[type=="srtmDrtmEventPcr", issuer=="AttestationPolicy"] => add(type="hvciEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_HVCI_POLICY | @[?String == 'HypervisorEnforcedCodeIntegrityEnable'].Value"))); + c:[type=="hvciEnabledSet", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=ContainsOnlyValue(c.value, 1)); + ![type=="hvciEnabled", issuer=="AttestationPolicy"] => issue(type="hvciEnabled", value=false); -// IOMMU -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED"))); -c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true)); -![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false); + // IOMMU + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="iommuEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_VBS_IOMMU_REQUIRED"))); + c:[type=="iommuEnabledSet", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=ContainsOnlyValue(c.value, true)); + ![type=="iommuEnabled", issuer=="AttestationPolicy"] => issue(type="iommuEnabled", value=false); -// Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements -// Find the first EV_SEPARATOR in PCR 12, 13, Or 14 -c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); -c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); -[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); + // Find the Boot Manager SVN, this is measured as part of a sequence and find the various measurements + // Find the first EV_SEPARATOR in PCR 12, 13, Or 14 + c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); + c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); + [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); -// Find the first EVENT_APPLICATION_SVN. -c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq")); -c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value)); -c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); + // Find the first EVENT_APPLICATION_SVN. + c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq")); + c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value)); + c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); -// The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN -c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); + // The first EVENT_APPLICATION_SVN. That value is the Boot Manager SVN + c1:[type=="bootMgrSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootMgrSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); -// OS Rev List Info -c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]"))); + // OS Rev List Info + c:[type=="events", issuer=="AttestationService"] => issue(type="osRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_OS_REVOCATION_LIST.RawData | @[0]"))); -// Safe mode -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE"))); -c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false)); -![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true); + // Safe mode + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="safeModeEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_SAFEMODE"))); + c:[type=="safeModeEnabledSet", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=ContainsOnlyValue(c.value, false)); + ![type=="notSafeMode", issuer=="AttestationPolicy"] => issue(type="notSafeMode", value=true); -// Win PE -c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE"))); -c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false)); -![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true); + // Win PE + c:[type=="boolProperties", issuer=="AttestationPolicy"] => add(type="winPEEnabledSet", value=JsonToClaimValue(JmesPath(c.value, "[*].EVENT_WINPE"))); + c:[type=="winPEEnabledSet", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=ContainsOnlyValue(c.value, false)); + ![type=="notWinPE", issuer=="AttestationPolicy"] => issue(type="notWinPE", value=true); -// CI Policy -c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData"))); + // CI Policy + c:[type=="events", issuer=="AttestationService"] => issue(type="codeIntegrityPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_SI_POLICY[].RawData"))); -// Secure Boot Custom Policy -c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]"))); + // Secure Boot Custom Policy + c:[type=="events", issuer=="AttestationService"] => issue(type="secureBootCustomPolicy", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && PcrIndex == `7` && ProcessedData.UnicodeName == 'CurrentPolicy' && ProcessedData.VariableGuid == '77FA9ABD-0359-4D32-BD60-28F4E78F784B'].ProcessedData.VariableData | @[0]"))); -// Find the first EV_SEPARATOR in PCR 12, 13, Or 14 -c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); -c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); -[type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present + // Find the first EV_SEPARATOR in PCR 12, 13, Or 14 + c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq")); + c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`")); + [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` "); // No restriction of EV_SEPARATOR in case it is not present -//Finding the Boot App SVN -// Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR -c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`")); -c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq")); -c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value)); + //Finding the Boot App SVN + // Find the first EVENT_TRANSFER_CONTROL with value 1 or 2 in PCR 12 which is before the EV_SEPARATOR + c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="bootMgrSvnSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepAfterBootMgrSvnClause", value=AppendString(AppendString(AppendString(c1.value, "&& EventSeq >= `"), c2.value), "`")); + c:[type=="beforeEvSepAfterBootMgrSvnClause", issuer=="AttestationPolicy"] => add(type="tranferControlQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`&& (ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `1` || ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_TRANSFER_CONTROL.Value == `2`)] | @[0].EventSeq")); + c1:[type=="tranferControlQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="tranferControlSeq", value=JmesPath(c2.value, c1.value)); -// Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control. -c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); -c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]")); -c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value)); + // Find the first non-null EVENT_MODULE_SVN in PCR 13 after the transfer control. + c:[type=="tranferControlSeq", value!="null", issuer=="AttestationPolicy"] => add(type="afterTransferCtrlClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); + c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]")); + c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value)); -// Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. -c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); -c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); -c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); + // Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12. + c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`")); + c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]")); + c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value))); -// Finding the Boot Rev List Info -c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]"))); + // Finding the Boot Rev List Info + c:[type=="events", issuer=="AttestationService"] => issue(type="bootRevListInfo", value=JsonToClaimValue(JmesPath(c.value, "Events[? EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_BOOT_REVOCATION_LIST.RawData | @[0]"))); -}; -``` + }; + ``` -
- - Call TriggerAttestation with your rpid, AAD token and the attestURI:
-Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. More information about the api version can be found here Attestation - Attest Tpm - REST API (Azure Attestation) | Microsoft Docs
- - Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties:
-GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy. -
+3. Call TriggerAttestation with your rpid, AAD token and the attestURI: Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. For more information about the api version, see [Attestation - Attest Tpm - REST API](/rest/api/attestation/attestation/attest-tpm). -```json - { - "typ": "JWT", - "alg": "RS256", - "x5c": [ - "MIIE.....=", - "MIIG.....=", - "MIIF.....=" - ], - "kid": "8FUer20z6wzf1rod044wOAFdjsg" - }.{ - "nbf": 1633664812, - "exp": 1634010712, - "iat": 1633665112, - "iss": "https://contosopolicy.eus.attest.azure.net", - "jti": "2b63663acbcafefa004d20969991c0b1f063c9be", - "ver": "1.0", - "x-ms-ver": "1.0", - "rp_data": "AQIDBA", - "nonce": "AQIDBA", - "cnf": { - "jwk": { - "kty": "RSA", - "n": "yZGC3-1rFZBt6n6vRHjRjvrOYlH69TftIQWOXiEHz__viQ_Z3qxWVa4TfrUxiQyDQnxJ8-f8tBRmlunMdFDIQWhnew_rc3-UYMUPNcTQ0IkrLBDG6qDjFFeEAMbn8gqr0rRWu_Qt7Cb_Cq1upoEBkv0RXk8yR6JXmFIvLuSdewGs-xCWlHhd5w3n1rVk0hjtRk9ZErlbPXt74E5l-ZZQUIyeYEZ1FmbivOIL-2f6NnKJ-cR4cdhEU8i9CH1YV0r578ry89nGvBJ5u4_3Ib9Ragdmxm259npH53hpnwf0I6V-_ZhGPyF6LBVUG_7x4CyxuHCU20uI0vXKXJNlbj1wsQ", - "e": "AQAB" - } - }, - "x-ms-policy-hash": "GiGQCTOylCohHt4rd3pEppD9arh5mXC3ifF1m1hONh0", - "WindowsDefenderElamDriverLoaded": true, - "bitlockerEnabled": true, - "bitlockerEnabledValue": 4, - "bootAppSvn": 1, - "bootDebuggingDisabled": true, - "bootMgrSvn": 1, - "bootRevListInfo": "gHWqR2F-1wEgAAAACwBxrZXHbaiuTuO0PSaJ7WQMF8yz37Z2ATgSNTTlRkwcTw", - "codeIntegrityEnabled": true, - "codeIntegrityPolicy": [ - "AAABAAAAAQBWAAsAIAAAAHsAOABmAGIANAA4ADYANQBlAC0AZQA5ADAAYgAtADQANAA0AGYALQBiADUAYgA1AC0AZQAyAGEAYQA1ADEAZAA4ADkAMABmAGQAfQAuAEMASQBQAAAAVnW86ERqAg5n9QT1UKFr-bOP2AlNtBaaHXjZODnNLlk", - "AAAAAAAACgBWAAsAIAAAAHsAYgBjADQAYgBmADYAZAA3AC0AYwBjADYAMAAtADQAMABmADAALQA4ADYANAA0AC0AMQBlADYANAA5ADEANgBmADgAMQA4ADMAfQAuAEMASQBQAAAAQ7vOXuAbBRIMglSSg7g_LHNeHoR4GrY-M-2W5MNvf0o", - "AAAAAAAACgBWAAsAIAAAAHsAYgAzADEAOAA5ADkAOQBhAC0AYgAxADMAZQAtADQANAA3ADUALQBiAGMAZgBkAC0AMQBiADEANgBlADMAMABlADYAMAAzADAAfQAuAEMASQBQAAAALTmwU3eadNtg0GyAyKIAkYed127RJCSgmfFmO1jN_aI", - "AAAAAAAACgBWAAsAIAAAAHsAZgBlADgAMgBkADUAOAA5AC0ANwA3AGQAMQAtADQAYwA3ADYALQA5AGEANABhAC0AZQA0ADUANQA0ADYAOAA4ADkANAAxAGIAfQAuAEMASQBQAAAA8HGUwA85gHN_ThItTYtu6sw657gVuOb4fOhYl-YJRoc", - "AACRVwAACgAmAAsAIAAAAEQAcgBpAHYAZQByAFMAaQBQAG8AbABpAGMAeQAuAHAANwBiAAAAYcVuY0HdW4Iqr5B-6Sl85kwIXRG9bqr43pVhkirg4qM" - ], - "depPolicy": 0, - "flightSigningNotEnabled": false, - "hvciEnabled": true, - "iommuEnabled": true, - "notSafeMode": true, - "notWinPE": true, - "osKernelDebuggingDisabled": true, - "osRevListInfo": "gHLuW2F-1wEgAAAACwDLyDTUQILjdz_RfNlShVgNYT9EghL7ceMReWg9TuwdKA", - "secureBootEnabled": true, - "testSigningDisabled": true, - "vbsEnabled": true - }.[Signature] -``` -
-
TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing.
+- **TPM (Trusted Platform Module)**: TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption, and signing. -**DHA (Device HealthAttestation) feature** -The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
+- **DHA (Device HealthAttestation) feature**: The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel. -**DHA-Enabled device (Device HealthAttestation enabled device)** -A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.
+- **DHA-Enabled device (Device HealthAttestation enabled device)**: A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0. -**DHA-Session (Device HealthAttestation session)** -The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
+- **DHA-Session (Device HealthAttestation session)**: The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session. -The following list of transactions is performed in one DHA-Session:
--
-
- DHA-CSP and DHA-Service communication:
-
- DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service -
- DHA-Service replies with an encrypted data blob (DHA-EncBlob) -
+ The following list of transactions is performed in one DHA-Session:
- - DHA-CSP and MDM-Server communication:
-
- MDM-Server sends a device health verification request to DHA-CSP -
- DHA-CSP replies with a payload called DHA-Data that includes an encrypted (DHA-EncBlob) and a signed (DHA-SignedBlob) data blob -
+ - DHA-CSP and DHA-Service communication:
+ - DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
+ - DHA-Service replies with an encrypted data blob (DHA-EncBlob)
- - MDM-Server and DHA-Service communication:
-
- MDM-Server posts data it receives from devices to DHA-Service -
- DHA-Service reviews the data it receives, and replies with a device health report (DHA-Report) -
-
-DHA session data (Device HealthAttestation session data) -The following list of data is produced or consumed in one DHA-Transaction:
--
-
- DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health. -
- DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices. -
- DHA-SignedBlob: it is a signed snapshot of the current state of a device's runtime that is captured by DHA-CSP at device health attestation time. -
- DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts:
-
-
-
- DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service -
- DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP -
- - DHA-Report: the report that is issued by DHA-Service to MDM-Server -
- Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks -
Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
-DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
-The following list of operations is performed by DHA-Enabled-MDM
--
-
- Enables the DHA feature on a DHA-Enabled device -
- Issues device health attestation requests to enrolled/managed devices -
- Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification -
- Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action -
The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device's TPM and firmware to measure critical security properties of the device's BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
-The following list of operations is performed by DHA-CSP:
--
-
- Collects device boot data (DHA-BootData) from a managed device -
- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) -
- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device -
- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data) -
Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
+ - DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot, and TPM counters) that are required for validating device boot health. + - DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices. + - DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time. + - DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has two parts: -DHA-Service is available in two flavors: "DHA-Cloud" and "DHA-Server2016". DHA-Service supports various implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
-The following list of operations is performed by DHA-Service:
+ - DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service + - DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP -- Receives device boot data (DHA-BootData) from a DHA-Enabled device
-- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
-- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
-- Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report)
+ - DHA-Report: the report that is issued by DHA-Service to MDM-Server
+ - Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks
-
+- **DHA-Enabled MDM (Device HealthAttestation enabled device management solution)**: Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
- - Available in Windows for free -
- Running on a high-availability and geo-balanced cloud infrastructure -
- Supported by most DHA-Enabled device management solutions as the default device attestation service provider -
- Accessible to all enterprise-managed devices via following:
-
-
-
- FQDN = has.spserv.microsoft.com) port -
- Port = 443 -
- Protocol = TCP -
- - Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service) -
- Hosted on an enterprise owned and managed server device/hardware -
- Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios -
Accessible to all enterprise-managed devices via following:
--
-
- FQDN = (enterprise assigned) -
- Port = (enterprise assigned) -
- Protocol = TCP -
-- Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service) -
- Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios -
Accessible to all enterprise-managed devices via following:
--
-
- FQDN = (enterprise assigned) -
- Port = (enterprise assigned) -
- Protocol = TCP -
-- Available in Windows for free
- Running on a high-availability and geo-balanced cloud infrastructure
- Supported by most DHA-Enabled device management solutions as the default device attestation service provider
- Accessible to all enterprise-managed devices via following:
- FQDN = has.spserv.microsoft.com port
- Port = 443
- Protocol = TCP|No cost
|
+|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises: - Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
- Hosted on an enterprise owned and managed server device/hardware
- Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
- Accessible to all enterprise-managed devices via following:
- FQDN = (enterprise assigned)
- Port = (enterprise assigned)
- Protocol = TCP|The operation cost of running one or more instances of Server 2016 on-premises.
|
+|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure. - Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
- Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
- Accessible to all enterprise-managed devices via following:
- FQDN = (enterprise assigned)
- Port = (enterprise assigned)
- Protocol = TCP|The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
|
### CSP diagram and node descriptions
-
-The following shows the Device HealthAttestation configuration service provider in tree format.
-```
+The following shows the Device HealthAttestation configuration service provider in tree format.
+
+```console
./Vendor/MSFT
HealthAttestation
----VerifyHealth
@@ -637,20 +557,24 @@ HealthAttestation
----PreferredMaxProtocolVersion
----MaxSupportedProtocolVersion
```
+
**./Vendor/MSFT/HealthAttestation**
- - 1 means TPM specification version 1.2 -
- 2 means TPM specification version 2.0 -
- SxS (Tried to install when 2016 MSI is installed) -
- Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.) -
- Installation cancelled by user -
- Installation cancelled by another installation -
- Out of disk space during installation -
- Unknown language ID -
- Unknown SKUs -
- Content does't exist on CDN
-
- such as trying to install an unsupported LAP, like zh-sg -
- CDN issue that content is not available
- - Signature check issue, such as failed the signature check for Office content -
- User cancelled -
- SxS (Tried to install when 2016 MSI is installed)
- Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure|
+|17000|ERROR_PROCESSPOOL_INITIALIZATION
Failed to start C2RClient|Failure| +|17001|ERROR_QUEUE_SCENARIO
Failed to queue installation scenario in C2RClient|Failure| +|17002|ERROR_COMPLETING_SCENARIO
Failed to complete the process. Possible reasons: - Installation canceled by user
- Installation canceled by another installation
- Out of disk space during installation
- Unknown language ID|Failure|
+|17003|ERROR_ANOTHER_RUNNING_SCENARIO
Another scenario is running|Failure| +|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
Possible reasons: - Unknown SKUs
- Content does't exist on CDN
- Such as trying to install an unsupported LAP, like zh-sg
- CDN issue that content is not available
- Signature check issue, such as failed the signature check for Office content
- User canceled|Failure|
+|17005|ERROR_SCENARIO_CANCELLED_AS_PLANNED|Failure|
+|17006|ERROR_SCENARIO_CANCELLED
Blocked update by running apps|Failure| +|17007|ERROR_REMOVE_INSTALLATION_NEEDED
The client is requesting client clean-up in a "Remove Installation" scenario|Failure| +|17100|ERROR_HANDLING_COMMAND_LINE
C2RClient command-line error|Failure| +|0x80004005|E_FAIL
ODT cannot be used to install Volume license|Failure| +|0x8000ffff|E_UNEXPECTED
Tried to uninstall when there is no C2R Office on the machine.|Failure| diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 5e8ad6957f..893ac1e192 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -17,131 +17,21 @@ ms.date: 06/26/2017 The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf). - -## In this topic - -- [OMA DM standards](#oma-dm-standards) - -- [OMA DM protocol common elements](#protocol-common-elements) - -- [Device management session](#device-management-session) - -- [User targeted vs. Device targeted configuration](#user-targeted-vs-device-targeted-configuration) - -- [SyncML response codes](#syncml-response-codes) - - ## OMA DM standards The following table shows the OMA DM standards that Windows uses. --
+|General area|OMA DM standard that is supported| +|--- |--- | +|Data transport and session|- - -- - - - - -General area -OMA DM standard that is supported -- -Data transport and session
-
-
Client-initiated remote HTTPS DM session over SSL.
-Remote HTTPS DM session over SSL.
-Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
-Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.
-
- -Bootstrap XML
-
-
OMA Client Provisioning XML.
-
- -DM protocol commands
The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.
--
-
Add (Implicit Add supported)
-Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
-Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
-Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
-Exec: Invokes an executable on the client device
-Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
-Replace: Overwrites data on the client device
-Result: Returns the data results of a Get command to the DM server
-Sequence: Specifies the order in which a group of commands must be processed
-Status: Indicates the completion status (success or failure) of an operation
-
If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
--
-
SyncBody
-Atomic
-Sequence
-
If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
-If Atomic elements are nested, the following status codes are returned:
--
-
The nested Atomic command returns 500.
-The parent Atomic command returns 507.
-
For more information about the Atomic command, see OMA DM protocol common elements.
-Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
-LocURI cannot start with "/".
-Meta XML tag in SyncHdr is ignored by the device.
- -OMA DM standard objects
-
-
DevInfo
-DevDetail
-OMA DM DMS account objects (OMA DM version 1.2)
-
- -Security
-
-
Authenticate DM server initiation notification SMS message (not used by enterprise management)
-Application layer Basic and MD5 client authentication
-Authenticate server with MD5 credential at application level
-Data integrity and authentication with HMAC at application level
-SSL level certificate based client/server authentication, encryption, and data integrity check
-
- -Nodes
In the OMA DM tree, the following rules apply for the node name:
--
-
"." can be part of the node name.
-The node name cannot be empty.
-The node name cannot be only the asterisk (*) character.
-
- -Provisioning Files
Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.
-If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
--Note-To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
-- -- -WBXML support
Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.
- - -Handling of large objects
In Windows 10, version 1511, client support for uploading large objects to the server was added.
- Client-initiated remote HTTPS DM session over SSL.
- Remote HTTPS DM session over SSL.
- Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
- Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.|
+|Bootstrap XML|OMA Client Provisioning XML.|
+|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.
- Add (Implicit Add supported)
- Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
- Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
- Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists
- Exec: Invokes an executable on the client device
- Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format
- Replace: Overwrites data on the client device
- Result: Returns the data results of a Get command to the DM server
- Sequence: Specifies the order in which a group of commands must be processed
- Status: Indicates the completion status (success or failure) of an operation
If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element: - SyncBody
- Atomic
- Sequence
If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.
If Atomic elements are nested, the following status codes are returned: - The nested Atomic command returns 500.
- The parent Atomic command returns 507.
For more information about the Atomic command, see OMA DM protocol common elements.
Performing an Add command followed by Replace on the same node within an Atomic element is not supported.
LocURI cannot start with `/`.
Meta XML tag in SyncHdr is ignored by the device.| +|OMA DM standard objects|DevInfo - DevDetail
- OMA DM DMS account objects (OMA DM version 1.2)| +|Security|
- Authenticate DM server initiation notification SMS message (not used by enterprise management)
- Application layer Basic and MD5 client authentication
- Authenticate server with MD5 credential at application level
- Data integrity and authentication with HMAC at application level
- SSL level certificate-based client/server authentication, encryption, and data integrity check|
+|Nodes|In the OMA DM tree, the following rules apply for the node name:
- "." can be part of the node name.
- The node name cannot be empty.
- The node name cannot be only the asterisk (*) character.|
+|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).
If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.**Note**| +|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.| +|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.| @@ -149,99 +39,26 @@ The following table shows the OMA DM standards that Windows uses. Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). -
To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.-
- +|Element|Description| +|--- |--- | +|Chal|Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.| +|Cmd|Specifies the name of an OMA DM command referenced in a Status element.| +|CmdID|Specifies the unique identifier for an OMA DM command.| +|CmdRef|Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.| +|Cred|Specifies the authentication credential for the originator of the message.| +|Final|Indicates that the current message is the last message in the package.| +|LocName|Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.| +|LocURI|Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.| +|MsgID|Specifies a unique identifier for an OMA DM session message.| +|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| +|RespURI|Specifies the URI that the recipient must use when sending a response to this message.| +|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.- - -- - - - - -Element -Description -- -Chal
Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.
- -Cmd
Specifies the name of an OMA DM command referenced in a Status element.
- -CmdID
Specifies the unique identifier for an OMA DM command.
- -CmdRef
Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.
- -Cred
Specifies the authentication credential for the originator of the message.
- -Final
Indicates that the current message is the last message in the package.
- -LocName
Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.
- -LocURI
Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
- -MsgID
Specifies a unique identifier for an OMA DM session message.
- -MsgRef
Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.
- -RespURI
Specifies the URI that the recipient must use when sending a response to this message.
- -SessionID
Specifies the identifier of the OMA DM session associated with the containing message.
--Note If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes. --- -- -Source
Specifies the message source address.
- -SourceRef
Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.
- -Target
Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.
- -TargetRef
Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.
- -VerDTD
Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.
- - -VerProto
Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.
**Note**| +|Source|Specifies the message source address.| +|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| +|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| +|TargetRef|Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.| +|VerDTD|Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.| +|VerProto|Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.| ## Device management session @@ -255,56 +72,25 @@ A DM session can be divided into two phases: 1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. 2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase two ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. -The following table shows the sequence of events during a typical DM session. +The following information shows the sequence of events during a typical DM session. -
If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.-
+1. DM client is invoked to call back to the management server- - -- - - - - - -Step -Action -Description -- -1
DM client is invoked to call back to the management server
-Enterprise scenario – The device task schedule invokes the DM client.
The MO server sends a server trigger message to invoke the DM client.
-The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
-Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.
- -2
The device sends a message, over an IP connection, to initiate the session.
This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
- -3
The DM server responds, over an IP connection (HTTPS).
The server sends initial device management commands, if any.
- -4
The device responds to server management commands.
This message includes the results of performing the specified device management operations.
- - -5
The DM server terminates the session or sends another command.
The DM session ends, or Step 4 is repeated.
Enterprise scenario – The device task schedule invokes the DM client. + The MO server sends a server trigger message to invoke the DM client. + The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS. -The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). +2. The device sends a message, over an IP connection, to initiate the session. + + This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level. + +3. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any. + +4. The device responds to server management commands. This message includes the results of performing the specified device management operations. + +5. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated. + +The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started. @@ -319,24 +105,24 @@ For CSPs and policies that support per user configuration, the MDM server can se The data part of this alert could be one of following strings: -- user – the user that enrolled the device is actively logged in. The MDM server could send user specific configuration for CSPs/policies that support per user configuration -- others – another user login but that user does not have an MDM account. The server can only apply device wide configuration, e.g. configuration applies to all users in the device. -- none – no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login). +- User – the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration +- Others – another user login but that user does not have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device. +- None – no active user login. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user login). Below is an alert example: -``` +```xml- +1 - 1224 -- - -
-com.microsoft/MDM/LoginStatus -chr - - user -1 + 1224 +- + +
+ ``` The server notifies the device whether it is a user targeted or device targeted configuration by a prefix to the management node’s LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it is device targeted configuration. @@ -351,37 +137,27 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification. -| Status code | Description | -|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 200 | The SyncML command completed successfully. | -| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. | +| Status code | Description | +|---|----| +| 200 | The SyncML command completed successfully. | +| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. | | 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. | -| 214 | Operation cancelled. The SyncML command completed successfully, but no more commands will be processed within the session. | -| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. | -| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. | -| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. | -| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. | -| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. | -| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. | -| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. | -| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. | -| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. | -| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. | -| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. | +| 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. | +| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. | +| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. | +| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. | +| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. | +| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. | +| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. | +| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. | +| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. | +| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. | +| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. | +| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. | | 500 | Command failed. Generic failure. The recipient encountered an unexpected condition which prevented it from fulfilling the request. This response code will occur when the SyncML DPU cannot map the originating error code. | -| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. | -| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. | - - +| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. | +| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. | ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index c3d8c37963..b1b74f16be 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -38,33 +38,13 @@ manager: dansimp **AboveLock/AllowCortanaAboveLock** -com.microsoft/MDM/LoginStatus +chr + + user +-
+|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
@@ -105,28 +85,13 @@ The following list shows the supported values: **AboveLock/AllowToasts** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes, starting in Windows 10, version 1607|Yes| +|Enterprise|Yes, starting in Windows 10, version 1607|Yes| +|Education|Yes, starting in Windows 10, version 1607|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No No -- -Pro -Yes, starting in Windows 10, version 1607 Yes -- -Enterprise -Yes, starting in Windows 10, version 1607 Yes -- Education -Yes, starting in Windows 10, version 1607 Yes -
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index ed466fe64a..795f89e92c 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -40,43 +40,15 @@ manager: dansimp **Accounts/AllowAddingNonMicrosoftAccountsManually** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +|Mobile|Yes|Yes| +|Mobile Enterprise|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -- -Mobile -Yes -Yes -- -Mobile Enterprise -Yes -Yes -
@@ -114,48 +86,16 @@ The following list shows the supported values: **Accounts/AllowMicrosoftAccountConnection** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +|Mobile|Yes|Yes| +|Mobile Enterprise|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Business -Yes -Yes -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -- -Mobile -Yes -Yes -- -Mobile Enterprise -Yes -Yes -
@@ -190,48 +130,16 @@ The following list shows the supported values: **Accounts/AllowMicrosoftAccountSignInAssistant** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +|Mobile|Yes|Yes| +|Mobile Enterprise|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Business -Yes -Yes -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -- -Mobile -Yes -Yes -- -Mobile Enterprise -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 95c9e7d80b..60248d3ecc 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -40,31 +40,13 @@ manager: dansimp **ActiveXControls/ApprovedInstallationSites** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No No -- -Pro -Yes -Yes -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index c574952e31..0b63ffc56d 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -40,31 +40,14 @@ manager: dansimp **ADMX_ActiveXInstallService/AxISURLZonePolicies** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +- Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index dfb1da857f..de3506d5e5 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -70,20 +70,10 @@ manager: dansimp **ADMX_AddRemovePrograms/DefaultCategory** --
+|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -
@@ -135,34 +125,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddFromCDorFloppy** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business||| +|Enterprise|Yes|Yes| +|Education|||- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -- -Enterprise -Yes -Yes -- -Education -
@@ -212,38 +182,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddFromInternet** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -294,38 +240,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddFromNetwork** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -377,38 +299,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddPage** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -456,38 +354,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoAddRemovePrograms** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -535,38 +409,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoChooseProgramsPage** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -615,37 +465,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoRemovePage** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
@@ -693,38 +520,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoServices** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -775,38 +578,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoSupportInfo** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -856,38 +635,14 @@ ADMX Info: **ADMX_AddRemovePrograms/NoWindowsSetupPage** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md index 19b22053f4..dbb231d5c5 100644 --- a/windows/client-management/mdm/policy-csp-admx-admpwd.md +++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md @@ -49,31 +49,13 @@ manager: dansimp **ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
@@ -109,31 +91,13 @@ ADMX Info: **ADMX_AdmPwd/POL_AdmPwd_Enabled** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
@@ -172,31 +136,13 @@ ADMX Info: **ADMX_AdmPwd/POL_AdmPwd_AdminName** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
@@ -235,31 +181,13 @@ ADMX Info: **ADMX_AdmPwd/POL_AdmPwd** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 110c13b38f..c25bbf261a 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -72,36 +72,14 @@ manager: dansimp **ADMX_AppCompat/AppCompatPrevent16BitMach** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -147,38 +125,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -218,38 +172,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -293,38 +223,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffSwitchBack** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -369,37 +275,13 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffEngine** --
+|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
@@ -446,38 +328,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -513,38 +371,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -587,38 +421,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffUserActionRecord** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -660,38 +470,14 @@ ADMX Info: **ADMX_AppCompat/AppCompatTurnOffProgramInventory** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index 4e924cb2a7..b3a9d9197f 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -39,38 +39,14 @@ manager: dansimp **ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index 74860dbb38..7440cfbb70 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -48,37 +48,14 @@ manager: dansimp **ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- Education -Yes -Yes -
@@ -117,38 +94,14 @@ ADMX Info: **ADMX_AppXRuntime/AppxRuntimeBlockFileElevation** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -187,38 +140,14 @@ ADMX Info: **ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -259,38 +188,14 @@ ADMX Info: **ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index 9ddc5dc7bc..60757b10f3 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -51,38 +51,14 @@ manager: dansimp **ADMX_AttachmentManager/AM_EstimateFileHandlerRisk** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -126,37 +102,14 @@ ADMX Info: **ADMX_AttachmentManager/AM_SetFileRiskLevel** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes- -Edition -Windows 10 -Windows 11 -- Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -202,38 +155,14 @@ ADMX Info: **ADMX_AttachmentManager/AM_SetHighRiskInclusion** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -273,38 +202,14 @@ ADMX Info: **ADMX_AttachmentManager/AM_SetLowRiskInclusion** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -344,38 +249,14 @@ ADMX Info: **ADMX_AttachmentManager/AM_SetModRiskInclusion** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index 5e4ce66ca3..4ade562c8f 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -39,38 +39,14 @@ manager: dansimp **ADMX_AuditSettings/IncludeCmdLine** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index db5b7fc71f..f14750b59c 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -78,38 +78,14 @@ manager: dansimp **ADMX_Bits/BITS_DisableBranchCache** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -150,38 +126,14 @@ ADMX Info: **ADMX_Bits/BITS_DisablePeercachingClient** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -223,38 +175,14 @@ ADMX Info: **ADMX_Bits/BITS_DisablePeercachingServer** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -297,38 +225,14 @@ ADMX Info: **ADMX_Bits/BITS_EnablePeercaching** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -370,38 +274,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxBandwidthServedForPeers** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -446,38 +326,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxBandwidthV2_Maintenance** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -521,38 +377,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxBandwidthV2_Work** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -593,38 +425,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxCacheSize** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -665,38 +473,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxContentAge** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -737,38 +521,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxDownloadTime** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -811,38 +571,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxFilesPerJob** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -884,38 +620,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxJobsPerMachine** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -957,38 +669,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxJobsPerUser** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -1030,38 +718,14 @@ ADMX Info: **ADMX_Bits/BITS_MaxRangesPerFile** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index 514efdce81..1aafb0d27a 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -42,38 +42,14 @@ manager: dansimp **ADMX_CipherSuiteOrder/SSLCipherSuiteOrder** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -116,38 +92,14 @@ ADMX Info: **ADMX_CipherSuiteOrder/SSLCurveOrder** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index abac5580d8..6ddb16921c 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -42,38 +42,14 @@ manager: dansimp **ADMX_COM/AppMgmt_COM_SearchForCLSID_1** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -118,38 +94,14 @@ ADMX Info: **ADMX_COM/AppMgmt_COM_SearchForCLSID_2** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index bdd6e7f313..fd6ce7faed 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -48,38 +48,14 @@ manager: dansimp **ADMX_ControlPanel/DisallowCpls** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -126,38 +102,14 @@ ADMX Info: **ADMX_ControlPanel/ForceClassicControlPanel** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -201,38 +153,14 @@ ADMX Info: **ADMX_ControlPanel/NoControlPanel** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -283,42 +211,14 @@ ADMX Info: **ADMX_ControlPanel/RestrictCpls** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index 644cc93fd2..8005489dba 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -108,38 +108,14 @@ manager: dansimp **ADMX_ControlPanelDisplay/CPL_Display_Disable** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -No -No -- -Business -No -No -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -178,43 +154,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Display_HideSettings** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -251,44 +198,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 - -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -328,43 +245,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -405,43 +293,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -479,43 +338,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -557,43 +387,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -636,43 +437,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -710,43 +482,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -784,43 +527,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -862,43 +576,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 - - - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -938,43 +623,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -1018,43 +674,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -1094,43 +721,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -1168,43 +766,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -1242,43 +811,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -1314,43 +854,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -1388,43 +899,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -1462,43 +944,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -1543,42 +996,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -1626,43 +1051,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -1707,43 +1103,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -1781,43 +1148,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -1864,43 +1202,14 @@ ADMX Info: **ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 71ba7fb9c0..4e1d864337 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -39,43 +39,14 @@ manager: dansimp **ADMX_Cpls/UseDefaultTile** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index 92d2b7cfc2..e7951df443 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -45,43 +45,15 @@ manager: dansimp **ADMX_CredentialProviders/AllowDomainDelayLock** --
+ + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 - - - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -124,43 +96,14 @@ ADMX Info: **ADMX_CredentialProviders/DefaultCredentialProvider** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -202,43 +145,14 @@ ADMX Info: **ADMX_CredentialProviders/ExcludedCredentialProviders** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index 2c66db1203..cb4c42d7af 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -69,42 +69,14 @@ manager: dansimp **ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -154,43 +126,14 @@ ADMX Info: **ADMX_CredSsp/AllowDefaultCredentials** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -244,43 +187,14 @@ ADMX Info: **ADMX_CredSsp/AllowEncryptionOracle** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -329,43 +243,14 @@ ADMX Info: **ADMX_CredSsp/AllowFreshCredentials** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -416,43 +301,14 @@ ADMX Info: **ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -503,43 +359,14 @@ ADMX Info: **ADMX_CredSsp/AllowSavedCredentials** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -590,43 +417,14 @@ ADMX Info: **ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -677,43 +475,14 @@ ADMX Info: **ADMX_CredSsp/DenyDefaultCredentials** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -762,43 +531,14 @@ ADMX Info: **ADMX_CredSsp/DenyFreshCredentials** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -847,43 +587,14 @@ ADMX Info: **ADMX_CredSsp/DenySavedCredentials** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -932,43 +643,14 @@ ADMX Info: **ADMX_CredSsp/RestrictedRemoteAdministration** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index b6e48f936c..31ef959ed4 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -42,43 +42,14 @@ manager: dansimp **ADMX_CredUI/EnableSecureCredentialPrompting** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
@@ -119,43 +90,14 @@ ADMX Info: **ADMX_CredUI/NoLocalPasswordResetQuestions** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- - -Home -No -No -- - -Pro -No -No -- - -Business -No -No -- - -Enterprise -Yes -Yes -- - -Education -Yes -Yes -
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 79a75e5fb3..bbbcfee611 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1188,12 +1188,12 @@ The following list shows the supported values:Home No -No +Yes Pro No -No +Yes Business @@ -1234,6 +1234,9 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not - 2 - Hide: The Chat icon will be hidden by default. Users can show or hide it in Settings. - 3 - Disabled: The Chat icon will not be displayed, and users cannot show or hide it in Settings. +> [!NOTE] +> Option 1 (Show) and Option 2 (Hide) only work on the first sign-in attempt. Option 3 (Disabled) works on all attempts. + diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 65fb6facfd..be84a95bca 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 11/11/2021 ms.reviewer: manager: dansimp --- @@ -1080,9 +1080,10 @@ GP Info: -This security setting determines which service accounts are prevented from registering a process as a service. +This security setting determines which users are prevented from logging on to the computer. This policy setting supersedes the **Allow log on locally** policy setting if an account is subject to both policies. + > [!NOTE] -> This security setting does not apply to the System, Local Service, or Network Service accounts. +> If you apply this security policy to the **Everyone** group, no one will be able to log on locally. diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index ad67b668bb..147c460f3b 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -295,7 +295,7 @@ SurfaceHubThe data type is boolean. Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -
Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. +
Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
The data type is string. Supported operation is Get and Replace. diff --git a/windows/deployment/deploy-windows-mdt/TOC.yml b/windows/deployment/deploy-windows-mdt/TOC.yml index 3f4a5f1d0d..51493a1083 100644 --- a/windows/deployment/deploy-windows-mdt/TOC.yml +++ b/windows/deployment/deploy-windows-mdt/TOC.yml @@ -1,23 +1,23 @@ -- name: Deploy Windows 11 with the Microsoft Deployment Toolkit (MDT) +- name: Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT) items: - name: Get started with MDT href: get-started-with-the-microsoft-deployment-toolkit.md - - name: Deploy Windows 11 with MDT + - name: Deploy Windows 10 with MDT items: - name: Prepare for deployment with MDT href: prepare-for-windows-deployment-with-mdt.md - - name: Create a Windows 11 reference image - href: create-a-windows-11-reference-image.md - - name: Deploy a Windows 11 image using MDT - href: deploy-a-windows-11-image-using-mdt.md - - name: Build a distributed environment for Windows 11 deployment - href: build-a-distributed-environment-for-windows-deployment.md - - name: Refresh a Windows 10 computer with Windows 11 - href: refresh-a-windows-10-computer-with-windows-11.md - - name: Replace a Windows 10 computer with a Windows 11 computer - href: replace-a-windows-10-computer-with-a-windows-11-computer.md - - name: Perform an in-place upgrade to Windows 11 with MDT - href: upgrade-to-windows-11-with-the-microsoft-deployment-toolkit.md + - name: Create a Windows 10 reference image + href: create-a-windows-10-reference-image.md + - name: Deploy a Windows 10 image using MDT + href: deploy-a-windows-10-image-using-mdt.md + - name: Build a distributed environment for Windows 10 deployment + href: build-a-distributed-environment-for-windows-10-deployment.md + - name: Refresh a Windows 7 computer with Windows 10 + href: refresh-a-windows-7-computer-with-windows-10.md + - name: Replace a Windows 7 computer with a Windows 10 computer + href: replace-a-windows-7-computer-with-a-windows-10-computer.md + - name: Perform an in-place upgrade to Windows 10 with MDT + href: upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md - name: Customize MDT items: - name: Configure MDT settings @@ -28,10 +28,10 @@ href: configure-mdt-deployment-share-rules.md - name: Configure MDT for UserExit scripts href: configure-mdt-for-userexit-scripts.md - - name: Simulate a Windows 11 deployment in a test environment - href: simulate-a-windows-11-deployment-in-a-test-environment.md - - name: Use the MDT database to stage Windows deployment information - href: use-the-mdt-database-to-stage-windows-deployment-information.md + - name: Simulate a Windows 10 deployment in a test environment + href: simulate-a-windows-10-deployment-in-a-test-environment.md + - name: Use the MDT database to stage Windows 10 deployment information + href: use-the-mdt-database-to-stage-windows-10-deployment-information.md - name: Assign applications using roles in MDT href: assign-applications-using-roles-in-mdt.md - name: Use web services in MDT diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md index 21bf379b8e..453515a466 100644 --- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md @@ -18,10 +18,6 @@ ms.topic: article # Assign applications using roles in MDT -**Applies to** -- Windows 10 -- Windows 11 - This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this topic, the application we are adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together. ## Create and assign a role entry in the database diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md similarity index 85% rename from windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-deployment.md rename to windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index b47530ab45..c05e2b7c67 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -1,12 +1,12 @@ --- -title: Build a distributed environment for Windows 11 deployment (Windows 11) -description: In this topic, you will learn how to replicate your Windows 11 deployment shares to facilitate the deployment of Windows 11 in remote or branch locations. +title: Build a distributed environment for Windows 10 deployment (Windows 10) +description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c ms.reviewer: manager: dougeby ms.author: greglin keywords: replication, replicate, deploy, configure, remote -ms.prod: w11 +ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library @@ -16,13 +16,12 @@ author: greg-lindsay ms.topic: article --- -# Build a distributed environment for Windows 11 deployment +# Build a distributed environment for Windows 10 deployment **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 -Perform the steps in this article to build a distributed environment for Windows 11 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments. +Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments. Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we will deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. @@ -32,7 +31,7 @@ For the purposes of this article, we assume that MDT02 is prepared with the same Computers used in this topic. -> HV01 is also used in this topic to host the PC0006 virtual machine. +>HV01 is also used in this topic to host the PC0006 virtual machine. ## Replicate deployment shares @@ -63,7 +62,7 @@ On **MDT01**: Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools ``` -2. Wait for installation to comlete, and then verify that the installation was successful. See the following output: +2. Wait for installation to complete, and then verify that the installation was successful. See the following output: ```output PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools @@ -83,7 +82,7 @@ On **MDT02**: Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools ``` -2. Wait for installation to comlete, and then verify that the installation was successful. See the following output: +2. Wait for installation to complete, and then verify that the installation was successful. See the following output: ```output PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools @@ -120,7 +119,7 @@ When you have multiple deployment servers sharing the same content, you need to On **MDT01**: -1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the default gateway of client devices in your locations (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use. +1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use. ```ini [Settings] @@ -142,8 +141,8 @@ On **MDT01**: UserPassword=pass@word1 SkipBDDWelcome=YES ``` - > [!NOTE] - > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 10 computer with Windows 11](refresh-a-windows-10-computer-with-windows-11.md) and [Replace a Windows 10 computer with a Windows 11 computer](replace-a-windows-10-computer-with-a-windows-11-computer.md). + >[!NOTE] + >The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). 2. Save the Bootstrap.ini file. 3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes. @@ -154,8 +153,8 @@ On **MDT01**: Replacing the updated boot image in WDS. - > [!TIP] - > If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console. + >[!TIP] + >If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console. ## Replicate the content @@ -228,7 +227,7 @@ On **MDT02**: The DFS Replication Health Report. -> If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**. +>If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**. ## Configure Windows Deployment Services (WDS) in a remote site @@ -251,19 +250,21 @@ Now you should have a solution ready for deploying the Windows 10 client to the 6. Install an operating system from a network-based installation server 2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server. 3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings: - 1. Select a task sequence to execute on this computer: Windows 11 Enterprise x64 Custom Image + 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image 2. Computer Name: PC0006 3. Applications: Select the Install - Adobe Reader 4. Setup will now start and perform the following: - 1. Install the Windows 11 Enterprise operating system. + 1. Install the Windows 10 Enterprise operating system. 2. Install applications. 3. Update the operating system using your local Windows Server Update Services (WSUS) server. + + ## Related topics [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-[Create a Windows 11 reference image](create-a-windows-11-reference-image.md)
-[Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md)
-[Refresh a Windows 10 computer with Windows 11](refresh-a-windows-10-computer-with-windows-11.md)
-[Replace a Windows 10 computer with a Windows 11 computer](replace-a-windows-10-computer-with-a-windows-11-computer.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
[Configure MDT settings](configure-mdt-settings.md) \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index 187f8fb4cc..0fb4725b6b 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -18,10 +18,6 @@ ms.topic: article # Configure MDT deployment share rules -**Applies to** -- Windows 10 -- Windows 11 - In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. ## Assign settings diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md index 22a7921c84..342cec9742 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md @@ -18,10 +18,6 @@ ms.topic: article # Configure MDT for UserExit scripts -**Applies to** -- Windows 10 -- Windows 11 - In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address. ## Configure the rules to call a UserExit script diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index 05f03ea220..731550645c 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -18,10 +18,6 @@ ms.topic: article # Configure MDT settings -**Applies to** -- Windows 10 -- Windows 11 - One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-11-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md similarity index 81% rename from windows/deployment/deploy-windows-mdt/create-a-windows-11-reference-image.md rename to windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index a548b5c748..9dd26e0e66 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-11-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -1,12 +1,12 @@ --- -title: Create a Windows 11 reference image (Windows 11) +title: Create a Windows 10 reference image (Windows 10) description: Creating a reference image is important because that image serves as the foundation for the devices in your organization. ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa ms.reviewer: manager: dougeby ms.author: greglin keywords: deploy, deployment, configure, customize, install, installation -ms.prod: w11 +ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library @@ -16,25 +16,22 @@ author: greg-lindsay ms.topic: article --- -# Create a Windows 11 reference image +# Create a Windows 10 reference image **Applies to** - Windows 10 -- Windows 11 -In this topic, you will learn how to create a Windows 11 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 11 reference image. After completing the steps outlined in this topic, you will have a Windows 11 reference image that can be used in your deployment solution. +Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. -All procedures in this article can also be used to create a Windows 10 reference image by using Windows 10 media instead of Windows 11 media in the [Add setup files](#add-setup-files) section below. - -> [!NOTE] -> This guide assumes that you have already installed and configured deployment tools. See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information. +>[!NOTE] +>See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information about the server, client, and network infrastructure used in this guide. For the purposes of this topic, we will use three computers: DC01, MDT01, and HV01. - DC01 is a domain controller for the contoso.com domain. - MDT01 is a contoso.com domain member server. - HV01 is a Hyper-V server that will be used to build the reference image. -  +  Computers used in this topic. @@ -48,20 +45,19 @@ The reference image described in this guide is designed primarily for deployment ## Set up the MDT build lab deployment share -With Windows 10 and Windows 11, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 11 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. +With Windows 10, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. ### Create the MDT build lab deployment share On **MDT01**: - Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic). -- Start the MDT deployment workbench, and pin the console to the taskbar for easy access. - - If it is your first time starting the console, search for **Deployment Workbench**. +- Start the MDT deployment workbench, and pin this to the taskbar for easy access. - Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. - Use the following settings for the New Deployment Share Wizard: - Deployment share path: **D:\\MDTBuildLab** - Share name: **MDTBuildLab$** - - Descriptive name: **MDT Build Lab** + - Deployment share description: **MDT Build Lab** - Accept the default selections on the Options page and click **Next**. - Review the Summary page, click **Next**, wait for the deployment share to be created, then click **Finish**. - Verify that you can access the \\\\MDT01\\MDTBuildLab$ share. @@ -72,7 +68,7 @@ On **MDT01**: ### Enable monitoring -To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share in the Deployment Workbench, click **Properties**, click the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional. +To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, click **Properties**, click the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional. ### Configure permissions for the deployment share @@ -90,41 +86,34 @@ On **MDT01**: ## Add setup files -This section will show you how to populate the MDT deployment share with the Windows 11 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image. +This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image. -### Add the Windows 11 installation files +### Add the Windows 10 installation files -MDT supports adding both full source Windows 11 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. +MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. -> [!NOTE] -> Windows 11 media is pre-release as of the date this article was last updated. To obtain Windows 11 pre-release media, join the Windows Insider program and visit [Windows Insider Preview Downloads](https://www.microsoft.com/software-download/windowsinsiderpreviewiso).
-> The build selected in this example is **Windows 11 Insider Preview Enterprise (Dev Channel) - Build 22454**. +>[!NOTE] +>Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. -### Add Windows 11 Enterprise x64 (full source) +### Add Windows 10 Enterprise x64 (full source) On **MDT01**: -1. Sign in as **contoso\\administrator** and copy the content of a Windows 11 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 11 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD. +1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD.  2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**. -3. Right-click the **Operating Systems** node, and create a new folder named **Windows 11**. -4. Expand the **Operating Systems** node, right-click the **Windows 11** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: +3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. +4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: - Full set of source files - Source directory: (location of your source files) - - Destination directory name: W11EX64 - - > [!NOTE] - > Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W11EX64 rather than a more descriptive name like Windows 11 Enterprise x64.
- > Depending on the DVD or ISO you used, there might be multiple editions added by the import process. For the purposes of this guide, we are using the Windows 11 Enterprise image, but other images will also work. In the example shown, editions that will not be used are deleted from the list. - -5. After adding the operating system, in the **Operating Systems / Windows 11** folder, double-click it and change the name to: **Windows 11 Enterprise x64 Default Image**. See the following example. + - Destination directory name: W10EX64RTM +5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.  - > [!NOTE] - > The pre-release version of Windows 11 used here has "Windows 10" in the description. You can ignore this. +>Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work. ## Add applications @@ -308,7 +297,7 @@ On **MDT01**: ## Create the reference image task sequence -In order to build and capture your Windows 11 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 11 reference image. +In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you are deploying. ### Drivers and the reference image @@ -317,31 +306,31 @@ Because we use modern virtual platforms for creating our reference images, we do ### Create a task sequence for Windows 10 Enterprise -To create a Windows 11 reference image task sequence, the process is as follows: +To create a Windows 10 reference image task sequence, the process is as follows: On **MDT01**: -1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 11**. -2. Right-click the new **Windows 11** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - 1. Task sequence ID: REFW11X64-001 - 2. Task sequence name: Windows 11 Enterprise x64 Default Image +1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. +2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + 1. Task sequence ID: REFW10X64-001 + 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image 3. Task sequence comments: Reference Build 4. Template: Standard Client Task Sequence - 5. Select OS: Windows 11 Enterprise x64 Default Image + 5. Select OS: Windows 10 Enterprise x64 RTM Default Image 6. Specify Product Key: Do not specify a product key at this time 7. Full Name: Contoso 8. Organization: Contoso - 9. Internet Explorer home page: https://www.contoso.com + 9. Internet Explorer home page: http://www.contoso.com 10. Admin Password: Do not specify an Administrator Password at this time -### Edit the Windows 11 task sequence +### Edit the Windows 10 task sequence The steps below walk you through the process of editing the Windows 10 reference image task sequence to include the actions required to update the reference image with the latest updates from WSUS, install roles and features, and utilities, and install Microsoft Office365 ProPlus x64. On **MDT01**: -1. In the **Task Sequences / Windows 11** folder, right-click the **Windows 11 Enterprise x64 Default Image** task sequence, and select **Properties**. -2. On the **Task Sequence** tab, configure the Windows 11 Enterprise x64 Default Image task sequence with the following settings: +1. In the **Task Sequences / Windows 10** folder, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence, and select **Properties**. +2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings: 1. **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box. 2. **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action. @@ -351,7 +340,7 @@ On **MDT01**: - **Note**: The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating. 5. **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings: 1. Name: Install - Microsoft NET Framework 3.5.1 - 2. Select the operating system for which roles are to be installed: Windows 10 (this also works for Windows 11) + 2. Select the operating system for which roles are to be installed: Windows 10 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) >[!IMPORTANT] @@ -364,7 +353,7 @@ On **MDT01**: 6. **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings: 1. Name: Microsoft Visual C++ Redistributable 2019 - x86 2. Install a Single Application: browse to **Install - MSVC 2019 - x86** - 7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Office 365 ProPlus - x64 as well. + 7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well. 3. Click **OK**.  @@ -396,18 +385,26 @@ Follow these steps to configure Internet Explorer settings in Unattend.xml for t On **MDT01**: -1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 11 Enterprise x64 Default Image** task sequence and select **Properties**. +1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. 2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. + + > [!IMPORTANT] + > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: + > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144. + > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe). + > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). + > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml. + 3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry. 4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: - DisableDevTools: true -5. Save the Answer File, and close Windows SIM. - - Note: If validation errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. -6. On the Windows 11 Enterprise x64 Default Image Properties, click **OK**. +5. Save the Unattend.xml file, and close Windows SIM. + - Note: If errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. +6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**.  - Windows System Image Manager with the Windows 11 Unattend.xml. + Windows System Image Manager with the Windows 10 Unattend.xml. ## Configure the MDT deployment share rules @@ -478,7 +475,7 @@ On **MDT01**: ``` >[!NOTE] - >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word1) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. + >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. 5. In the **Lite Touch Boot Image Settings** area, configure the following settings: @@ -609,11 +606,11 @@ SkipFinalSummary=YES - **SkipCapture.** Skips the Capture pane. - **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to click OK before the machine shuts down. -## Build the Windows 11 reference image +## Build the Windows 10 reference image As previously described, this section requires a Hyper-V host. See [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements) for more information. -Once you have created your task sequence, you are ready to create the Windows 11 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process. +Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process. The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image. @@ -624,67 +621,56 @@ The steps below outline the process used to boot a virtual machine using an ISO On **HV01**: 2. Create a new virtual machine with the following settings: - 1. Name: REFW11X64-001 + 1. Name: REFW10X64-001 2. Store the virtual machine in a different location: C:\VM 3. Generation 1 4. Memory: 1024 MB 5. Network: Must be able to connect to \\MDT01\MDTBuildLab$ 7. Hard disk: 60 GB (dynamic disk) 8. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso -1. Before you start the VM, add a checkpoint for REFW11X64-001, and name it **Clean with MDT Build Lab x86 ISO**. +1. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**. **Note**: Checkpoints are useful if you need to restart the process and want to make sure you can start clean. -4. Start the REFW11X64-001 virtual machine and connect to it. +4. Start the REFW10X64-001 virtual machine and connect to it. - > [!IMPORTANT] - > Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW11X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share, and optionally the WSUS server on your network. A connection to the Internet is also used to download and updates during the image creation process. In the current scenario, this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, with a 10.10.10.1 gateway, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11, and also connect to external networks.
- > If you receive a message that "A connection to the deployment share could not be made, check that the DHCP service is available to the REFW11X64-001 VM, and it has been issued a valid IP address lease (check your DHCP server). + **Note**: Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. -5. After booting into Windows PE, complete the Windows Deployment Wizard with the following settings: - - Select a task sequence to execute on this computer: Windows 11 Enterprise x64 Default Image - - Specify whether to capture an image: Capture an image of this reference computer - - Location: \\\\MDT01\\MDTBuildLab$\\Captures - - File name: REFW11X64-001.wim + After booting into Windows PE, complete the Windows Deployment Wizard with the following settings: + 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image + 2. Specify whether to capture an image: Capture an image of this reference computer + - Location: \\\\MDT01\\MDTBuildLab$\\Captures + 3. File name: REFW10X64-001.wim -  +  - The Windows Deployment Wizard for the Windows 11 reference image. + The Windows Deployment Wizard for the Windows 10 reference image. -The image creation process starts and does the following: - 1. Installs the Windows 11 Enterprise operating system. - 2. Installs the added applications, roles, and features. - 3. Updates the operating system via your local Windows Server Update Services (WSUS) server (if provisioned). - 4. Stages Windows PE on the local disk. - 5. Runs System Preparation (Sysprep) and reboots into Windows PE. - 6. Captures the installation to a Windows Imaging (WIM) file. - 7. Turns off the virtual machine. +5. The setup now starts and does the following: + 1. Installs the Windows 10 Enterprise operating system. + 2. Installs the added applications, roles, and features. + 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. + 4. Stages Windows PE on the local disk. + 5. Runs System Preparation (Sysprep) and reboots into Windows PE. + 6. Captures the installation to a Windows Imaging (WIM) file. + 7. Turns off the virtual machine. -After some time (30-90 minutes depending on resources available), you will have a Windows 11 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is **REFW11X64-001.wim**. +After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.  ## Troubleshooting +> [!IMPORTANT] +> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This + If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence.  -If monitoring is not working, check that http://localhost:9801/MDTMonitorData/ loads on MDT01, and try turning monitoring off and on again. +If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. -If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. An example is shown below. - -```cmd -X:\>net use G: \\mdt01\c$\tmp /user:contoso\administrator pass@word1 -The command completed successfully. - -X:\>copy X:\MININT\SMSOSD\OSDLOGS\*.log G: - 6 files copied. -X:\>copp X:\Windows\Temp\SMSTSLog\smsts.log G: - 1 file copied. -``` - -If you have trouble connecting to the deployment share, verify that your DHCP server (DC01 in this lab) has issued a lease to the VM. The DHCP client name will be something like minint-p1st75s.contoso.com. +After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. ## Related topics diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md similarity index 88% rename from windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md rename to windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 435f937e56..9d20892e07 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -1,12 +1,12 @@ --- -title: Deploy a Windows 11 image using MDT (Windows 11) -description: This topic will show you how to take your reference image for Windows 11, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). +title: Deploy a Windows 10 image using MDT (Windows 10) +description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c ms.reviewer: manager: dougeby ms.author: greglin keywords: deployment, automate, tools, configure -ms.prod: w11 +ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library @@ -16,13 +16,12 @@ author: greg-lindsay ms.topic: article --- -# Deploy a Windows 11 image using MDT +# Deploy a Windows 10 image using MDT **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 -This topic will show you how to take your reference image for Windows 11 [that was just created](create-a-windows-11-reference-image.md), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). +This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. @@ -31,7 +30,7 @@ For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 an - DC01 is a domain controller - MDT01 is a domain member server - HV01 is a Hyper-V server -- PC0005 is a blank device to which we will deploy Windows 11 +- PC0005 is a blank device to which we will deploy Windows 10 MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. @@ -90,8 +89,11 @@ The steps for creating the deployment share for production are the same as when 1. Ensure you are signed on as: contoso\administrator. 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. + 4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. + 5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. + 6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. 7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. @@ -111,22 +113,26 @@ On **MDT01**: ## Step 3: Add a custom image -The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 11. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10/11 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components. +The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components. -### Add the Windows 11 Enterprise x64 custom image +### Add the Windows 10 Enterprise x64 RTM custom image -In these steps, we assume that you have completed the steps in the [Create a Windows 11 reference image](create-a-windows-11-reference-image.md) topic, so you have a Windows 11 reference image at **D:\\MDTBuildLab\\Captures\REFW11X64-001.wim** on MDT01. +In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. -1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 11**. +1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. 2. Right-click the **Windows 10** folder and select **Import Operating System**. -3. On the **OS Type** page, select **Custom image file** and click **Next**. -4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW11X64-001.wim** and click **Next**. -5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W11EX64** and click **Next**. -6. On the **Destination** page, in the **Destination directory name** text box, type **W11EX64**, click **Next** twice, and then click **Finish**. -7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 11** node and change the name to **Windows 11 Enterprise x64 Custom Image**. -> [!NOTE] -> The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT now uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. +3. On the **OS Type** page, select **Custom image file** and click **Next**. + +4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**. + +5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**. + +6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**. +7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**. + +>[!NOTE] +>The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.  @@ -139,15 +145,21 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100720091_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100720091_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. + 5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**. + 6. On the **Application Type** page, select the **Application with source files** option and click **Next**. + 7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**. + 8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**. + 9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**. + 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.  @@ -156,10 +168,7 @@ On **MDT01**: ## Step 5: Prepare the drivers repository -> [!IMPORTANT] -> The section below on preparing the drivers repository uses Windows 10-compatible devices and drivers as examples. These examples do not infer Windows 11 compatibility. Check with your device manufacturer before deploying drivers, and verify that the device meets Windows 11 hardware requirements. For more information, see [Windows 11 requirements](/windows/whats-new/windows-11-requirements). - -In order to deploy Windows 10 or Windows 11 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: +In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: - Lenovo ThinkPad T420 - Dell Latitude 7390 - HP EliteBook 8560w @@ -167,8 +176,8 @@ In order to deploy Windows 10 or Windows 11 with MDT successfully, you need dri For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers. -> [!NOTE] -> You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time. +>[!NOTE] +>You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time. ### Create the driver source structure in the file system @@ -183,8 +192,8 @@ On **MDT01**: 2. In the **D:\\drivers** folder, create the following folder structure: 1. WinPE x86 2. WinPE x64 - 3. Windows 11 x64 -3. In the new Windows 11 x64 folder, create the following folder structure: + 3. Windows 10 x64 +3. In the new Windows 10 x64 folder, create the following folder structure: - Dell Inc. - Latitude E7450 - Hewlett-Packard @@ -204,8 +213,8 @@ When you import drivers to the MDT driver repository, MDT creates a single insta 2. In the **Out-Of-Box Drivers** node, create the following folder structure: 1. WinPE x86 2. WinPE x64 - 3. Windows 11 x64 -3. In the **Windows 11 x64** folder, create the following folder structure: + 3. Windows 10 x64 +3. In the **Windows 10 x64** folder, create the following folder structure: - Dell Inc. - Latitude E7450 - Hewlett-Packard @@ -236,28 +245,32 @@ The Out-of-Box Drivers structure in the Deployment Workbench. ### Create the selection profiles for boot image drivers By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles. -The drivers that are used for the boot images (Windows PE) are Windows 11 drivers. If you can’t locate Windows 11 drivers for your device, a Windows 10, Windows 8.1 or Windows 7 driver will most likely work, but Windows 11 drivers should be your first choice. +The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can’t locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice. On **MDT01**: 1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. 2. In the New Selection Profile Wizard, create a selection profile with the following settings: - 1. Selection Profile name: **WinPE x86** + 1. Selection Profile name: WinPE x86 2. Folders: Select the WinPE x86 folder in Out-of-Box Drivers. 3. Click **Next**, **Next** and **Finish**. 3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**. 4. In the New Selection Profile Wizard, create a selection profile with the following settings: - 1. Selection Profile name: **WinPE x64** + 1. Selection Profile name: WinPE x64 2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers. 3. Click **Next**, **Next** and **Finish**. +  + + Creating the WinPE x64 selection profile. + ### Extract and import drivers for the x64 boot image Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image. On **MDT01**: -1. Download **PROWinx64.exe** from Intel.com (ex: [Intel® Network Adapter Driver](https://www.intel.com/content/www/us/en/download/16765/intel-network-adapter-driver-for-windows-8-final-release.html)). +1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)). 2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. a. **Note**: Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates. 3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. @@ -279,11 +292,11 @@ In this example, we assume you have downloaded and extracted the drivers using T On **MDT01**: -1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 11 x64** node, expand the **Lenovo** node. +1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node. 2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 11 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** + **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers. @@ -295,29 +308,29 @@ In these steps, we assume you have downloaded and extracted the CAB file for the On **MDT01**: -1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 11 x64** node, expand the **Dell Inc.** node. +1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc.** node. 2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 11 x64\\Dell Inc.\\Latitude E7450** + **D:\\Drivers\\Windows 10 x64\\Dell Inc.\\Latitude E7450** ### For the HP EliteBook 8560w For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html). -In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 11 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. +In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. On **MDT01**: -1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 11 x64** node, expand the **Hewlett-Packard** node. +1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node. 2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 11 x64\\Hewlett-Packard\\HP EliteBook 8560w** + **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** ### For the Microsoft Surface Laptop -For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 11 x64\\Microsoft\\Surface Laptop** folder. +For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder. On **MDT01**: @@ -325,40 +338,40 @@ On **MDT01**: 2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: - **D:\\Drivers\\Windows 11 x64\\Microsoft\\Surface Laptop** + **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** ## Step 6: Create the deployment task sequence -This section will show you how to create the task sequence used to deploy your production Windows 11 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. +This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. -### Create a task sequence for Windows 11 Enterprise +### Create a task sequence for Windows 10 Enterprise On **MDT01**: -1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 11**. +1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**. -2. Right-click the new **Windows 11** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W11-X64-001 - - Task sequence name: Windows 11 Enterprise x64 Custom Image +2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-001 + - Task sequence name: Windows 10 Enterprise x64 RTM Custom Image - Task sequence comments: Production Image - Template: Standard Client Task Sequence - - Select OS: Windows 11 Enterprise x64 Custom Image + - Select OS: Windows 10 Enterprise x64 RTM Custom Image - Specify Product Key: Do not specify a product key at this time - Full Name: Contoso - Organization: Contoso - Internet Explorer home page: https://www.contoso.com - Admin Password: Do not specify an Administrator Password at this time -### Edit the Windows 11 task sequence +### Edit the Windows 10 task sequence -1. Continuing from the previous procedure, right-click the **Windows 11 Enterprise x64 Custom Image** task sequence, and select **Properties**. +1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**. -2. On the **Task Sequence** tab, configure the **Windows 11 Enterprise x64 Custom Image** task sequence with the following settings: +2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: 1. Name: Set DriverGroup001 2. Task Sequence Variable: DriverGroup001 - 3. Value: Windows 11 x64\\%Manufacturer%\\%Model% + 3. Value: Windows 10 x64\\%Manufacturer%\\%Model% 2. Configure the **Inject Drivers** action with the following settings: - Choose a selection profile: Nothing @@ -473,7 +486,7 @@ On **MDT01**: 11. Click **OK**. >[!NOTE] - >It might take a while for the Deployment Workbench to create the monitoring database and web service. + >It will take a while for the Deployment Workbench to create the monitoring database and web service.  @@ -604,13 +617,13 @@ Like the MDT Build Lab deployment share, the MDT Production deployment share nee >[!NOTE] >The update process will take 5 to 10 minutes. -## Step 8: Deploy the Windows 11 client image +## Step 8: Deploy the Windows 10 client image These steps will walk you through the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process. ### Configure Windows Deployment Services -You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. In this procedure, we assume that WDS is already installed and initialized on MDT01 as described in the [Prepare for Windows deployment](prepare-for-windows-deployment-with-mdt.md#install-and-initialize-wds) article. +You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. In this procedure, we assume that WDS is already installed and initialized on MDT01 as described in the [Prepare for Windows deployment](prepare-for-windows-deployment-with-mdt.md#install-and-initialize-windows-deployment-services-wds) article. On **MDT01**: @@ -624,7 +637,7 @@ On **MDT01**: The boot image added to the WDS console. -### Deploy the Windows 11 client +### Deploy the Windows 10 client At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you are confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. This helps rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: @@ -654,9 +667,9 @@ On **HV01**: 4. Setup now begins and does the following: - - Installs the Windows 11 Enterprise operating system. + - Installs the Windows 10 Enterprise operating system. - Installs the added application. - - Updates the operating system via your local Windows Server Update Services (WSUS) server (if configured). + - Updates the operating system via your local Windows Server Update Services (WSUS) server.  @@ -714,9 +727,9 @@ On **MDT01**: The newly created multicast namespace. -## Use offline media to deploy Windows 11 +## Use offline media to deploy Windows 10 -In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 11. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. +In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. Offline media are useful not only when you do not have network connectivity to the deployment share, but also when you have limited connection to the deployment share and do not want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. @@ -735,10 +748,10 @@ On **MDT01**: - Folders - Applications / Adobe - - Operating Systems / Windows 11 + - Operating Systems / Windows 10 - Out-Of-Box Drivers / WinPE x64 - - Out-Of-Box Drivers / Windows 11 x64 - - Task Sequences / Windows 11 + - Out-Of-Box Drivers / Windows 10 x64 + - Task Sequences / Windows 10  @@ -756,7 +769,7 @@ In these steps, you generate offline media from the MDT Production deployment sh 3. Use the following settings for the New Media Wizard: - General Settings - Media path: **D:\\MDTOfflineMedia** - - Selection profile: **Windows 11 Offline Media** + - Selection profile: **Windows 10 Offline Media** ### Configure the offline media @@ -770,7 +783,7 @@ On **MDT01**: 3. In the **General** tab, configure the following: - Clear the Generate x86 boot image check box. - - ISO file name: Windows 11 Offline Media.iso + - ISO file name: Windows 10 Offline Media.iso 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. @@ -803,10 +816,15 @@ The ISO that you got when updating the offline media item can be burned to a DVD Follow these steps to create a bootable USB stick from the offline media content: 1. On a physical machine running Windows 7 or later, insert the USB stick you want to use. + 2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick. + 3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. + 4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. + 5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). + 6. In the Diskpart utility, type **active**, and then type **exit**. ## Unified Extensible Firmware Interface (UEFI)-based deployments diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index 0d0b8199c5..df26acb90f 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md @@ -1,5 +1,5 @@ --- -title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10/11) +title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee ms.reviewer: @@ -20,7 +20,6 @@ ms.topic: article **Applies to** - Windows 10 -- Windows 11 This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). @@ -30,14 +29,17 @@ MDT is a unified collection of tools, processes, and guidance for automating des In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. -MDT supports the deployment of Windows 11, as well as Windows 7, Windows 8.1, Windows 10, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). +MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). + +> [!IMPORTANT] +> For more information about MDT supported platforms, see [MDT Release Notes](/mem/configmgr/mdt/release-notes#supported-platforms) and [MDT FAQ](/mem/configmgr/mdt/faq#is-this-release-only-supported-with-version--x--of-windows-client--windows-adk--or-configuration-manager-). ## Key features in MDT MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. MDT has many useful features, such as: -- **Windows Client support.** Supports Windows 7, Windows 8.1, Windows 10, and Windows 11. +- **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10. - **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. - **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), as well as Windows 8.1 Embedded Industry. - **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. @@ -69,11 +71,11 @@ MDT has many useful features, such as: - **Support for Microsoft Office.** Provides added support for deploying Microsoft Office. - **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. - **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. -- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, Windows 8.1, and Windows 10 systems directly to Windows 11, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). +- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). ## MDT Lite Touch components -Many features in MDT support Lite Touch Installation (LTI) for Windows 11. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. +Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index bd9599c6e4..186a8fe7bd 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -1,12 +1,12 @@ --- -title: Prepare for deployment with MDT (Windows 11) -description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 11 operating system using the Microsoft Deployment Toolkit (MDT). +title: Prepare for deployment with MDT (Windows 10) +description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 ms.reviewer: manager: dougeby ms.author: greglin keywords: deploy, system requirements -ms.prod: w11 +ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library @@ -19,68 +19,51 @@ ms.topic: article # Prepare for deployment with MDT **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 +This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory. -This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 11 with the Microsoft Deployment Toolkit (MDT). All procedures in this guide can also be used to deploy Windows 10. For an overview of the features, components, and capabilities of MDT, see [Get started with MDT](get-started-with-the-microsoft-deployment-toolkit.md). - -This article covers installation of necessary system prerequisites, creation of shared folders and service accounts, and configuration of security permissions in the file system and in Active Directory. Steps to complete the following procedures are provided: - -1. Install the Windows Assessment and Deployment Kit (ADK) -2. Install and initialize Windows Deployment Services (WDS) -3. Install MDT -4. Create an Active Directory Organizational Unit structure to support deployment -5. Create the MDT service account -6. Create and share the logs folder - -After completing these steps, you can create a [Windows 11 reference image](create-a-windows-11-reference-image.md) that will be used to deploy Windows 11. If you are installing Windows 10 instead of Windows 11, use [source media](create-a-windows-11-reference-image.md#add-setup-files) for Windows 10 instead of Windows 11 to create your reference image. - -> [!IMPORTANT] -> Before deploying Windows 11, verify that the device meets [requirements](/windows/whats-new/windows-11-requirements). - -## Infrastructure and requirements +## Infrastructure The procedures in this guide use the following names and infrastructure. -#### Network and servers +### Network and servers For the purposes of this topic, we will use three server computers: **DC01**, **MDT01**, and **HV01**. - All servers are running Windows Server 2019. - You can use an earlier version of Windows Server with minor modifications to some procedures. - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is required to perform the procedures in this guide. - **DC01** is a domain controller, DHCP server, and DNS server for contoso.com, representing the fictitious Contoso Corporation. - - The DHCP scope used in this lab is 10.10.10.0/24 with a gateway of 10.10.10.1. but you can adjust the scope settings to your environment. - **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server. - - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-deployment.md) for Windows 11 deployment. This server is located on a different subnet than MDT01 and has a different default gateway. -- **HV01** is a Hyper-V host computer that is used to build a Windows 11 reference image. + - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway. +- **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image. - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01. -#### Client computers +### Client computers Several client computers are referenced in this guide with hostnames of PC0001 to PC0007. -- **PC0001**: A computer running Windows 11 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. +- **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. - Client name: PC0001 - IP Address: DHCP -- **PC0002**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios. +- **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios. - Client name: PC0002 - IP Address: DHCP -- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 10 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively. +- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively. -#### Storage requirements +### Storage requirements MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:), you will need to adjust some procedures in this guide to specify the C: drive instead of the D: drive. -#### Hyper-V requirements +### Hyper-V requirements -If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 8.1, Windows 10, or Windows 11 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](../windows-10-poc.md#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V. +If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](../windows-10-poc.md#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V. -#### Network requirements +### Network requirements All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. -#### Domain credentials +### Domain credentials The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials. @@ -88,7 +71,7 @@ The following generic credentials are used in this guide. You should replace the **Domain administrator username**: administrator
**Domain administrator password**: pass@word1 -#### Organizational unit structure +### Organizational unit structure The following OU structure is used in this guide. Instructions are provided [below](#create-the-ou-structure) to help you create the required OUs. @@ -101,8 +84,11 @@ These steps assume that you have the MDT01 member server running and configured On **MDT01**: Visit the [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder): -- [The Windows ADK](https://go.microsoft.com/fwlink/?linkid=2165884) -- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2166133) +- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042) +- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112) +- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334) +- (Optional) [The MDT_KB4564442 patch for BIOS firmware](https://download.microsoft.com/download/3/0/6/306AC1B2-59BE-43B8-8C65-E141EF287A5E/KB4564442/MDT_KB4564442.exe) + - This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you do not need this patch. >[!TIP] >You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties). @@ -110,9 +96,12 @@ Visit the [Download and install the Windows ADK](/windows-hardware/get-started/a 1. On **MDT01**, ensure that you are signed in as an administrator in the CONTOSO domain. - For the purposes of this guide, we are using a Domain Admin account of **administrator** with a password of pass@word1. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials. 2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step. -3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully. +3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step. +4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file. + - You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later. +5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/en-us/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch. -## Install and initialize WDS +## Install and initialize Windows Deployment Services (WDS) On **MDT01**: @@ -141,7 +130,7 @@ To install WSUS on MDT01, enter the following at an elevated Windows PowerShell >[!NOTE] >MDT installation requires the following: ->- The Windows ADK (installed in the previous procedure) +>- The Windows ADK for Windows 10 (installed in the previous procedure) >- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) >- Microsoft .NET Framework @@ -149,10 +138,8 @@ On **MDT01**: 1. Visit the [MDT resource page](/mem/configmgr/mdt/) and click **Download MDT**. 2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01. -3. Save the [MDT update](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) to D:\\Downloads\\MDT folder on MDT01. - **Note**: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work. -4. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings. -5. If you are using MDT version 8456, download, extract, and update MDT per the instructions on [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This will update **Microsoft.BDD.Utility.dll** from version 6.3.8456.1000 to 6.3.8456.1001. +3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings. ## Create the OU structure @@ -231,8 +218,6 @@ If you have the Active Directory Users and Computers console open you can refres ## Create and share the logs folder -Switch back to the MDT01 computer. - By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). On **MDT01**: @@ -265,5 +250,13 @@ After installing the ConfigMgrTools.msi file, you can search for **cmtrace** and ## Next steps -When you have completed all the steps in this section to prepare for deployment, see [Create a Windows 11 reference image](create-a-windows-11-reference-image.md). +When you have completed all the steps in this section to prepare for deployment, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). +## Appendix + +**Sample files** + +The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell. +- [Gather.ps1](/samples/browse/?redirectedfrom=TechNet-Gallery). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment. +- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. +- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-10-computer-with-windows-11.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md similarity index 53% rename from windows/deployment/deploy-windows-mdt/refresh-a-windows-10-computer-with-windows-11.md rename to windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md index 1ec5026bb1..57a26f04a9 100644 --- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-10-computer-with-windows-11.md +++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md @@ -1,6 +1,6 @@ --- -title: Refresh a Windows 10 computer with Windows 11 (Windows 11) -description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 10 computer to a Windows 11 computer using the computer refresh process. +title: Refresh a Windows 7 computer with Windows 10 (Windows 10) +description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f ms.reviewer: manager: dougeby @@ -16,18 +16,17 @@ author: greg-lindsay ms.topic: article --- -# Refresh a Windows 10 computer with Windows 11 +# Refresh a Windows 7 computer with Windows 10 **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 -This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 10 computer to a Windows 11 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/). +This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/). For the purposes of this topic, we will use three computers: DC01, MDT01, and PC0001. - DC01 is a domain controller for the contoso.com domain. - MDT01 is domain member server that hosts your deployment share. -- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to Windows 11, with data and settings restored. The example used here is a computer running Windows 10, version 1909. +- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1. Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). @@ -39,7 +38,7 @@ The computers used in this topic. A computer refresh is not the same as an in-place upgrade because a computer refresh involves exporting user data and settings then wiping the device before installing a fresh OS and restoring the user's data and settings. -For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK), to migrate user data and settings. To complete a computer refresh you will: +For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will: 1. Back up data and settings locally, in a backup folder. 2. Wipe the partition, except for the backup folder. @@ -49,8 +48,8 @@ For a computer refresh with MDT, you use the User State Migration Tool (USMT), w During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data. -> [!NOTE] -> In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario. +>[!NOTE] +>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario. ### Multi-user migration @@ -58,8 +57,8 @@ By default, ScanState in USMT backs up all profiles on the machine, including lo For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\* -> [!NOTE] -> You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. +>[!NOTE] +>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. ### Support for additional settings @@ -69,32 +68,29 @@ In addition to the command-line switches that control which profiles to migrate, Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment for a small number of computers. You will need to update the deployment share after changing this setting. -## Refresh a Windows 10 client +## Refresh a Windows 7 SP1 client In these section, we assume that you have already performed the prerequisite procedures in the following topics, so that you have a deployment share named **MDTProduction$** on MDT01: - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) -- [Create a Windows 11 reference image](create-a-windows-11-reference-image.md) -- [Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md) +- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) -It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to Windows 11. For demonstration purposes, we will refreshing a Windows 10 PC to Windows 11. - -> [!IMPORTANT] -> The computer refresh process can be used to install Windows 11 on a device that doesn't meet Windows 11 hardware requirements, resulting in an unsupported configuration. Before upgrading to Windows 11, verify that the device meets [Windows 11 hardware requirements](/windows/whats-new/windows-11-requirements). +It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we will refreshing a Windows 7 SP1 PC to Windows 10, version 1909. -### Upgrade (refresh) a Windows 10 client +### Upgrade (refresh) a Windows 7 SP1 client -> [!IMPORTANT] -> Domain join details [specified in the deployment share rules](deploy-a-windows-11-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 10 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-11-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer. +>[!IMPORTANT] +>Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer. 1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. 2. Complete the deployment guide using the following settings: - * Select a task sequence to execute on this computer: Windows 11 Enterprise x64 Custom Image + * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image * Computer name: <default> * Specify where to save a complete computer backup: Do not back up the existing computer - > [!NOTE] - > Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run. + >[!NOTE] + >Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run. * Select one or more applications to install: Install - Adobe Reader  @@ -102,23 +98,23 @@ It is also assumed that you have a domain member client computer named PC0001 in 4. Setup starts and does the following: * Backs up user settings and data using USMT. - * Installs the Windows 11 Enterprise x64 operating system. + * Installs the Windows 10 Enterprise x64 operating system. * Installs any added applications. - * Updates the operating system using your local Windows Server Update Services (WSUS) server (if applicable). + * Updates the operating system using your local Windows Server Update Services (WSUS) server. * Restores user settings and data using USMT. 5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example:  -6. After the refresh process completes, sign in to the Windows 11 computer and verify that user accounts, data and settings were migrated. +6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated. ## Related topics [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
-[Create a Windows 11 reference image](create-a-windows-11-reference-image.md)
-[Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md)
-[Build a distributed environment for Windows 11 deployment](build-a-distributed-environment-for-windows-deployment.md)
-[Replace a Windows 10 computer with a Windows 11 computer](replace-a-windows-10-computer-with-a-windows-11-computer.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
[Configure MDT settings](configure-mdt-settings.md) \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-10-computer-with-a-windows-11-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md similarity index 85% rename from windows/deployment/deploy-windows-mdt/replace-a-windows-10-computer-with-a-windows-11-computer.md rename to windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md index c8604c4858..baa35a0260 100644 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-10-computer-with-a-windows-11-computer.md +++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -1,13 +1,13 @@ --- -title: Replace a Windows 10 computer with a Windows 11 computer (Windows 11) -description: In this article, you will learn how to replace a Windows 10 device with a Windows 11 device. +title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) +description: In this article, you will learn how to replace a Windows 7 device with a Windows 10 device. ms.custom: seo-marvel-apr2020 ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a ms.reviewer: manager: dougeby ms.author: greglin keywords: deploy, deployment, replace -ms.prod: w11 +ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library @@ -17,19 +17,18 @@ author: greg-lindsay ms.topic: article --- -# Replace a Windows 10 computer with a Windows 11 computer +# Replace a Windows 7 computer with a Windows 10 computer **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 -A computer replace scenario for Windows 11 is quite similar to a computer refresh for Windows 11. However, because you are replacing a device, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. +A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10. However, because you are replacing a device, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. For the purposes of this topic, we will use four computers: DC01, MDT01, PC0002, and PC0007. - DC01 is a domain controller for the contoso.com domain. - MDT01 is domain member server that hosts your deployment share. -- PC0002 is an old computer running Windows 10 that will be replaced by PC0007. -- PC0007 is a new computer will have the Windows 11 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain. +- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007. +- PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain. For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). @@ -49,7 +48,7 @@ On **MDT01**: 1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, click **Properties**, and then click the **Rules** tab. 2. Change the **SkipUserData=YES** option to **NO**, and click **OK**. -3. Right-click **MDT Production** and click **Update Deployment Share**. Click **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default setttings. +3. Right-click **MDT Production** and click **Update Deployment Share**. Click **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default settings. ### Create and share the MigData folder @@ -97,8 +96,8 @@ On **PC0002**: * Specify where to save your data and settings: Specify a location * Location: \\\\MDT01\\MigData$\\PC0002 - > [!NOTE] - > If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. + >[!NOTE] + >If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. 2. Specify where to save a complete computer backup: Do not back up the existing computer @@ -152,16 +151,15 @@ On **HV01**: * Updates the operating system via your local Windows Server Update Services (WSUS) server. * Restores the USMT backup from PC0002. -You can view progress of the process by clicking the Monitoring node in the Deployment Workbrench on MDT01. +You can view progress of the process by clicking the Monitoring node in the Deployment Workbench on MDT01.  - ## Related topics [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-[Create a Windows 11 reference image](create-a-windows-11-reference-image.md)
-[Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md)
-[Build a distributed environment for Windows 11 deployment](build-a-distributed-environment-for-windows-deployment.md)
-[Refresh a Windows 10 computer with Windows 11](refresh-a-windows-10-computer-with-windows-11.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 481df59b4a..64938b8f63 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -19,10 +19,6 @@ ms.custom: seo-marvel-mar2020 # Set up MDT for BitLocker -**Applies to** -- Windows 10 -- Windows 11 - This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment: - A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you can also use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password. diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-11-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md similarity index 76% rename from windows/deployment/deploy-windows-mdt/simulate-a-windows-11-deployment-in-a-test-environment.md rename to windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md index 877add3082..d538a02412 100644 --- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-11-deployment-in-a-test-environment.md +++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -1,12 +1,12 @@ --- -title: Simulate a Windows 11 deployment in a test environment (Windows 11) -description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 11 deployment using MDT. +title: Simulate a Windows 10 deployment in a test environment (Windows 10) +description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c ms.reviewer: manager: dougeby ms.author: greglin keywords: deploy, script -ms.prod: w11 +ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library @@ -16,11 +16,7 @@ author: greg-lindsay ms.topic: article --- -# Simulate a Windows 11 deployment in a test environment - -**Applies to** -- Windows 10 -- Windows 11 +# Simulate a Windows 10 deployment in a test environment This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it is most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you are using a domain-joined client. @@ -29,8 +25,8 @@ This topic will walk you through the process of creating a simulated environment - A Windows 10 client named **PC0001** will be used to simulate deployment. The client is joined to the contoso.com domain and has access to the Internet to required download tools and scripts. - It is assumed that you have performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share: - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) - - [Create a Windows 11 reference image](create-a-windows-11-reference-image.md) - - [Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md) + - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) ## Simulate deployment @@ -39,23 +35,21 @@ On **PC0001**: 1. Sign as **contoso\\Administrator**. 2. Copy the following to a PowerShell script named gather.ps1 and copy it to a directory named **C:\MDT** on PC0001. -``` -# Check for elevation -If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` - [Security.Principal.WindowsBuiltInRole] "Administrator")) -{ - Write-Warning "Oupps, you need to run this script from an elevated PowerShell prompt!`nPlease start the PowerShell prompt as an Administrator and re-run the script." - Write-Warning "Aborting script..." - Break -} - -cls -if (Test-Path -Path "C:\MININT") {Write-Host "C:\MININT exists, deleting...";Remove-Item C:\MININT -Recurse} -cscript.exe ZTIGather.wsf /debug:true - -# Optional, comment out if you want the script to open the log in CMTrace -& "C:\MDT\CMTrace" C:\MININT\SMSOSD\OSDLOGS\ZTIGather.log -``` + ```powershell + # Check for elevation + If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` + [Security.Principal.WindowsBuiltInRole] "Administrator")) + { + Write-Warning "Oupps, you need to run this script from an elevated PowerShell prompt!`nPlease start the PowerShell prompt as an Administrator and re-run the script." + Write-Warning "Aborting script..." + Break + } + cls + if (Test-Path -Path "C:\MININT") {Write-Host "C:\MININT exists, deleting...";Remove-Item C:\MININT -Recurse} + cscript.exe ZTIGather.wsf /debug:true + # Optional, comment out if you want the script to open the log in CMTrace + & "C:\MDT\CMTrace" C:\MININT\SMSOSD\OSDLOGS\ZTIGather.log + ``` 3. Download and install the free [Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool. 4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group. diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md new file mode 100644 index 0000000000..8760205a12 --- /dev/null +++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -0,0 +1,114 @@ +--- +title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10) +description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. +ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 +ms.reviewer: +manager: dougeby +ms.author: greglin +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Perform an in-place upgrade to Windows 10 with MDT + +**Applies to** +- Windows 10 + +The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. + +>[!TIP] +>In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple. + +In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you cannot use a custom image to perform the in-place upgrade. In this article we will add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade. + +Three computers are used in this topic: DC01, MDT01, and PC0002. + +- DC01 is a domain controller for the contoso.com domain +- MDT01 is a domain member server +- PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade + +  + + The computers used in this topic. + +>[!NOTE] +>For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). + +>If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source). + +## Create the MDT production deployment share + +On **MDT01**: + +1. Ensure you are signed on as: contoso\administrator. +2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. +3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. +4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. +5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. +6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. +7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. + +## Add Windows 10 Enterprise x64 (full source) + +>If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section. + +On **MDT01**: + +1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. +2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. +3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**. +4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: + - Full set of source files + - Source directory: (location of your source files) + - Destination directory name: W10EX64RTM +5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. + +## Create a task sequence to upgrade to Windows 10 Enterprise + +On **MDT01**: + +1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. +2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + - Task sequence ID: W10-X64-UPG + - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade + - Template: Standard Client Upgrade Task Sequence + - Select OS: Windows 10 Enterprise x64 RTM Default Image + - Specify Product Key: Do not specify a product key at this time + - Organization: Contoso + - Admin Password: Do not specify an Administrator password at this time + +## Perform the Windows 10 upgrade + +To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded). + +On **PC0002**: + +1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** +2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**. +3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader +4. On the **Ready** tab, click **Begin** to start the task sequence. + When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. + + + +
+ + + +
+ + + +After the task sequence completes, the computer will be fully upgraded to Windows 10. + +## Related topics + +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+[Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/) \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-11-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-11-with-the-microsoft-deployment-toolkit.md deleted file mode 100644 index ccbb15d9c5..0000000000 --- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-11-with-the-microsoft-deployment-toolkit.md +++ /dev/null @@ -1,134 +0,0 @@ ---- -title: Perform an in-place upgrade to Windows 11 with MDT (Windows 11) -description: The simplest path to upgrade PCs that are currently running an earlier version of Windows client to Windows 11 is through an in-place upgrade. -ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 -ms.reviewer: -manager: dougeby -ms.author: greglin -keywords: upgrade, update, task sequence, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro -author: greg-lindsay -ms.topic: article ---- - -# Perform an in-place upgrade to Windows 11 with MDT - -**Applies to** -- Windows 10 -- Windows 11 - -The simplest path to upgrade PCs that are currently running an earlier version of Windows client to Windows 11 is through an in-place upgrade. - -> [!TIP] -> In-place upgrade is the preferred method to use when migrating to a newer version of the same OS, or upgrading to a new OS. This is especially true when you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple. - -In-place upgrade differs from [computer refresh](refresh-a-windows-10-computer-with-windows-11.md) in that you cannot use a custom image to perform the in-place upgrade. In this article we will add a default Windows 11 image to the production deployment share specifically to perform an in-place upgrade. - -> [!IMPORTANT] -> Windows 11 setup will block the upgrade process on devices that do not meet [Windows 11 hardware requirements](/windows/whats-new/windows-11-requirements). Be sure to verify that your device meets these requirements before attempting to upgrade to Windows 11. - -Three computers are used in this topic: DC01, MDT01, and PC0002. - -- DC01 is a domain controller for the contoso.com domain -- MDT01 is a domain member server -- PC0002 is a domain member computer running Windows 10, targeted for the Windows 11 upgrade - -  - - The computers used in this topic. - -> [!NOTE] -> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). - -> If you have already completed all the steps in [Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 11 Enterprise x64 (full source)](#add-windows-11-enterprise-x64-full-source). - -## Create the MDT production deployment share - -On **MDT01**: - -1. Ensure you are signed on as: contoso\administrator. -2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. -3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. -4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. -5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. -6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. -7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. - -## Add Windows 11 Enterprise x64 (full source) - -> If you have already have a Windows 11 [reference image](create-a-windows-11-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section. - -  - - Copying the reference image to the production deployment share - - If you copy the reference image using the above process, you should verify that all the files on MDT01 in **D:\\MDTBuildLab\\Operating Systems\\W11EX64** were successfully copied to **D:\\MDTProduction\\Operating Systems\\W11EX64** and then skip to [Create a task sequence to upgrade to Windows 11 Enterprise](#create-a-task-sequence-to-upgrade-to-windows11-enterprise). - -On **MDT01**: - -1. Sign in as contoso\\administrator and copy the content of a Windows 11 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 11 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. -2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**. -3. Right-click the **Operating Systems** node, and create a new folder named **Windows 11**. -4. Expand the **Operating Systems** node, right-click the **Windows 11** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard: - - Full set of source files - - Source directory: (location of your source files) - - Destination directory name: W11EX64 -5. After adding the operating system, in the **Operating Systems / Windows 11** folder, double-click it and change the name to: **Windows 11 Enterprise x64 Default Image**. - -## Create a task sequence to upgrade to Windows 11 Enterprise - -On **MDT01**: - -1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 11**. -2. Right-click the new **Windows 11** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - - Task sequence ID: W11-X64-UPG - - Task sequence name: Windows 11 Enterprise x64 Upgrade - - Template: Standard Client Upgrade Task Sequence - - Select OS: Windows 11 Enterprise x64 Default Image - - Specify Product Key: Do not specify a product key at this time - - Organization: Contoso - - Admin Password: Do not specify an Administrator password at this time - -### Specify additional command line options - -Before running the upgrade task sequence, an additional step is required if you are upgrading to Windows 11. This step is not necessary if you are upgrading to Windows 10. - -The **/EULA accept** command line option is required starting with Windows 11. For more information, see [Windows Setup command-line options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#eula). To add this command line option: - -1. In the Windows 11 Enterprise x64 Upgrade task sequence that you just created, in the Preparation section, click **Add** > **General** > **Set Task Sequence Variable** and provide the following values: - - Name: WindowsUpgradeAdditionalOptions - - Task Sequence Variable: WindowsUpgradeAdditionalOptions - - Value: /EULA accept -2. Make the Set Task Sequence Variable step the first step in the Preparation phase by moving it up above the other steps. See the following example: - - - -Using the WindowsUpgradeAdditionalOptions variable to set command line options. - -## Perform the Windows 11 upgrade - -To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded). - -On **PC0002**: - -1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** -2. Select the **Windows 11 Enterprise x64 Upgrade** task sequence, and then click **Next**. -3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader -4. On the **Ready** tab, click **Begin** to start the task sequence. - When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. - - - -
- -After the task sequence completes, the computer will be fully upgraded to Windows 11. - -## Related topics - -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-[Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/) \ No newline at end of file diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md index 1a2a665f6a..600f2dec3e 100644 --- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md @@ -1,5 +1,5 @@ --- -title: Use Orchestrator runbooks with MDT (Windows 11) +title: Use Orchestrator runbooks with MDT (Windows 10) description: Learn how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f ms.reviewer: @@ -18,10 +18,6 @@ ms.topic: article # Use Orchestrator runbooks with MDT -**Applies to** -- Windows 10 -- Windows 11 - This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required. diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md similarity index 96% rename from windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-deployment-information.md rename to windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md index 85da7682da..235c3ecedb 100644 --- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-deployment-information.md +++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -1,6 +1,6 @@ --- -title: Use MDT database to stage Windows 11 deployment info (Windows 11) -description: Learn how to use the MDT database to pre-stage information on your Windows 11 deployment in a Microsoft SQL Server 2012 SP1 Express database. +title: Use MDT database to stage Windows 10 deployment info (Windows 10) +description: Learn how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database. ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46 ms.reviewer: manager: dougeby @@ -18,10 +18,6 @@ ms.topic: article # Use the MDT database to stage Windows 10 deployment information -**Applies to** -- Windows 10 -- Windows 11 - This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many additional settings for the machines. ## Database prerequisites diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md index f9c72cfd2c..21536126c8 100644 --- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md @@ -1,12 +1,12 @@ --- -title: Use web services in MDT (Windows 11) -description: Learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 11 deployment. +title: Use web services in MDT (Windows 10) +description: Learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522 ms.reviewer: manager: dougeby ms.author: greglin keywords: deploy, web apps -ms.prod: w11 +ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.pagetype: mdt @@ -18,10 +18,6 @@ ms.topic: article # Use web services in MDT -**Applies to** -- Windows 10 -- Windows 11 - In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Simply put, web services are web applications that run code on the server side, and MDT has built-in functions to call these web services. Using a web service in MDT is straightforward, but it does require that you have enabled the Web Server (IIS) role on the server. Developing web services involves a little bit of coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web. diff --git a/windows/deployment/images/acroread.png b/windows/deployment/images/acroread.png index 13bc5c84e1..142e7b6d74 100644 Binary files a/windows/deployment/images/acroread.png and b/windows/deployment/images/acroread.png differ diff --git a/windows/deployment/images/captureimage.png b/windows/deployment/images/captureimage.png index 9cccb88a1f..e9ebbf3aad 100644 Binary files a/windows/deployment/images/captureimage.png and b/windows/deployment/images/captureimage.png differ diff --git a/windows/deployment/images/deployment-workbench01.png b/windows/deployment/images/deployment-workbench01.png index 34a03a5e1d..c68ee25db1 100644 Binary files a/windows/deployment/images/deployment-workbench01.png and b/windows/deployment/images/deployment-workbench01.png differ diff --git a/windows/deployment/images/fig2-importedos.png b/windows/deployment/images/fig2-importedos.png index 8aa48d1b25..90cf910c24 100644 Binary files a/windows/deployment/images/fig2-importedos.png and b/windows/deployment/images/fig2-importedos.png differ diff --git a/windows/deployment/images/fig2-taskseq.png b/windows/deployment/images/fig2-taskseq.png index d3deca7024..bdd81ddbde 100644 Binary files a/windows/deployment/images/fig2-taskseq.png and b/windows/deployment/images/fig2-taskseq.png differ diff --git a/windows/deployment/images/fig4-oob-drivers.png b/windows/deployment/images/fig4-oob-drivers.png index 11eb769926..14d93fb278 100644 Binary files a/windows/deployment/images/fig4-oob-drivers.png and b/windows/deployment/images/fig4-oob-drivers.png differ diff --git a/windows/deployment/images/fig5-selectprofile.png b/windows/deployment/images/fig5-selectprofile.png index 61c795dcee..452ab4f581 100644 Binary files a/windows/deployment/images/fig5-selectprofile.png and b/windows/deployment/images/fig5-selectprofile.png differ diff --git a/windows/deployment/images/fig6-taskseq.png b/windows/deployment/images/fig6-taskseq.png index d77e99d70d..8696cc04c4 100644 Binary files a/windows/deployment/images/fig6-taskseq.png and b/windows/deployment/images/fig6-taskseq.png differ diff --git a/windows/deployment/images/fig8-cust-tasks.png b/windows/deployment/images/fig8-cust-tasks.png index 5a0c7c2ac7..3ab40d730a 100644 Binary files a/windows/deployment/images/fig8-cust-tasks.png and b/windows/deployment/images/fig8-cust-tasks.png differ diff --git a/windows/deployment/images/image-captured.png b/windows/deployment/images/image-captured.png index 281e8ea0ff..69c5d5ef15 100644 Binary files a/windows/deployment/images/image-captured.png and b/windows/deployment/images/image-captured.png differ diff --git a/windows/deployment/images/iso-data.png b/windows/deployment/images/iso-data.png index 27075a9502..f188046b7f 100644 Binary files a/windows/deployment/images/iso-data.png and b/windows/deployment/images/iso-data.png differ diff --git a/windows/deployment/images/mdt-03-fig03.png b/windows/deployment/images/mdt-03-fig03.png index 7e128451d6..a387923d80 100644 Binary files a/windows/deployment/images/mdt-03-fig03.png and b/windows/deployment/images/mdt-03-fig03.png differ diff --git a/windows/deployment/images/mdt-03-fig04.png b/windows/deployment/images/mdt-03-fig04.png index 9ac1267b22..437531d2f6 100644 Binary files a/windows/deployment/images/mdt-03-fig04.png and b/windows/deployment/images/mdt-03-fig04.png differ diff --git a/windows/deployment/images/mdt-07-fig10.png b/windows/deployment/images/mdt-07-fig10.png index 23037de07d..2c61e0eb3d 100644 Binary files a/windows/deployment/images/mdt-07-fig10.png and b/windows/deployment/images/mdt-07-fig10.png differ diff --git a/windows/deployment/images/mdt-10-fig05.png b/windows/deployment/images/mdt-10-fig05.png index 94ce5cd310..8625f2972b 100644 Binary files a/windows/deployment/images/mdt-10-fig05.png and b/windows/deployment/images/mdt-10-fig05.png differ diff --git a/windows/deployment/images/mdt-10-fig09.png b/windows/deployment/images/mdt-10-fig09.png index 77b8960921..bb5010a93d 100644 Binary files a/windows/deployment/images/mdt-10-fig09.png and b/windows/deployment/images/mdt-10-fig09.png differ diff --git a/windows/deployment/images/mdt-apps.png b/windows/deployment/images/mdt-apps.png index 73587506af..72ee2268f2 100644 Binary files a/windows/deployment/images/mdt-apps.png and b/windows/deployment/images/mdt-apps.png differ diff --git a/windows/deployment/images/mdt-offline-media.png b/windows/deployment/images/mdt-offline-media.png index d31ad0f27d..d81ea4e0d8 100644 Binary files a/windows/deployment/images/mdt-offline-media.png and b/windows/deployment/images/mdt-offline-media.png differ diff --git a/windows/deployment/images/mdt-replace.png b/windows/deployment/images/mdt-replace.png index 950ec3d6f7..d731037d38 100644 Binary files a/windows/deployment/images/mdt-replace.png and b/windows/deployment/images/mdt-replace.png differ diff --git a/windows/deployment/images/monitor-pc0001.PNG b/windows/deployment/images/monitor-pc0001.PNG index 10708e3f71..072b9cb58c 100644 Binary files a/windows/deployment/images/monitor-pc0001.PNG and b/windows/deployment/images/monitor-pc0001.PNG differ diff --git a/windows/deployment/images/pc0005-vm-office.png b/windows/deployment/images/pc0005-vm-office.png index d572ae77e9..bb8e96f5af 100644 Binary files a/windows/deployment/images/pc0005-vm-office.png and b/windows/deployment/images/pc0005-vm-office.png differ diff --git a/windows/deployment/images/pc0005-vm.png b/windows/deployment/images/pc0005-vm.png index 9d4c46dfac..4b2af635c4 100644 Binary files a/windows/deployment/images/pc0005-vm.png and b/windows/deployment/images/pc0005-vm.png differ diff --git a/windows/deployment/images/upgrademdt-fig5-winupgrade.png b/windows/deployment/images/upgrademdt-fig5-winupgrade.png index f346380b98..f3bc05508a 100644 Binary files a/windows/deployment/images/upgrademdt-fig5-winupgrade.png and b/windows/deployment/images/upgrademdt-fig5-winupgrade.png differ diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index 90d0c547cb..4d8bf0ff3e 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -36,46 +36,13 @@ Windows 10 also introduces two additional scenarios that organizations should c So how do you choose? At a high level: --
+| Consider ... | For these scenarios | +|---|---| +| In-place upgrade | - When you want to keep all (or at least most) existing applications- - -- - - - - -Consider ... -For these scenarios -- -In-place upgrade --
-
When you want to keep all (or at least most) existing applications
-When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
-To migrate from Windows 10 to a later Windows 10 release
-
- -Traditional wipe-and-load --
-
When you upgrade significant numbers of applications along with the new Windows OS
-When you make significant device or operating system configuration changes
-When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
-When you migrate from Windows Vista or other previous operating system versions
-
- - -Dynamic provisioning --
-
For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required
-When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps
-
- When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
- To migrate from Windows 10 to a later Windows 10 release | +| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS
- When you make significant device or operating system configuration changes
- When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
- When you migrate from Windows Vista or other previous operating system versions | +| Dynamic provisioning | - For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required.
- When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps | + - ## Migration from previous Windows versions For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall. @@ -105,7 +72,7 @@ In either of these scenarios, you can make a variety of configuration changes to ## Stay up to date -For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will be deployed two times per year. You can deploy these upgrades by using a variety of methods: +For computers using the [General Availability Channel](../update/waas-overview.md#general-availability-channel), you can deploy these upgrades by using a variety of methods: - Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet. - Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update). diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index 8ca699331f..a8e1aa8c67 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -103,7 +103,7 @@ sections: - question: | What are the servicing channels? answer: | - To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels). + To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: General Availability Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels). - question: | What tools can I use to manage Windows as a service updates? diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 5853c92bdc..b73c7cb293 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -1,7 +1,7 @@ --- title: Introduction to the Windows Insider Program for Business description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join. -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight ms.custom: seo-marvel-apr2020 ms.prod: w10 ms.mktglfcycl: manage @@ -22,7 +22,7 @@ ms.topic: article > **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. +For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the General Availability Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. The Windows Insider Program for Business gives you the opportunity to: @@ -35,7 +35,7 @@ The Windows Insider Program for Business gives you the opportunity to: Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. -The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. +The Windows Insider Program doesn't replace General Availability Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. [](images/WIP4Biz_deployment.png)
Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. @@ -52,12 +52,12 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op ## Validate Insider Preview builds Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: - -- Get a head start on your Windows validation process -- Identify issues sooner to accelerate your Windows deployment -- Engage Microsoft earlier for help with potential compatibility issues -- Deploy Windows 10 Semi-Annual releases faster and more confidently -- Maximize the 18-month support window that comes with each Semi-Annual release. + +- Get a head start on your Windows validation process. +- Identify issues sooner to accelerate your Windows deployment. +- Engage Microsoft earlier for help with potential compatibility issues. +- Deploy Windows 10 General Availability Channel releases faster and more confidently. +- Maximize the support window that comes with each General Availability Channel release. |Objective |Feature exploration| |---------|---------| diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md index f1d6c2488e..a9cda4ed31 100644 --- a/windows/deployment/update/get-started-updates-channels-tools.md +++ b/windows/deployment/update/get-started-updates-channels-tools.md @@ -1,7 +1,7 @@ --- title: Windows client updates, channels, and tools description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -35,7 +35,7 @@ version of the software. We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*. -- **Feature updates:** Released as soon as they become available. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. +- **Feature updates:** Released annually. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. - **Quality updates:** Quality updates deliver both security and non-security fixes. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously. - **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md). - **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not. @@ -51,7 +51,7 @@ The first step of controlling when and how devices install updates is assigning ### General Availability Channel -In the General Availability Channel, feature updates are available as soon as Microsoft releases them. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release. +In the General Availability Channel, feature updates are released annually. As long as a device isn't set to defer feature updates, any device in this channel will install a feature update as soon as it's released. If you use Windows Update for Business, the channel provides three months of additional total deployment time before being required to update to the next release. ### Windows Insider Program for Business diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 8bfab4700e..bb91408f6f 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -60,7 +60,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin 3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**. -  +  >[!NOTE] >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU. @@ -73,13 +73,13 @@ When using WSUS to manage updates on Windows client devices, start by configurin 7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**. -  +  8. In the **Configure Automatic Updates** dialog box, select **Enable**. 9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**. -  +  >[!IMPORTANT] > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations @@ -91,12 +91,12 @@ When using WSUS to manage updates on Windows client devices, start by configurin 11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**. -12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then select **OK**. +12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type `http://Your_WSUS_Server_FQDN:PortNumber`, and then select **OK**. >[!NOTE] >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance. -  +  >[!NOTE] >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.) @@ -116,7 +116,7 @@ You can use computer groups to target a subset of devices that have specific qua 2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**. -  +  3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**. @@ -144,7 +144,7 @@ When new computers communicate with WSUS, they appear in the **Unassigned Comput 2. Select both computers, right-click the selection, and then click **Change Membership**. -  +  3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**. @@ -162,7 +162,7 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr 3. In the search results, select the computers, right-click the selection, and then click **Change Membership**. -  +  4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**. @@ -179,7 +179,7 @@ The WSUS Administration Console provides a friendly interface from which you can 1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**. -  +  2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**. @@ -203,7 +203,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t 5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**. -  +  6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. @@ -213,7 +213,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t 9. In the **Target group name for this computer** box, type *Ring 4 Broad Business Users*. This is the name of the deployment ring in WSUS to which these computers will be added. -  +  > [!WARNING] > The target group name must match the computer group name. @@ -230,7 +230,7 @@ Now you’re ready to deploy this GPO to the correct computer security group for 3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group. -  +  The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring. @@ -239,7 +239,7 @@ The next time the clients in the **Ring 4 Broad Business Users** security group For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS. >[!NOTE] ->WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel (or General Availability Channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. +>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for the [General Availability Channel](waas-overview.md#general-availability-channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS. **To configure an Automatic Approval rule for Windows client feature updates and approve them for the Ring 3 Broad IT deployment ring** @@ -251,7 +251,7 @@ This example uses Windows 10, but the process is the same for Windows 11. 3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes. -  +  4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**. @@ -265,7 +265,7 @@ This example uses Windows 10, but the process is the same for Windows 11. 8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**. -  +  9. In the **Automatic Approvals** dialog box, click **OK**. @@ -300,7 +300,7 @@ To simplify the manual approval process, start by creating a software update vie 5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**. -  +  Now that you have the **All Windows 10 Upgrades** view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring: @@ -308,21 +308,21 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s 2. Right-click the feature update you want to deploy, and then click **Approve**. -  +  3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**. -  +  4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**. -  +  5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**. If the deployment is successful, you should receive a successful progress report. -  +  6. In the **Approval Progress** dialog box, click **Close**. diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 5947bdc897..543f0e96db 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -1,7 +1,7 @@ --- title: Overview of Windows as a service description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works. -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage author: jaimeo @@ -90,9 +90,9 @@ There are three servicing channels. The [Windows Insider Program](#windows-insid ### General Availability Channel -In the General Availability Channel, feature updates are available as soon as Microsoft releases them. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features immediately. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment. +In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment. -When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools). +When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools). > [!NOTE] @@ -120,7 +120,7 @@ The Long-term Servicing Channel is available only in the Windows 10 Enterprise L ### Windows Insider -For many IT pros, gaining visibility into feature updates early--before they’re available to the Semi-Annual Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. +For many IT pros, gaining visibility into feature updates early--before they’re available to the General Availability Channel — can be both intriguing and valuable for future end user communications as well as provide the means to test for any issues on the next General Availability release. Windows Insiders can consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started). @@ -130,7 +130,7 @@ Microsoft recommends that all organizations have at least a few devices enrolled There are many tools you can use to service Windows as a service. Each option has its pros and cons, ranging from capabilities and control to simplicity and low administrative requirements. The following are examples of the servicing tools available to manage Windows as a service updates: -- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the Semi-Annual Channel. Organizations can target which devices defer updates by selecting the **Defer upgrades** check box in **Start\Settings\Update & Security\Advanced Options** on a Windows client device. +- **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the General Availability Channel. Organizations can target which devices defer updates by selecting the **Defer upgrades** check box in **Start\Settings\Update & Security\Advanced Options** on a Windows client device. - **Windows Update for Business** includes control over update deferment and provides centralized management using Group Policy or MDM. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the General Availability Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Microsoft Intune. - **Windows Server Update Services (WSUS)** provides extensive control over updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready. - **Microsoft Endpoint Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index f9c793095d..59bb0e9b9a 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -1,14 +1,14 @@ --- title: Quick guide to Windows as a service (Windows 10) description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy. -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +keywords: updates, servicing, current, deployment, General Availability Channel, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage author: jaimeo ms.localizationpriority: high ms.author: jaimeo ms.reviewer: -manager: laurawi +manager: dougeby ms.topic: article --- @@ -25,12 +25,13 @@ Here is a quick guide to the most important concepts in Windows as a service. Fo ## Definitions Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean. -- **Feature updates** are released twice per year, around March and September. As the name suggests, these updates add new features, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. + +- **Feature updates** are released annually. As the name suggests, these updates add new features, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years. - **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md). - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. - **Servicing channels** allow organizations to choose when to deploy new features. - - The **General Availability Channel** receives feature updates as they become available. - - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. + - The **General Availability Channel** receives feature updates annually. + - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. - **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. See [Overview of Windows as a service](waas-overview.md) for more information. @@ -51,6 +52,6 @@ To stay up to date, deploy feature updates at an appropriate time after their re Extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin. -This process repeats with each new feature update as they become available. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles. +This process repeats with each new feature update. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles. Other technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files. diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index cbf9133ff3..65880f7388 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -43,7 +43,7 @@ The General Availability Channel is the default servicing channel for all Window >The LTSC edition is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). >[!NOTE] ->Devices will automatically receive updates from the Semi-Annual Channel, unless they are configured to receive preview updates through the Windows Insider Program. +>Devices will automatically receive updates from the General Availability Channel, unless they are configured to receive preview updates through the Windows Insider Program. ## Enroll devices in the Windows Insider Program diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index c50df27515..600631905f 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -15,6 +15,7 @@ ms.topic: article --- # Windows 10 upgrade paths + **Applies to** - Windows 10 @@ -25,194 +26,73 @@ This topic provides a summary of available upgrade paths to Windows 10. You can If you are also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths, but please note that applications and settings are not maintained when the Windows edition is downgraded. -> **Windows 10 version upgrade**: You can directly upgrade any semi-annual channel version of Windows 10 to a newer, supported semi-annual channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. -> -> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](/windows/release-health/release-information) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**. -> -> **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. -> -> **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355). +- **Windows 10 version upgrade**: You can directly upgrade any General Availability Channel version of Windows 10 to a newer, supported General Availability Channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. + +- **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC is not supported. Windows 10 LTSC 2015 did not block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options. + + You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`. + +- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. + +- **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355). + +## Windows 10 + +✔ = Full upgrade is supported including personal data, settings, and applications. -✔ = Full upgrade is supported including personal data, settings, and applications.
D = Edition downgrade; personal data is maintained, applications and settings are removed. -
--
+--- +| | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | +|---|---|---|---|---|---| +| **Home** | | ✔ | ✔ | ✔ | | +| **Pro** | D | | ✔ | ✔ | ✔ | +| **Education** | | | | | D | +| **Enterprise** | | | | ✔ | | +--- + +## Windows 8.1 + +✔ = Full upgrade is supported including personal data, settings, and applications. + +D = Edition downgrade; personal data is maintained, applications and settings are removed. + +--- +| | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | +|---|---|---|---|---|---| +| **(Core)** | ✔ | ✔ | ✔ | ✔ | | +| **Connected** | ✔ | ✔ | ✔ | ✔ | | +| **Pro** | D | ✔ | ✔ | ✔ | ✔ | +| **Pro Student** | D | ✔ | ✔ | ✔ | ✔ | +| **Pro WMC** | D | ✔ | ✔ | ✔ | ✔ | +| **Enterprise** | | | | ✔ | ✔ | +| **Embedded Industry** | | | | | ✔ | + +--- + +## Windows 7 + +✔ = Full upgrade is supported including personal data, settings, and applications. + +D = Edition downgrade; personal data is maintained, applications and settings are removed. + +--- +| | Windows 10 Home | Windows 10 Pro | Windows 10 Pro Education | Windows 10 Education | Windows 10 Enterprise | +|---|---|---|---|---|---| +| **Starter** | ✔ | ✔ | ✔ | ✔ | | +| **Home Basic** | ✔ | ✔ | ✔ | ✔ | | +| **Home Premium** | ✔ | ✔ | ✔ | ✔ | | +| **Professional** | D | ✔ | ✔ | ✔ | ✔ | +| **Ultimate** | D | ✔ | ✔ | ✔ | ✔ | +| **Enterprise** | | | | ✔ | ✔ | + +--- ## Related Topics -[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)- -Windows 10 Home -Windows 10 Pro -Windows 10 Pro Education -Windows 10 Education -Windows 10 Enterprise -- -Windows 7 -- -Starter -✔ -✔ -✔ -✔ -- - -Home Basic -✔ -✔ -✔ -✔ -- - -Home Premium -✔ -✔ -✔ -✔ -- - -Professional -D -✔ -✔ -✔ -✔ -- -Ultimate -D -✔ -✔ -✔ -✔ -- -Enterprise -- - - ✔ -✔ -- -Windows 8.1 -- -(Core) -✔ -✔ -✔ -✔ -- - -Connected -✔ -✔ -✔ -✔ -- - -Pro -D -✔ -✔ -✔ -✔ -- -Pro Student -D -✔ -✔ -✔ -✔ -- -Pro WMC -D -✔ -✔ -✔ -✔ -- -Enterprise -- - - ✔ -✔ -- -Embedded Industry -- - - - ✔ -- -Windows RT -- - - - - - -Windows Phone 8.1 -- - - - - - -Windows 10 -- -Home -- ✔ -✔ -✔ -- - -Pro -D -- ✔ -✔ -✔ -- -Education -- - - - D -- -Enterprise -- - - ✔ --
-[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md) \ No newline at end of file +[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) + +[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md) + +[Windows 10 edition upgrade](windows-10-edition-upgrades.md) diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 0e160f2943..3595e295f0 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -34,43 +34,12 @@ When you select a product, for example “Windows 10 Enterprise” or “Windows > [!NOTE] > If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx). -In Windows 10, version 1709 the packaging of volume licensing media and upgrade packages is different than it has been for previous releases. Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. The following section explains this change. - -### Windows 10, version 1709 - -Windows 10, version 1709 is available starting on 10/17/2017 in all relevant distribution channels. Note: An updated [Windows ADK for Windows 10](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) is also available. - -For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images: - - - -When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update. - -For packages published to Windows Server Update Services (WSUS), you’ll also notice the change because, instead of having separate packages for each Windows edition, there will be just one package: - -
- -| Title | Classification | Description | -| --- | --- | --- | -| Feature update to Windows 10, version 1709, \
- -When you approve one of these packages, it applies to all of the editions. - -This Semi-Annual Channel release of Windows 10 continues the Windows as a service methodology. For more information about implementing Windows as a service in your organization in order to stay up to date with Windows, see [Update Windows 10 in the enterprise](./update/index.md). - +Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. ### Language packs -- **Windows 10 versions 1507 and 1511**: you can select **Windows 10 Enterprise Language Pack**, click **Download** and then select **English** and **64-bit** to see these downloads. - **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages. -See the following example for Windows 10, version 1709: - - - ### Features on demand [Features on demand](/archive/blogs/mniehaus/adding-features-including-net-3-5-to-windows-10) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 4d6d62258a..46c4eef1ae 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -23,7 +23,7 @@ Applies to: - Windows 10 - Windows 11 -Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5. +Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5. With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. @@ -44,9 +44,10 @@ For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 ## Subscription Activation for Windows 10/11 Enterprise -With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. +Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. If you are running Windows 10, version 1703 or later: + - Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively. - Product key-based Windows 10 Enterprise or Windows 11 Enterprise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions. @@ -109,8 +110,6 @@ An issue has been identified with Hybrid Azure AD joined devices that have enabl To resolve this issue: -If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal. - If the device is running Windows 10, version 1809 or later: - Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. @@ -166,7 +165,7 @@ The IT administrator assigns Windows 10 Enterprise to a user. See the following When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. -Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. +Devices running Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education General Availability Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. The following figures summarize how the Subscription Activation model works: @@ -190,19 +189,7 @@ You are using Windows 10, version 1803 or above, and just purchased Windows 10 E All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. -#### Scenario #2 - -You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). - -To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: - -```console -cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43 -``` - -The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate. This key comes from [Appendix A: KMS Client Setup Keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide. It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. - -#### Scenario #3 +#### Scenario #2 Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. @@ -231,7 +218,7 @@ If you are running Windows 10, version 1803 or later, Subscription Activation wi If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. -If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: +If the computer has never been activated with a Pro key, run the following script. Copy the text below into a `.cmd` file, and run the file from an elevated command prompt: ```console @echo off @@ -249,6 +236,12 @@ changepk.exe /ProductKey %ProductKey% ) ``` +Since [WMIC was deprecated](/windows/win32/wmisdk/wmic) in Windows 10, version 21H1, you can use the following Windows PowerShell script instead: + +```powershell +$(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;.\changepk.exe /Productkey $_ } else { Write-Host "No key present" } } +``` + ### Obtaining an Azure AD license Enterprise Agreement/Software Assurance (EA/SA): diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index b47dd4d0f2..ac69de04a3 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -47,7 +47,7 @@ These are the things you'll need to complete this lab: | | Description | |:---|:---| -|**Windows 10 installation media**|Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you don't already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.| +|**Windows 10 installation media**|Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, General Availability Channel. If you don't already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.| |**Internet access**|If you're behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the internet.| |**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.| |**An account with Azure Active Directory (AD) Premium license**|This guide will describe how to obtain a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.| diff --git a/windows/manage/TOC.yml b/windows/manage/TOC.yml new file mode 100644 index 0000000000..892ce64421 --- /dev/null +++ b/windows/manage/TOC.yml @@ -0,0 +1,2 @@ +- name: Test + href: test.md diff --git a/windows/manage/test.md b/windows/manage/test.md new file mode 100644 index 0000000000..36d16a3f6b --- /dev/null +++ b/windows/manage/test.md @@ -0,0 +1,19 @@ +--- +title: Test +description: Test +ms.prod: w11 +ms.mktglfcycl: deploy +ms.sitesec: library +author: dstrome +ms.author: dstrome +ms.reviewer: +manager: dstrome +ms.topic: article +--- + +# Test + +## Deployment planning + +This article provides guidance to help you plan for Windows 11 in your organization. + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 16e94c4bd9..a2c09c70c3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: ms.reviewer: --- @@ -34,7 +34,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index fe2e57d529..2c105c0127 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: ms.reviewer: --- @@ -34,7 +34,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -3029,22 +3029,6 @@ The following fields are available: - **winInetError** The HResult of the operation. - -## Other events - -### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties - -This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management. - -The following fields are available: - -- **nodeId** The nodeTypeId concatenated with the hostname or IP address that gateway uses to connect to this node. -- **nodeOperatingSystem** A user friendly description of the node's OS version. -- **nodeOSVersion** A major or minor build version string for the node's OS. -- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyper-converged cluster. -- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string. - - ## Privacy logging notification events ### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 27ad38b904..89feae1164 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: ms.reviewer: --- @@ -34,7 +34,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -44,7 +44,6 @@ You can learn more about Windows functional and diagnostic data through these ar - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount @@ -4370,14 +4369,6 @@ The following fields are available: ## Other events -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. ## Privacy consent logging events @@ -5473,6 +5464,17 @@ The following fields are available: - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. +## Surface events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + ## Update Assistant events diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index e45351e107..e170e13dbe 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: ms.reviewer: --- @@ -24,7 +24,6 @@ ms.reviewer: - Windows 10, version 1809 - The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -34,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -5790,36 +5789,6 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. - -## Other events - -### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties - -This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management. - -The following fields are available: - -- **nodeId** The nodeTypeId concatenated with the hostname or IP address that gateway uses to connect to this node. -- **nodeOperatingSystem** A user friendly description of the node's OS version. -- **nodeOSVersion** A major or minor build version string for the node's OS. -- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyper-converged cluster. -- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. - -The following fields are available: - -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Size of the battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. - - ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -7029,6 +6998,22 @@ The following fields are available: - **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. +## Surface events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Size of the battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + ## System Resource Usage Monitor events diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index d9cf6ceee1..7cd176eb53 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/08/2021 +ms.date: --- @@ -39,7 +39,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: - [Required Windows 11 diagnostic events and fields](required-windows-11-diagnostic-events-and-fields.md) -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -277,6 +277,8 @@ The following fields are available: - **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. @@ -290,6 +292,8 @@ The following fields are available: - **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. @@ -306,6 +310,8 @@ The following fields are available: - **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. @@ -322,6 +328,8 @@ The following fields are available: - **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -335,6 +343,8 @@ The following fields are available: - **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -348,6 +358,8 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -362,6 +374,8 @@ The following fields are available: - **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. @@ -378,6 +392,8 @@ The following fields are available: - **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. @@ -391,6 +407,8 @@ The following fields are available: - **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. @@ -407,6 +425,8 @@ The following fields are available: - **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. @@ -423,6 +443,8 @@ The following fields are available: - **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -436,6 +458,8 @@ The following fields are available: - **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -449,6 +473,8 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -462,6 +488,8 @@ The following fields are available: - **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. @@ -469,17 +497,19 @@ The following fields are available: - **DecisionMediaCenter_RS5** The total number of objects of this type present on this device. - **DecisionMediaCenter_TH1** The total number of objects of this type present on this device. - **DecisionMediaCenter_TH2** The total number of objects of this type present on this device. -- **DecisionSModeState_19H1** The total number of objects of this type present on this device. +- **DecisionSModeState_19H1** The total number of objects of this type present on this device. - **DecisionSModeState_20H1** The total number of objects of this type present on this device. - **DecisionSModeState_20H1Setup** The total number of objects of this type present on this device. - **DecisionSModeState_21H1** The total number of objects of this type present on this device. -- **DecisionSModeState_RS1** The total number of objects of this type present on this device. -- **DecisionSModeState_RS2** The total number of objects of this type present on this device. -- **DecisionSModeState_RS3** The total number of objects of this type present on this device. -- **DecisionSModeState_RS4** The total number of objects of this type present on this device. -- **DecisionSModeState_RS5** The total number of objects of this type present on this device. -- **DecisionSModeState_TH1** The total number of objects of this type present on this device. -- **DecisionSModeState_TH2** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_RS1** The total number of objects of this type present on this device. +- **DecisionSModeState_RS2** The total number of objects of this type present on this device. +- **DecisionSModeState_RS3** The total number of objects of this type present on this device. +- **DecisionSModeState_RS4** The total number of objects of this type present on this device. +- **DecisionSModeState_RS5** The total number of objects of this type present on this device. +- **DecisionSModeState_TH1** The total number of objects of this type present on this device. +- **DecisionSModeState_TH2** The total number of objects of this type present on this device. - **DecisionSystemBios_19ASetup** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. @@ -487,6 +517,8 @@ The following fields are available: - **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_RS1** The total number of objects of this type present on this device. - **DecisionSystemBios_RS2** The total number of objects of this type present on this device. - **DecisionSystemBios_RS3** The total number of objects of this type present on this device. @@ -497,67 +529,79 @@ The following fields are available: - **DecisionSystemBios_RS5Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_TH1** The total number of objects of this type present on this device. - **DecisionSystemBios_TH2** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_19H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_19H1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_20H1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS4** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_RS5** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_TH1** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_TH2** The total number of objects of this type present on this device. -- **DecisionSystemMemory_19H1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS4** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_RS5** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_TH1** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_TH2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_19H1** The total number of objects of this type present on this device. - **DecisionSystemMemory_20H1** The total number of objects of this type present on this device. - **DecisionSystemMemory_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H1** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS4** The total number of objects of this type present on this device. -- **DecisionSystemMemory_RS5** The total number of objects of this type present on this device. -- **DecisionSystemMemory_TH1** The total number of objects of this type present on this device. -- **DecisionSystemMemory_TH2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS4** The total number of objects of this type present on this device. +- **DecisionSystemMemory_RS5** The total number of objects of this type present on this device. +- **DecisionSystemMemory_TH1** The total number of objects of this type present on this device. +- **DecisionSystemMemory_TH2** The total number of objects of this type present on this device. - **DecisionSystemProcessor_RS2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_19H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_19H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_20H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS4** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_RS5** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_TH1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_TH2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_19H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_19H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_20H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS4** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_RS5** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_TH1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_TH2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_19H1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_19H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_20H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS4** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_RS5** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_TH1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_TH2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS4** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_RS5** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_TH1** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_TH2** The total number of objects of this type present on this device. - **DecisionTest_19H1** The total number of objects of this type present on this device. - **DecisionTest_20H1** The total number of objects of this type present on this device. - **DecisionTest_20H1Setup** The total number of objects of this type present on this device. - **DecisionTest_21H1** The total number of objects of this type present on this device. - **DecisionTest_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_21H2** The total number of objects of this type present on this device. +- **DecisionTest_21H2Setup** The total number of objects of this type present on this device. - **DecisionTest_RS1** The total number of objects of this type present on this device. - **DecisionTest_RS2** The total number of objects of this type present on this device. - **DecisionTest_RS3** The total number of objects of this type present on this device. @@ -565,28 +609,32 @@ The following fields are available: - **DecisionTest_RS5** The total number of objects of this type present on this device. - **DecisionTest_TH1** The total number of objects of this type present on this device. - **DecisionTest_TH2** The total number of objects of this type present on this device. -- **DecisionTpmVersion_19H1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_19H1** The total number of objects of this type present on this device. - **DecisionTpmVersion_20H1** The total number of objects of this type present on this device. - **DecisionTpmVersion_20H1Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H1** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS4** The total number of objects of this type present on this device. -- **DecisionTpmVersion_RS5** The total number of objects of this type present on this device. -- **DecisionTpmVersion_TH1** The total number of objects of this type present on this device. -- **DecisionTpmVersion_TH2** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_19H1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H2Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS4** The total number of objects of this type present on this device. +- **DecisionTpmVersion_RS5** The total number of objects of this type present on this device. +- **DecisionTpmVersion_TH1** The total number of objects of this type present on this device. +- **DecisionTpmVersion_TH2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_19H1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_20H1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_20H1Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS4** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_RS5** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_TH1** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_TH2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H2Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS4** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_RS5** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_TH1** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_TH2** The total number of objects of this type present on this device. - **InventoryApplicationFile** The total number of objects of this type present on this device. - **InventoryDeviceContainer** The total number of objects of this type present on this device. - **InventoryDevicePnp** The total number of objects of this type present on this device. @@ -616,6 +664,8 @@ The following fields are available: - **Wmdrm_20H1Setup** The total number of objects of this type present on this device. - **Wmdrm_21H1** The total number of objects of this type present on this device. - **Wmdrm_21H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_21H2** The total number of objects of this type present on this device. +- **Wmdrm_21H2Setup** The total number of objects of this type present on this device. - **Wmdrm_RS1** The total number of objects of this type present on this device. - **Wmdrm_RS2** The total number of objects of this type present on this device. - **Wmdrm_RS3** The total number of objects of this type present on this device. @@ -4237,6 +4287,7 @@ The following fields are available: - **DriverInfSectionName** Name of the DDInstall section within the driver INF file. - **DriverPackageId** The ID of the driver package that is staged to the driver store. - **DriverProvider** The driver manufacturer or provider. +- **DriverShimIds** List of driver shim IDs. - **DriverUpdated** Indicates whether the driver is replacing an old driver. - **DriverVersion** The version of the driver file. - **EndTime** The time the installation completed. @@ -4614,13 +4665,13 @@ The following fields are available: - **Generic** A count of generic objects in cache. - **HwItem** A count of hwitem objects in cache. - **InventoryAcpiPhatHealthRecord** A count of ACPI PHAT health records in cache. -- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version elements in cache +- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT version elements in cache. - **InventoryApplication** A count of application objects in cache. - **InventoryApplicationAppV** A count of application AppV objects in cache. -- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationDriver** A count of application driver objects in cache. - **InventoryApplicationFile** A count of application file objects in cache. -- **InventoryApplicationFramework** A count of application framework objects in cache -- **InventoryApplicationShortcut** A count of application shortcut objects in cache +- **InventoryApplicationFramework** A count of application framework objects in cache. +- **InventoryApplicationShortcut** A count of application shortcut objects in cache. - **InventoryDeviceContainer** A count of device container objects in cache. - **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. - **InventoryDeviceMediaClass** A count of device media objects in cache. @@ -4631,14 +4682,14 @@ The following fields are available: - **InventoryDriverPackage** A count of device objects in cache. - **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache - **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. -- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache -- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache -- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache -- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache -- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache -- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache -- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache -- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache. +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache. +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache. +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache. +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache. +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache. +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache. +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache. - **InventoryVersion** The version of the inventory binary generating the events. - **Metadata** A count of metadata objects in cache. - **Orphan** A count of orphan file objects in cache. @@ -5896,27 +5947,6 @@ The following fields are available: - **ModelName** Windows Mixed Reality device model name. - **SerialNumber** Windows Mixed Reality device serial number. - -## OneDrive events - -### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation - -This event is related to the OS version when the OS is upgraded with OneDrive installed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. - -The following fields are available: - -- **CurrentOneDriveVersion** The current version of OneDrive. -- **CurrentOSBuildBranch** The current branch of the operating system. -- **CurrentOSBuildNumber** The current build number of the operating system. -- **CurrentOSVersion** The current version of the operating system. -- **HResult** The HResult of the operation. -- **SourceOSBuildBranch** The source branch of the operating system. -- **SourceOSBuildNumber** The source build number of the operating system. -- **SourceOSVersion** The source version of the operating system. - - -## Other events - ### Microsoft.ML.ONNXRuntime.ProcessInfo This event collects information when an application loads ONNXRuntime.dll. The data collected with this event is used to keep Windows product and service performing properly. @@ -5941,21 +5971,52 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. +## OneDrive events -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. +This event is related to the OS version when the OS is upgraded with OneDrive installed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. The following fields are available: -- **batteryData** Hardware level data about battery performance. -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +This event provides the effectiveness of new privacy experience. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +## Update Assistant events ### Microsoft.Windows.UpdateHealthTools.ExpediteBlocked @@ -6336,37 +6397,6 @@ The following fields are available: - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of remediation. - -## Privacy consent logging events - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted - -This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **presentationVersion** Which display version of the privacy consent experience the user completed -- **privacyConsentState** The current state of the privacy consent experience -- **settingsVersion** Which setting version of the privacy consent experience the user completed -- **userOobeExitReason** The exit reason of the privacy consent experience - - -### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus - -This event provides the effectiveness of new privacy experience. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **isAdmin** whether the person who is logging in is an admin -- **isExistingUser** whether the account existed in a downlevel OS -- **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience -- **userRegionCode** The current user's region setting - - -## Quality Update Assistant events - ### Microsoft.Windows.QualityUpdateAssistant.Applicability This event sends basic info on whether the device should be updated to the latest cumulative update. The data collected with this event is used to help keep Windows up to date and secure. @@ -7037,6 +7067,19 @@ The following fields are available: - **healthLogSize** 4KB. - **productId** Identifier for product model. +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Hardware level data about battery performance. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. ## System reset events diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 99c3bb9e74..c4cac4808b 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -261,11 +261,15 @@ The Windows diagnostic data processor configuration enables you to be the contro ### Prerequisites -- The device must be any of the following releases of Windows: - - Windows 11 Enterprise, Professional, or Education edition - - Windows 10 Enterprise, Education, or Professional edition, version 1809 with July 2021 update or later. +- Use a supported version of Windows 10 or Windows 11 +- The following editions are supported: + - Enterprise + - Professional + - Education - The device must be joined to Azure Active Directory. +For the best experience, use the most current build of any operating system specified above. Configuration functionality and availability may vary on older systems. See [Lifecycle Policy](/lifecycle/products/windows-10-enterprise-and-education) + The diagnostic data setting on the device should be set to Required diagnostic data or higher, and the following endpoints need to be reachable: - v10c.events.data.microsoft.com diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md new file mode 100644 index 0000000000..c6578dcc77 --- /dev/null +++ b/windows/privacy/manage-windows-21h2-endpoints.md @@ -0,0 +1,157 @@ +--- +title: Connection endpoints for Windows 10 Enterprise, version 21H2 +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H2. +keywords: privacy, manage connections to Microsoft, Windows 10 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: gental-giant +ms.author: v-hakima +manager: robsize +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/04/2021 +--- + +# Manage connection endpoints for Windows 10 Enterprise, version 21H2 + +**Applies to** + +- Windows 10 Enterprise, version 21H2 + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic. + +The following methodology was used to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here. +7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different. +8. These tests were conducted for one week, but if you capture traffic for longer you may have different results. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 21H2 Enterprise connection endpoints + +|Area|Description|Protocol|Destination| +|----------------|----------|----------|------------| +|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com| +||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net| +||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com| +|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| +||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*| +|||TLSv1.2/HTTPS/HTTP|fp.msedge.net| +|||TLSv1.2|I-ring.msedge.net| +|||HTTPS|s-ring.msedge.net| +|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| +|||HTTP|dmd.metaservices.microsoft.com| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com| +||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com| +|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com| +|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)| +|||HTTPS|fs.microsoft.com| +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| +|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com| +|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com| +|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com| +|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)| +||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| +||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com| +|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com| +|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net| +||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com| +||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com| +||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com| +|||HTTPS|pti.store.microsoft.com| +|||HTTP|share.microsoft.com| +||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com| +|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| +||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|www.office.com| +|||HTTPS|blobs.officehome.msocdn.com| +|||HTTPS|officehomeblobs.blob.core.windows.net| +|||HTTPS|self.events.data.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net| +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)| +|||TLSv1.2/HTTPS/HTTP|g.live.com| +|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms| +|||HTTPS| logincdn.msauth.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com| +|||HTTPS|settings.data.microsoft.com| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|||HTTPS/HTTP|*.pipe.aria.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com| +|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|||HTTPS/TLSv1.2|wdcp.microsoft.com| +||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com| +|||HTTPS/HTTP|checkappexec.microsoft.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|||TLSv1.2/HTTPS/HTTP|arc.msn.com| +|||HTTPS|ris.api.iris.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com| +|||HTTP|emdl.ws.microsoft.com| +||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com| +|||HTTP|*.windowsupdate.com| +||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com| +|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com| +||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com| +|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +|||HTTPS|dlassets-ssl.xboxlive.com| + + +## Other Windows 10 editions + +To view endpoints for other versions of Windows 10 Enterprise, see: + +- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: + +- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md) +- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md) +- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md) +- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) + +## Related links + +- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints) \ No newline at end of file diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 246577e395..728704a57e 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -36,7 +36,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 535d41535f..5c6f22d52c 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -1,6 +1,6 @@ --- description: Use this article to learn more about what required Windows diagnostic data is gathered. -title: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) +title: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) keywords: privacy, telemetry ms.prod: w10 ms.mktglfcycl: manage @@ -13,11 +13,11 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 10/04/2021 +ms.date: --- -# Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields +# Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields > [!IMPORTANT] @@ -26,10 +26,12 @@ ms.date: 10/04/2021 **Applies to** +- Windows 10, version 21H2 - Windows 10, version 21H1 - Windows 10, version 20H2 - Windows 10, version 2004 + Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. Required diagnostic data helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -63,6 +65,8 @@ The following fields are available: - **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2** The total number of objects of this type present on this device. +- **DatasourceApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. @@ -76,6 +80,8 @@ The following fields are available: - **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. @@ -91,6 +97,8 @@ The following fields are available: - **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. @@ -106,6 +114,8 @@ The following fields are available: - **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -119,6 +129,8 @@ The following fields are available: - **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -132,6 +144,8 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -145,6 +159,8 @@ The following fields are available: - **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2** The total number of objects of this type present on this device. +- **DatasourceSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. @@ -160,6 +176,8 @@ The following fields are available: - **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2** The total number of objects of this type present on this device. +- **DecisionApplicationFile_21H2Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. @@ -173,6 +191,8 @@ The following fields are available: - **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2** The total number of objects of this type present on this device. +- **DecisionDevicePnp_21H2Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. @@ -188,6 +208,8 @@ The following fields are available: - **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2** The total number of objects of this type present on this device. +- **DecisionDriverPackage_21H2Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. @@ -203,6 +225,8 @@ The following fields are available: - **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. @@ -216,6 +240,8 @@ The following fields are available: - **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. @@ -229,6 +255,8 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. @@ -242,6 +270,8 @@ The following fields are available: - **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2** The total number of objects of this type present on this device. +- **DecisionMediaCenter_21H2Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. @@ -254,6 +284,8 @@ The following fields are available: - **DecisionSModeState_20H1Setup** The total number of objects of this type present on this device. - **DecisionSModeState_21H1** The total number of objects of this type present on this device. - **DecisionSModeState_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2** The total number of objects of this type present on this device. +- **DecisionSModeState_21H2Setup** The total number of objects of this type present on this device. - **DecisionSModeState_RS1** The total number of objects of this type present on this device. - **DecisionSModeState_RS2** The total number of objects of this type present on this device. - **DecisionSModeState_RS3** The total number of objects of this type present on this device. @@ -267,6 +299,8 @@ The following fields are available: - **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2** The total number of objects of this type present on this device. +- **DecisionSystemBios_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_RS1** The total number of objects of this type present on this device. - **DecisionSystemBios_RS2** The total number of objects of this type present on this device. - **DecisionSystemBios_RS3** The total number of objects of this type present on this device. @@ -281,6 +315,8 @@ The following fields are available: - **DecisionSystemDiskSize_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS2** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_RS3** The total number of objects of this type present on this device. @@ -293,6 +329,8 @@ The following fields are available: - **DecisionSystemMemory_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H1** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H2** The total number of objects of this type present on this device. +- **DecisionSystemMemory_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS1** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS2** The total number of objects of this type present on this device. - **DecisionSystemMemory_RS3** The total number of objects of this type present on this device. @@ -305,6 +343,8 @@ The following fields are available: - **DecisionSystemProcessorCpuCores_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_RS3** The total number of objects of this type present on this device. @@ -317,6 +357,7 @@ The following fields are available: - **DecisionSystemProcessorCpuModel_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_21H2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_RS3** The total number of objects of this type present on this device. @@ -329,6 +370,8 @@ The following fields are available: - **DecisionSystemProcessorCpuSpeed_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H2** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_21H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_RS3** The total number of objects of this type present on this device. @@ -341,6 +384,8 @@ The following fields are available: - **DecisionTest_20H1Setup** The total number of objects of this type present on this device. - **DecisionTest_21H1** The total number of objects of this type present on this device. - **DecisionTest_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTest_21H2** The total number of objects of this type present on this device. +- **DecisionTest_21H2Setup** The total number of objects of this type present on this device. - **DecisionTest_RS1** The total number of objects of this type present on this device. - **DecisionTest_RS2** The total number of objects of this type present on this device. - **DecisionTest_RS3** The total number of objects of this type present on this device. @@ -353,6 +398,8 @@ The following fields are available: - **DecisionTpmVersion_20H1Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H1** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H1Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H2** The total number of objects of this type present on this device. +- **DecisionTpmVersion_21H2Setup** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS1** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS2** The total number of objects of this type present on this device. - **DecisionTpmVersion_RS3** The total number of objects of this type present on this device. @@ -365,6 +412,8 @@ The following fields are available: - **DecisionUefiSecureBoot_20H1Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H1Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H2** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_21H2Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS2** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_RS3** The total number of objects of this type present on this device. @@ -395,6 +444,8 @@ The following fields are available: - **Wmdrm_20H1Setup** The total number of objects of this type present on this device. - **Wmdrm_21H1** The total number of objects of this type present on this device. - **Wmdrm_21H1Setup** The total number of objects of this type present on this device. +- **Wmdrm_21H2** The total number of objects of this type present on this device. +- **Wmdrm_21H2Setup** The total number of objects of this type present on this device. - **Wmdrm_RS1** The total number of objects of this type present on this device. - **Wmdrm_RS2** The total number of objects of this type present on this device. - **Wmdrm_RS3** The total number of objects of this type present on this device. @@ -2446,6 +2497,7 @@ The following fields are available: - **objectType** Indicates the object type that the event applies to. - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + ## Component-based servicing events ### CbsServicingProvider.CbsCapabilityEnumeration @@ -2978,6 +3030,7 @@ The following fields are available: - **DriverInfSectionName** Name of the DDInstall section within the driver INF file. - **DriverPackageId** The ID of the driver package that is staged to the driver store. - **DriverProvider** The driver manufacturer or provider. +- **DriverShimIds** List of driver shim IDs. - **DriverUpdated** Indicates whether the driver is replacing an old driver. - **DriverVersion** The version of the driver file. - **EndTime** The time the installation completed. @@ -4375,7 +4428,7 @@ The following fields are available: - **device_sample_rate** A number representing how often the device sends telemetry, expressed as a percentage. Low values indicate that device sends more events and high values indicate that device sends fewer events. The value is rounded to 5 significant figures for privacy reasons and if an error is hit in getting the device sample number value from the registry then this will be -1; and if client is not on a UTC-enabled platform, then this value will not be set. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. -- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol) for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **installSourceName** A string representation of the installation source. @@ -4618,195 +4671,16 @@ The following fields are available: - **totalRunDuration** Total running/evaluation time from last time. - **totalRuns** Total number of running/evaluation from last time. +## Settings events -## Other events +### Microsoft.Windows.Shell.SystemSettings.SettingsAppActivity.ProtocolActivation -### Microsoft.Surface.Battery.Prod.BatteryInfoEvent - -This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. +This event tracks protocol launching for Setting's URIs. The data collected with this event is used to help keep Windows up to date. The following fields are available: -- **batteryData** Battery Performance data. -- **batteryData.data()** Battery performance data. -- **BatteryDataSize:** Size of the battery performance data. -- **batteryInfo.data()** Battery performance data. -- **BatteryInfoSize:** Size of the battery performance data. -- **pszBatteryDataXml** Battery performance data. -- **szBatteryInfo** Battery performance data. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM - -This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device. -- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC? -- **BPMHvtCountA** Current HVT count for BPM counter A. -- **BPMHvtCountB** Current HVT count for BPM counter B. -- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count. -- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. -- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. -- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. -- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. -- **BPMTotalEngagedMinutes** Total time that BPM was engaged. -- **BPMTotalEntryEvents** Total number of times entering BPM. -- **ComponentId** Component ID. -- **FwVersion** FW version that created this log. -- **LogClass** Log Class. -- **LogInstance** Log instance within class (1..n). -- **LogVersion** Log MGR version. -- **MCUInstance** Instance id used to identify multiple MCU's in a product. -- **ProductId** Product ID. -- **SeqNum** Sequence Number. -- **TimeStamp** UTC seconds when log was created. -- **Ver** Schema version. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG - -This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **cbTimeCell_Values** cb time for different cells. -- **ComponentId** Component ID. -- **cycleCount** Cycle Count. -- **deltaVoltage** Delta voltage. -- **eocChargeVoltage_Values** EOC Charge voltage values. -- **fullChargeCapacity** Full Charge Capacity. -- **FwVersion** FW version that created this log. -- **lastCovEvent** Last Cov event. -- **lastCuvEvent** Last Cuv event. -- **LogClass** LOG_CLASS. -- **LogInstance** Log instance within class (1..n). -- **LogVersion** LOG_MGR_VERSION. -- **manufacturerName** Manufacturer name. -- **maxChargeCurrent** Max charge current. -- **maxDeltaCellVoltage** Max delta cell voltage. -- **maxDischargeCurrent** Max discharge current. -- **maxTempCell** Max temp cell. -- **maxVoltage_Values** Max voltage values. -- **MCUInstance** Instance id used to identify multiple MCU's in a product. -- **minTempCell** Min temp cell. -- **minVoltage_Values** Min voltage values. -- **numberOfCovEvents** Number of Cov events. -- **numberOfCuvEvents** Number of Cuv events. -- **numberOfOCD1Events** Number of OCD1 events. -- **numberOfOCD2Events** Number of OCD2 events. -- **numberOfQmaxUpdates** Number of Qmax updates. -- **numberOfRaUpdates** Number of Ra updates. -- **numberOfShutdowns** Number of shutdowns. -- **pfStatus_Values** pf status values. -- **ProductId** Product ID. -- **qmax_Values** Qmax values for different cells. -- **SeqNum** Sequence Number. -- **TimeStamp** UTC seconds when log was created. -- **Ver** Schema version. - - -### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GGExt - -This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **avgCurrLastRun** Average current last run. -- **avgPowLastRun** Average power last run. -- **batteryMSPN** BatteryMSPN -- **batteryMSSN** BatteryMSSN. -- **cell0Ra3** Cell0Ra3. -- **cell1Ra3** Cell1Ra3. -- **cell2Ra3** Cell2Ra3. -- **cell3Ra3** Cell3Ra3. -- **ComponentId** Component ID. -- **currentAtEoc** Current at Eoc. -- **firstPFstatusA** First PF status-A. -- **firstPFstatusB** First PF status-B. -- **firstPFstatusC** First PF status-C. -- **firstPFstatusD** First PF status-D. -- **FwVersion** FW version that created this log. -- **lastQmaxUpdate** Last Qmax update. -- **lastRaDisable** Last Ra disable. -- **lastRaUpdate** Last Ra update. -- **lastValidChargeTerm** Last valid charge term. -- **LogClass** LOG CLASS. -- **LogInstance** Log instance within class (1..n). -- **LogVersion** LOG MGR VERSION. -- **maxAvgCurrLastRun** Max average current last run. -- **maxAvgPowLastRun** Max average power last run. -- **MCUInstance** Instance id used to identify multiple MCU's in a product. -- **mfgInfoBlockB01** MFG info Block B01. -- **mfgInfoBlockB02** MFG info Block B02. -- **mfgInfoBlockB03** MFG info Block B03. -- **mfgInfoBlockB04** MFG info Block B04. -- **numOfRaDisable** Number of Ra disable. -- **numOfValidChargeTerm** Number of valid charge term. -- **ProductId** Product ID. -- **qmaxCycleCount** Qmax cycle count. -- **SeqNum** Sequence Number. -- **stateOfHealthEnergy** State of health energy. -- **stateOfHealthFcc** State of health Fcc. -- **stateOfHealthPercent** State of health percent. -- **TimeStamp** UTC seconds when log was created. -- **totalFwRuntime** Total FW runtime. -- **updateStatus** Update status. -- **Ver** Schema version. - - -### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 - -This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **HostResetCause** Host reset cause. -- **PchResetCause** PCH reset cause. -- **SamResetCause** SAM reset cause. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation - -This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantAppFilePath** Path to Update Assistant app. -- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device. -- **UpdateAssistantExeName** Exe name running as Update Assistant. -- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device. -- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail. -- **UpdateAssistantIsPushing** True if the update is pushing to the device. -- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device. -- **UpdateAssistantOsVersion** Update Assistant OS Version. -- **UpdateAssistantPartnerId** Partner Id for Assistant application. -- **UpdateAssistantReportPath** Path to report for Update Assistant. -- **UpdateAssistantStartTime** Start time for UpdateAssistant. -- **UpdateAssistantUiType** The type of UI whether default or OOBE. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. -- **UpdateAssistantVersionInfo** Information about Update Assistant application. - - -### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState - -This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **CV** The correlation vector. -- **GlobalEventCounter** The global event counter for all telemetry on the device. -- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA. -- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat -- **UpdateAssistantStateCheckingUpgrade** True at the start of CheckingUpgrade. -- **UpdateAssistantStateDownloading** True at the start Downloading. -- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. -- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. -- **UpdateAssistantStateInstalling** True at the start of Installing. -- **UpdateAssistantVersion** Current package version of UpdateAssistant. +- **activationSource** Where activation is initiated. +- **uriString** URI of the launching protocol. ## Privacy consent logging events @@ -5411,6 +5285,182 @@ The following fields are available: - **healthLogSize** 4KB. - **productId** Identifier for product model. +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Battery Performance data. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Size of the battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device. +- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC? +- **BPMHvtCountA** Current HVT count for BPM counter A. +- **BPMHvtCountB** Current HVT count for BPM counter B. +- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count. +- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMTotalEngagedMinutes** Total time that BPM was engaged. +- **BPMTotalEntryEvents** Total number of times entering BPM. +- **ComponentId** Component ID. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **ProductId** Product ID. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_CTT + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMKioskModeStartDateInSeconds** First time Battery Limit was turned on. +- **BPMKioskModeTotalEngagedMinutes** Total time Battery Limit was on (SOC value at 50%). +- **ComponentId** Component ID. +- **CTTEqvTimeat35C** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 80% SOC. +- **CTTEqvTimeat35CinBPM** Poll time every minute. Add to lifetime counter based on temperature. Only count time above 55% SOC and when device is in BPM. Round up. +- **CTTMinSOC1day** Rolling 1 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC28day** Rolling 28 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC3day** Rolling 3 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC7day** Rolling 7 day minimum SOC. Value set to 0 initially. +- **CTTStartDateInSeconds** Start date from when device was starting to be used. +- **currentAuthenticationState** Current Authentication State. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **newSnFruUpdateCount** New Sn FRU Update Count. +- **newSnUpdateCount** New Sn Update Count. +- **ProductId** Product ID. +- **ProtectionPolicy** Battery limit engaged. True (0 False). +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. +- **VoltageOptimization** Current CTT reduction in mV. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **cbTimeCell_Values** cb time for different cells. +- **ComponentId** Component ID. +- **cycleCount** Cycle Count. +- **deltaVoltage** Delta voltage. +- **eocChargeVoltage_Values** EOC Charge voltage values. +- **fullChargeCapacity** Full Charge Capacity. +- **FwVersion** FW version that created this log. +- **lastCovEvent** Last Cov event. +- **lastCuvEvent** Last Cuv event. +- **LogClass** LOG_CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG_MGR_VERSION. +- **manufacturerName** Manufacturer name. +- **maxChargeCurrent** Max charge current. +- **maxDeltaCellVoltage** Max delta cell voltage. +- **maxDischargeCurrent** Max discharge current. +- **maxTempCell** Max temp cell. +- **maxVoltage_Values** Max voltage values. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **minTempCell** Min temp cell. +- **minVoltage_Values** Min voltage values. +- **numberOfCovEvents** Number of Cov events. +- **numberOfCuvEvents** Number of Cuv events. +- **numberOfOCD1Events** Number of OCD1 events. +- **numberOfOCD2Events** Number of OCD2 events. +- **numberOfQmaxUpdates** Number of Qmax updates. +- **numberOfRaUpdates** Number of Ra updates. +- **numberOfShutdowns** Number of shutdowns. +- **pfStatus_Values** pf status values. +- **ProductId** Product ID. +- **qmax_Values** Qmax values for different cells. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GGExt + +This event includes the hardware level data about battery performance. The data The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **avgCurrLastRun** Average current last run. +- **avgPowLastRun** Average power last run. +- **batteryMSPN** BatteryMSPN +- **batteryMSSN** BatteryMSSN. +- **cell0Ra3** Cell0Ra3. +- **cell1Ra3** Cell1Ra3. +- **cell2Ra3** Cell2Ra3. +- **cell3Ra3** Cell3Ra3. +- **ComponentId** Component ID. +- **currentAtEoc** Current at Eoc. +- **firstPFstatusA** First PF status-A. +- **firstPFstatusB** First PF status-B. +- **firstPFstatusC** First PF status-C. +- **firstPFstatusD** First PF status-D. +- **FwVersion** FW version that created this log. +- **lastQmaxUpdate** Last Qmax update. +- **lastRaDisable** Last Ra disable. +- **lastRaUpdate** Last Ra update. +- **lastValidChargeTerm** Last valid charge term. +- **LogClass** LOG CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG MGR VERSION. +- **maxAvgCurrLastRun** Max average current last run. +- **maxAvgPowLastRun** Max average power last run. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **mfgInfoBlockB01** MFG info Block B01. +- **mfgInfoBlockB02** MFG info Block B02. +- **mfgInfoBlockB03** MFG info Block B03. +- **mfgInfoBlockB04** MFG info Block B04. +- **numOfRaDisable** Number of Ra disable. +- **numOfValidChargeTerm** Number of valid charge term. +- **ProductId** Product ID. +- **qmaxCycleCount** Qmax cycle count. +- **SeqNum** Sequence Number. +- **stateOfHealthEnergy** State of health energy. +- **stateOfHealthFcc** State of health Fcc. +- **stateOfHealthPercent** State of health percent. +- **TimeStamp** UTC seconds when log was created. +- **totalFwRuntime** Total FW runtime. +- **updateStatus** Update status. +- **Ver** Schema version. + + +### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 + +This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **HostResetCause** Host reset cause. +- **PchResetCause** PCH reset cause. +- **SamResetCause** SAM reset cause. ## Update Assistant events @@ -5888,6 +5938,90 @@ The following fields are available: - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. - **PackageVersion** Current package version of remediation. +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantCompatCheckResult + +This event provides the result of running the compatibility check for update assistant. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantCompatCheckResultOutput** Output of compatibility check for update assistant. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantDeviceInformation + +This event provides basic information about the device where update assistant was run. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantAppFilePath** Path to Update Assistant app. +- **UpdateAssistantDeviceId** Device Id of the Update Assistant Candidate Device. +- **UpdateAssistantExeName** Exe name running as Update Assistant. +- **UpdateAssistantExternalId** External Id of the Update Assistant Candidate Device. +- **UpdateAssistantIsDeviceCloverTrail** True/False is the device clovertrail. +- **UpdateAssistantIsPushing** True if the update is pushing to the device. +- **UpdateAssistantMachineId** Machine Id of the Update Assistant Candidate Device. +- **UpdateAssistantOsVersion** Update Assistant OS Version. +- **UpdateAssistantPartnerId** Partner Id for Assistant application. +- **UpdateAssistantReportPath** Path to report for Update Assistant. +- **UpdateAssistantStartTime** Start time for UpdateAssistant. +- **UpdateAssistantTargetOSVersion** Update Assistant Target OS Version. +- **UpdateAssistantUiType** The type of UI whether default or OOBE. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. +- **UpdateAssistantVersionInfo** Information about Update Assistant application. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantEULAProperty + +This event is set to true at the start of AcceptEULA. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantEULAPropertyGeoId** Geo Id used to show EULA. +- **UpdateAssistantEULAPropertyRegion** Region used to show EULA. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState + +This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantStateAcceptEULA** True at the start of AcceptEULA. +- **UpdateAssistantStateCheckingCompat** True at the start of Checking Compat +- **UpdateAssistantStateCheckingUpgrade** True at the start of CheckingUpgrade. +- **UpdateAssistantStateDownloading** True at the start Downloading. +- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. +- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. +- **UpdateAssistantStateInstalling** True at the start of Installing. +- **UpdateAssistantStatePerformRestart** True at the start of PerformRestart. +- **UpdateAssistantStatePostInstall** True at the start of PostInstall. +- **UpdateAssistantStateShowingUpdate** True at the start of Showing Update. +- **UpdateAssistantStateWelcomeToNewOS** True at the start of WelcomeToNewOS. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantUserActionDetails + +This event provides details about user action. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantUserActionExitingState** Exiting state name user performed action on. +- **UpdateAssistantUserActionHResult** HRESULT of user action. +- **UpdateAssistantUserActionState** State name user performed action on. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. ## Update events diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index 25fc676681..56331c2e27 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml @@ -17,7 +17,7 @@ items: - name: Required Windows 11 diagnostic data events and fields href: required-windows-11-diagnostic-events-and-fields.md - - name: Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields + - name: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields href: required-windows-diagnostic-data-events-and-fields-2004.md - name: Windows 10, version 1909 and Windows 10, version 1903 required level Windows diagnostic events and fields href: basic-level-windows-diagnostic-events-and-fields-1903.md @@ -47,6 +47,8 @@ href: essential-services-and-connected-experiences.md - name: Connection endpoints for Windows 11 href: manage-windows-11-endpoints.md + - name: Connection endpoints for Windows 10, version 21H2 + href: manage-windows-21h2-endpoints.md - name: Connection endpoints for Windows 10, version 21H1 href: manage-windows-21H1-endpoints.md - name: Connection endpoints for Windows 10, version 20H2 diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 1576121792..711144eaff 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -19,6 +19,8 @@ ms.reviewer: Applies to: - Windows 11 +- Windows 10, version 21H2 +- Windows 10, version 21H1 - Windows 10, version 20H2 - Windows 10, version 2004 - Windows 10, version 1909 diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index 44c241546e..3688226a4f 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -23,6 +23,7 @@ The Windows operating system improves most existing security features in the ope **See also:** +- [Windows 11 Specifications](https://www.microsoft.com/windows/windows-11-specifications) - [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) @@ -58,9 +59,9 @@ Although CNG sounds like a mundane starting point, it illustrates some of the ad The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively: -• **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. +- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. -• **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. +- **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. @@ -80,12 +81,11 @@ The adoption of new authentication technology requires that identity providers a Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1): -• **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. +- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. -• **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. - - +- **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. +:::image type="content" alt-text="TPM Capabilities." source="images/tpm-capabilities.png" lightbox="images/tpm-capabilities.png"::: *Figure 1: TPM Cryptographic Key Management* For Windows Hello for Business, Microsoft can fill the role of the identity CA. Microsoft services can issue an attestation identity key certificate for each device, user, and identify provider to ensure that privacy is protected and to help identity providers ensure that device TPM requirements are met before Windows Hello for Business credentials are provisioned. @@ -96,9 +96,9 @@ BitLocker provides full-volume encryption to protect data at rest. The most comm In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities: -• **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. +- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. -• **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS). +- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS). Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. @@ -122,12 +122,11 @@ TPM measurements are designed to avoid recording any privacy-sensitive informati The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot: -• **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process. +- **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process. When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. - - +:::image type="content" alt-text="Process to Create Evidence of Boot Software and Configuration Using TPM." source="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png" lightbox="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png"::: *Figure 2: Process used to create evidence of boot software and configuration using a TPM* @@ -147,18 +146,20 @@ The resulting solution provides defense in depth, because even if malware runs i ## Conclusion -The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Windows delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features. +The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features. + +
|Feature | Benefits when used on a system with a TPM| |---|---| -| Platform Crypto Provider | • If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
• The TPM’s dictionary attack mechanism protects PIN values to use a certificate. -| Virtual Smart Card | • Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.| -| Windows Hello for Business | • Credentials provisioned on a device cannot be copied elsewhere.
• Confirm a device’s TPM before credentials are provisioned. | -| BitLocker Drive Encryption | • Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware. -|Device Encryption | • With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection. -| Measured Boot | • A hardware root of trust contains boot measurements that help detect malware during remote attestation. -| Health Attestation | • MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. -| Credential Guard | • Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization. +| Platform Crypto Provider |- If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
- The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
- Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.
- Credentials provisioned on a device cannot be copied elsewhere.
- Confirm a device’s TPM before credentials are provisioned.
- Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
- With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection.
- A hardware root of trust contains boot measurements that help detect malware during remote attestation.
- MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365.
- Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index e401d19506..c5a7d50e68 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -32,7 +32,7 @@ This topic for the IT professional describes the Trusted Platform Module (TPM) a - Generate, store, and limit the use of cryptographic keys. -- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself. +- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into it. - Help ensure platform integrity by taking and storing security measurements. diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index b7b6b4220a..176668f48e 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -14,6 +14,8 @@ - name: Windows 10 expanded: true items: + - name: What's new in Windows 10, version 21H2 + href: whats-new-windows-10-version-21H2.md - name: What's new in Windows 10, version 21H1 href: whats-new-windows-10-version-21H1.md - name: What's new in Windows 10, version 20H2 diff --git a/windows/whats-new/ltsc/TOC.yml b/windows/whats-new/ltsc/TOC.yml index aaabcc56ee..d7d88350ef 100644 --- a/windows/whats-new/ltsc/TOC.yml +++ b/windows/whats-new/ltsc/TOC.yml @@ -1,6 +1,8 @@ - name: Windows 10 Enterprise LTSC href: index.md items: + - name: What's new in Windows 10 Enterprise LTSC 2021 + href: whats-new-windows-10-2021.md - name: What's new in Windows 10 Enterprise LTSC 2019 href: whats-new-windows-10-2019.md - name: What's new in Windows 10 Enterprise LTSC 2016 diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index 7e088e312d..28bc3db429 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -8,7 +8,7 @@ ms.sitesec: library audience: itpro author: greg-lindsay ms.author: greglin -manager: laurawi +manager: dougeby ms.localizationpriority: low ms.topic: article --- @@ -22,6 +22,7 @@ ms.topic: article This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel. +[What's New in Windows 10 Enterprise LTSC 2021](whats-new-windows-10-2021.md)
[What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
[What's New in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
[What's New in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md) @@ -35,14 +36,15 @@ The following table summarizes equivalent feature update versions of Windows 10 | Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 | | Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 | | Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 | +| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 21H2 | 11/16/2021 | ->[!NOTE] ->The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. +> [!NOTE] +> The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period. ->[!IMPORTANT] ->The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). +> [!IMPORTANT] +> The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview). diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 461407d93c..20366cd3bd 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use ## Microsoft Intune -Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. +Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. ## Security @@ -48,7 +48,7 @@ This version of Windows 10 includes security improvements for threat protection, The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. - +[  ](../images/wdatp.png#lightbox) ##### Attack surface reduction @@ -188,26 +188,6 @@ This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocke This feature will soon be enabled on Olympia Corp as an optional feature. -#### Delivering BitLocker policy to AutoPilot devices during OOBE - -You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. - -For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. - -To achieve this: - -1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. - -2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group. - - > [!IMPORTANT] - > The encryption policy must be assigned to **devices** in the group, not users. - -3. Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - > [!IMPORTANT] - > If the ESP is not enabled, the policy will not apply before encryption starts. - ### Identity protection Improvements have been added are to Windows Hello for Business and Credential Guard. @@ -288,24 +268,11 @@ A new security policy setting We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: - +> [!div class="mx-imgBorder"] +>  ## Deployment -### Windows Autopilot - -[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. - -Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) or this article for updated information. - -Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. - -You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices). - -#### Autopilot Reset - -IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset). - ### MBR2GPT.EXE MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md new file mode 100644 index 0000000000..6364bc3fd1 --- /dev/null +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -0,0 +1,248 @@ +--- +title: What's new in Windows 10 Enterprise LTSC 2021 +ms.reviewer: +manager: dougeby +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021. +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2021"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise LTSC 2021 + +**Applies to** +- Windows 10 Enterprise LTSC 2021 + +This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). + +> [!NOTE] +> Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
+> The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. + +Windows 10 Enterprise LTSC 2021 builds on Windows 10 Enterprise LTSC 2019, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. + +The Windows 10 Enterprise LTSC 2021 release includes the cumulative enhancements provided in Windows 10 versions 1903, 1909, 2004, 21H1, and 21H2. Details about these enhancements are provided below. + +## Lifecycle + +> [!IMPORTANT] +> Windows 10 Enterprise LTSC 2021 has a 5 year lifecycle ([IoT](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2) continues to have a [10 year lifecycle](/windows/iot/product-family/product-lifecycle?tabs=2021)). Thus, the LTSC 2021 release is not a direct replacement for LTSC 2019, which has a 10 year lifecycle. + +For more information about the lifecycle for this release, see [The next Windows 10 Long Term Servicing Channel (LTSC) release](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-next-windows-10-long-term-servicing-channel-ltsc-release/ba-p/2147232). + +## Hardware security + +### System Guard + +[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets. + +In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO. + +With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. Based on the platform, the underlying hardware and firmware, there are three versions of SMM Firmware Protection (one, two and three), with each subsequent versions offering stronger protections than the preceding ones. + +There are already devices in the market today that offer SMM Firmware Protection versions one and two. SMM Firmware Protection version three This feature is currently forward-looking and requires new hardware that will be made available soon. + +## Operating system security + +### System security + +[Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations. + +### Encryption and data protection + +BitLocker and Mobile Device Management (MDM) with Azure Active Directory work together to protect your devices from accidental password disclosure. Now, a new key-rolling feature securely rotates recovery passwords on MDM-managed devices. The feature is activated whenever Microsoft Intune/MDM tools or a recovery password is used to unlock a BitLocker protected drive. As a result, the recovery password will be better protected when users manually unlock a BitLocker drive. + +### Network security + +#### Windows Defender Firewall + +Windows Defender Firewall now offers the following benefits: + +**Reduce risk**: Windows Defender Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack. + +**Safeguard data**: With integrated Internet Protocol Security (IPsec), Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. + +**Extend value**: Windows Defender Firewall is a host-based firewall that is included with the operating system, so there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). + +The Windows Defender Firewall is also now easier to analyze and debug. IPsec behavior has been integrated with Packet Monitor (pktmon), an in-box cross-component network diagnostic tool for Windows. + +Additionally, the Windows Defender Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on other tools. + +Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](/windows/wsl/); You can add rules for WSL process, just like for Windows processes. For more information, see [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97). + +### Virus and threat protection + +[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses. +[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. + - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. + - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. +[Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. + +**Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. + +**Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected. + +**Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place. + +**Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies. + +**Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR). + +> [!NOTE] +> The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release. + +## Application security + +### App isolation + +[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. + +#### Microsoft Defender Application Guard + +[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include: + - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. + - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + + To try this extension: + 1. Configure Application Guard policies on your device. + 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. + 3. Follow any additional configuration steps on the extension setup page. + 4. Reboot the device. + 5. Navigate to an untrusted site in Chrome and Firefox. + + **Dynamic navigation**: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. + +Application Guard performance is improved with optimized document opening times: +- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link. +- A memory issue is fixed that could cause an Application Guard container to use almost 1 GB of working set memory when the container is idle. +- The performance of Robocopy is improved when copying files over 400 MB in size. + +[Edge support for Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. + +**Application Guard now supports Office**: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. + +### Application Control + +[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker. + - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. + - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
+ This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker. + - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. + +## Identity and privacy + +### Secured identity + +Windows Hello enhancements include: +- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. +- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. +- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). +- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). +- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data. +- Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present. +- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. +- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. +- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +### Credential protection + +#### Windows Defender Credential Guard + +[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X. + +### Privacy controls + +[Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. + +## Cloud Services + +### Microsoft Endpoint Manager + +Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). + +### Configuration Manager + +An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364). + +#### Microsoft Intune + +Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles. + +A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). + +Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group). + +For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new). + +### Mobile Device Management + +Mobile Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy. + +For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) + +Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a performance improvement to support remote work scenarios: +- An issue is fixed that caused changes by an Active Directory (AD) administrator to user or computer group memberships to propagate slowly. Although the access token eventually updates, these changes might not appear when the administrator uses gpresult /r or gpresult /h to create a report. + +#### Key-rolling and Key-rotation + +This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. + +## Deployment + +### SetupDiag + +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. + +### Reserved storage + +[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. + +### Windows Assessment and Deployment Toolkit (ADK) + +A new [Windows ADK](/windows-hardware/get-started/adk-install) is available for Windows 11 that also supports Windows 10, version 21H2. + +### Microsoft Deployment Toolkit (MDT) + +For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes). + +### Windows Setup + +Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have improved language handling. + +Improvements in Windows Setup with this release also include: +- Reduced offline time during feature updates +- Improved controls for reserved storage +- Improved controls and diagnostics +- New recovery options + +For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464). + +## Microsoft Edge + +Microsoft Edge Browser support is now included in-box. + +### Microsoft Edge kiosk mode + +Microsoft Edge kiosk mode is available for LTSC releases starting in Windows 10 Enterprise 2021 LTSC and [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/product-family/what's-new-in-windows-10-iot-enterprise-21h2). + +Microsoft Edge kiosk mode offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available: +- Digital/Interactive Signage experience - Displays a specific site in full-screen mode. +- Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge. +- Both experiences are running a Microsoft Edge InPrivate session, which protects user data. + +## Windows Subsystem for Linux + +Windows Subsystem for Linux (WSL) is be available in-box. + +## Networking + +WPA3 H2E standards are supported for enhanced Wi-Fi security. + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 74eb1725e2..e3e4fd0740 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -35,21 +35,13 @@ This article lists new and updated features and content that are of interest to - Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. - Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. -### Windows 10 Subscription Activation - -Windows 10 Education support has been added to Windows 10 Subscription Activation. - -With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-subscription-activation). - ### SetupDiag -[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.4.1 is available. - -SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. +[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. ### Reserved storage -[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. +[**Reserved storage**](https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Windows-10-and-reserved-storage/ba-p/428327): Reserved storage sets aside disk space to be used by updates, apps, temporary files, and system caches. It improves the day-to-day function of your PC by ensuring critical OS functions always have access to disk space. Reserved storage will be enabled automatically on new PCs with Windows 10, version 1903 or later pre-installed, and for clean installs. It will not be enabled when updating from a previous version of Windows 10. ## Servicing @@ -102,7 +94,7 @@ The draft release of the [security configuration baseline settings](/archive/blo - [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. To try this extension: 1. Configure WDAG policies on your device. diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md new file mode 100644 index 0000000000..af8d6c1c45 --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md @@ -0,0 +1,78 @@ +--- +title: What's new in Windows 10, version 21H2 for IT pros +description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more. +ms.reviewer: +manager: dougeby +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: mandia +author: MandiOhlinger +ms.localizationpriority: medium +ms.topic: article +--- + +# What's new in Windows 10, version 21H2 + +**Applies to**: + +- Windows 10, version 21H2 + +Windows 10, version 21H2 is the next feature update. This article lists the new and updated features IT Pros should know. Windows 10, version 21H2 is also known as the Windows 10 November 2021 Update. It includes all features and fixes in previous cumulative updates to Windows 10, version 21H1. + +Windows 10, version 21H2 is an [H2-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), and has the following servicing schedule: + +- **Windows 10 Professional**: Serviced for 24 months from the release date. +- **Windows 10 Enterprise**: Serviced for 30 months from the release date. + +Windows 10, version 21H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/2021/11/16/how-to-get-the-windows-10-november-2021-update/) and [IT tools to support Windows 10, version 21H2 blog](https://aka.ms/tools-for-21h2). + +Devices running Windows 10, versions 2004, 20H2, and 21H1 can update quickly to version 21H2 using an enablement package. For more information, see [Feature Update through Windows 10, version 21H2 Enablement Package](https://support.microsoft.com/help/5003791). + +To learn more about the status of the November 2021 Update rollout, known issues, and new information, see [Windows release health](/windows/release-health/). + +## Updates and servicing + +Windows 10, version 21H2 feature updates are installed annually using the General Availability Channel. Previous feature updates were installed using the Semi-Annual Channel. For more information on this change, see the [How to get the Windows 10 November 2021 Update](https://blogs.windows.com/windowsexperience/?p=176473). + +Quality updates are still installed monthly on patch Tuesday. + +For more information, see: + +- [Feature and quality update definitions](/windows/deployment/update/waas-quick-start#definitions) +- [Windows servicing channels](/windows/deployment/update/waas-overview#servicing-channels) + +## GPU compute support for the Windows Subsystem for Linux + +Starting with Windows 10 version 21H2, the Windows Subsystem for Linux has full graphics processing unit (GPU) compute support. It was available to Windows Insiders, and is now available to everyone. The Linux binaries can use your Windows GPU, and run different workloads, including artificial intelligence (AI) and machine learning (ML) development workflows. + +For more information, and what GPU compute support means for you, see the [GPU accelerated ML training inside the Windows Subsystem for Linux blog post](https://blogs.windows.com/windowsdeveloper/2020/06/17/gpu-accelerated-ml-training-inside-the-windows-subsystem-for-linux/). + +## Get the latest CSPs + +The [KB5005101 September 1, 2021 update](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1) includes about 1400 CSPs that were made available to MDM providers. + +These CSPs are built in to Windows 10, version 21H2. These settings are available in Endpoint Manager in the [Settings Catalog](/mem/intune/configuration/settings-catalog). [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) also includes these GPOs in its analysis. + +For more information on the CSPs, see the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). + +## Apps appear local with Azure Virtual Desktop + +Azure virtual desktop is a Windows client OS hosted in the cloud, and runs virtual apps. You use the cloud to deliver virtual apps in real time, and as-needed. Users use the apps as if they're installed locally. + +You can create Azure virtual desktops that run Windows 10 version 21H2. + +For more information, see: + +- [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview) +- [What's new in Azure Virtual Desktop?](/azure/virtual-desktop/whats-new) +- [Set up MSIX app attach with the Azure portal](/azure/virtual-desktop/app-attach-azure-portal) + +## Wi-Fi 6E support + +Also known as 802.11ax, Wi-Fi 6E support is built in to Windows 10, version 21H2. Wi-Fi 6E has new channel frequencies that are dedicated to 6E devices, and is more performant for apps that use more bandwidth. + +## Related articles + +- [Release notes for Microsoft Edge Stable Channel](/deployedge/microsoft-edge-relnote-stable-channel) diff --git a/windows/whats-new/windows-11-whats-new.md b/windows/whats-new/windows-11-whats-new.md index 4eafe42218..af406cd7e7 100644 --- a/windows/whats-new/windows-11-whats-new.md +++ b/windows/whats-new/windows-11-whats-new.md @@ -149,7 +149,7 @@ For more information on the security features you can configure, manage, and enf - Your Windows 10 apps will also work on Windows 11. **[App Assure](https://www.microsoft.com/fasttrack/microsoft-365/app-assure)** is also available if there are some issues. - You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10). + You can continue to use **MSIX packages** for your UWP, Win32, WPF, and WinForm desktop application files. Continue to use **Windows Package Manager** to install Windows apps. You can create **Azure virtual desktops** that run Windows 11. Use **Azure Virtual desktop with MSIX app attach** to virtualize desktops and apps. For more information on these features, see [Overview of apps on Windows client devices](/windows/application-management/apps-in-windows-10). In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in. - - -
| Attribute | -Description | -Supported browser | -
|---|---|---|
| allow-redirect | -A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
- Example - -<site url="contoso.com/travel"> - <open-in allow-redirect="true">IE11</open-in> -</site>-In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. |
-Internet Explorer 11 and Microsoft Edge | -
| version | -Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | -Internet Explorer 11 and Microsoft Edge | -
| url | -Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
- Note -Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com. - Example - -<site url="contoso.com:8080"> - <compat-mode>IE8Enterprise</compat-mode> - <open-in>IE11</open-in> -</site>-In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. |
-Internet Explorer 11 and Microsoft Edge | -
**Example**
<site url="contoso.com/travel">In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.| Internet Explorer 11 and Microsoft Edge| +|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | Internet Explorer 11 and Microsoft Edge| +|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
<open-in allow-redirect="true">IE11 </open-in>
</site>
**Note**
Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com).
**Example**
<site url="contoso.com:8080">In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge| ### Deprecated attributes These v.1 version schema attributes have been deprecated in the v.2 version of the schema: -
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
| Deprecated attribute | -New attribute | -Replacement example | -
|---|---|---|
| <forceCompatView> | -<compat-mode> | -Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode> | -
| <docMode> | -<compat-mode> | -Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode> | -
| <doNotTransition> | -<open-in> | -Replace <doNotTransition="true"> with <open-in>none</open-in> | -
| <domain> and <path> | -<site> | -Replace:
--<emie> - <domain exclude="false">contoso.com</domain> -</emie>-With: - -<site url="contoso.com"/> - <compat-mode>IE8Enterprise</compat-mode> -</site>--AND- -Replace: - -<emie> - <domain exclude="true">contoso.com - <path exclude="false" forceCompatView="true">/about</path> - </domain> -</emie>-With: - -<site url="contoso.com/about"> - <compat-mode>IE7Enterprise</compat-mode> -</site> |
-
<doNotTransition="true"> with <open-in>none</open-in>| +|<domain> and <path>|<site>|Replace:
<emie>With:
<domain exclude="false">contoso.com</domain>
</emie>
<site url="contoso.com"/>**-AND-**
<compat-mode>IE8Enterprise</compat-mode>
</site>
Replace:
<emie>
<domain exclude="true">contoso.com
<path exclude="false" forceCompatView="true">/about</path>
</domain>
</emie>
With:
<site url="contoso.com/about">
<compat-mode>IE7Enterprise</compat-mode>
</site>| While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We don’t recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features. diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 65fbb8eaaf..8cef068687 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -63,17 +63,17 @@ Data is collected on the configuration characteristics of IE and the sites it br |Data point |IE11 |IE10 |IE9 |IE8 |Description | |------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| -|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. | -|Domain | X | X | X | X |Top-level domain of the browsed site. | -|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | -|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | -|Document mode reason | X | X | | |The reason why a document mode was set by IE. | -|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | -|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | -|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | -|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | -|Number of visits | X | X | X | X |Number of times a site has been visited. | -|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | +|URL | ✔️ | ✔️ | ✔️ | ✔️ |URL of the browsed site, including any parameters included in the URL. | +|Domain | ✔️ | ✔️ | ✔️ | ✔️ |Top-level domain of the browsed site. | +|ActiveX GUID | ✔️ | ✔️ | ✔️ | ✔️ |GUID of the ActiveX controls loaded by the site. | +|Document mode | ✔️ | ✔️ | ✔️ | ✔️ |Document mode used by IE for a site, based on page characteristics. | +|Document mode reason | ✔️ | ✔️ | | |The reason why a document mode was set by IE. | +|Browser state reason | ✔️ | ✔️ | | |Additional information about why the browser is in its current state. Also called, browser mode. | +|Hang count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser hung. | +|Crash count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser crashed. | +|Most recent navigation failure (and count) | ✔️ | ✔️ | ✔️ | ✔️ |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | +|Number of visits | ✔️ | ✔️ | ✔️ | ✔️ |Number of times a site has been visited. | +|Zone | ✔️ | ✔️ | ✔️ | ✔️ |Zone used by IE to browse sites, based on browser settings. | >**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. @@ -205,68 +205,32 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you You can use both the WMI and XML settings individually or together: **To turn off Enterprise Site Discovery** -
| Setting name | -Option | -
|---|---|
| Turn on Site Discovery WMI output | -Off | -
| Turn on Site Discovery XML output | -Blank | -
| Setting name | -Option | -
|---|---|
| Turn on Site Discovery WMI output | -On | -
| Turn on Site Discovery XML output | -Blank | -
| Setting name | -Option | -
|---|---|
| Turn on Site Discovery WMI output | -Off | -
| Turn on Site Discovery XML output | -XML file path | -
| Setting name | -Option | -
|---|---|
| Turn on Site Discovery WMI output | -On | -
| Turn on Site Discovery XML output | -XML file path | -
| Element | -Description | -Supported browser | -
|---|---|---|
| <rules> | -Root node for the schema.
- Example - -<rules version="205"> - <emie> - <domain>contoso.com</domain> - </emie> -</rules> |
-Internet Explorer 11 and Microsoft Edge | -
| <emie> | -The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
- Example - -<rules version="205"> - <emie> - <domain>contoso.com</domain> - </emie> -</rules>--or- - For IPv6 ranges: <rules version="205"> - <emie> - <domain>[10.122.34.99]:8080</domain> - </emie> - </rules>--or- - For IPv4 ranges: <rules version="205"> - <emie> - <domain>10.122.34.99:8080</domain> - </emie> - </rules> |
-Internet Explorer 11 and Microsoft Edge | -
| <docMode> | -The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied.
- Example - -<rules version="205"> - <docMode> - <domain docMode="7">contoso.com</domain> - </docMode> -</rules> |
-Internet Explorer 11 | -
| <domain> | -A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
- Example - -<emie> - <domain>contoso.com:8080</domain> -</emie> |
-Internet Explorer 11 and Microsoft Edge | -
| <path> | -A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
- Example - -<emie> - <domain exclude="true">fabrikam.com - <path exclude="false">/products</path> - </domain> -</emie> -Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does. |
-Internet Explorer 11 and Microsoft Edge | -
**Example**
<rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules> |Internet Explorer 11 and Microsoft Edge | +|<emie> |The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
**Example**<rules version="205">
<emie>
<domain>contoso.com</domain>
</emie>
</rules>
**or**
For IPv6 ranges:
<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules>
**or**
For IPv4 ranges:<rules version="205">
<emie>
<domain>[10.122.34.99]:8080</domain>
</emie>
</rules> | Internet Explorer 11 and Microsoft Edge | +|<docMode> |The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the docMode section that uses the same value as a <domain> element in the emie section, the emie element is applied.
**Example**
<rules version="205">
<docmode>
<domain docMode="7">contoso.com</domain>
</docmode>
</rules> |Internet Explorer 11 | +|<domain> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <domain> element will overrule any additional <domain> elements that use the same value for the section. You can use port numbers for this element.
**Example**
<emie>
<domain>contoso.com:8080</domain>
</emie> |Internet Explorer 11 and Microsoft Edge | +|<path> |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The <path> element is a child of the <domain> element. Additionally, the first <path> element will overrule any additional <path> elements in the schema section.
**Example**
<emie>
<domain exclude="true">fabrikam.com
<path exclude="false">/products</path>
</domain>
</emie>
Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge | ### Schema attributes This table includes the attributes used by the Enterprise Mode schema. -
| Attribute | -Description | -Supported browser | -
|---|---|---|
| version | -Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <rules> element. | -Internet Explorer 11 and Microsoft Edge | -
| exclude | -Specifies the domain or path excluded from applying Enterprise Mode. This attribute is only supported on the <domain> and <path> elements in the <emie> section. If this attribute is absent, it defaults to false.
- - Example: --<emie> - <domain exclude="false">fabrikam.com - <path exclude="true">/products</path> - </domain> -</emie> -Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/products does not. |
-Internet Explorer 11 | -
| docMode | -Specifies the document mode to apply. This attribute is only supported on <domain> or <path> elements in the <docMode> section.
- - Example: --<docMode> - <domain>fabrikam.com - <path docMode="9">/products</path> - </domain> -</docMode> -Where https://fabrikam.com loads in IE11 document mode, but https://fabrikam.com/products uses IE9 document mode. |
-Internet Explorer 11 | -
| doNotTransition | -Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
- - Example: --<emie> - <domain doNotTransition="false">fabrikam.com - <path doNotTransition="true">/products</path> - </domain> -</emie> -Where https://fabrikam.com opens in the IE11 browser, but https://fabrikam.com/products loads in the current browser (eg. Microsoft Edge). |
-Internet Explorer 11 and Microsoft Edge | -
| forceCompatView | -Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
- - Example: --<emie> - <domain exclude="true">fabrikam.com - <path forceCompatView="true">/products</path> - </domain> -</emie> -Where https://fabrikam.com does not use Enterprise Mode, but https://fabrikam.com/products uses IE7 Enterprise Mode. |
-Internet Explorer 11 | -
**Example**
<emie>
<domain exclude="false">fabrikam.com
<path exclude="true">/products</path>
</domain>
</emie>
Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
+|docMode|Specifies the document mode to apply. This attribute is only supported on <domain> or <path>elements in the <docMode> section.
**Example**
<docMode>
<domain exclude="false">fabrikam.com
<path docMode="9">/products</path>
</domain>
</docMode>|Internet Explorer 11| +|doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all <domain> or <path> elements. If this attribute is absent, it defaults to false.
**Example**<emie>
<domain doNotTransition="false">fabrikam.com
<path doNotTransition="true">/products</path>
</domain>
</emie>Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge| +|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on <domain> or <path> elements in the <emie> section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude="true"), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
**Example**<emie>
<domain exclude="true">fabrikam.com
<path forcecompatview="true">/products</path>
</domain>
</emie>Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11| ### Using Enterprise Mode and document mode together If you want to use both Enterprise Mode and document mode together, you need to be aware that <emie> entries override <docMode> entries for the same domain. diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 299c6c093f..825646b237 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -97,197 +97,31 @@ The following is an example of the v.2 version of the Enterprise Mode schema. ### Updated schema elements This table includes the elements used by the v.2 version of the Enterprise Mode schema. -
| Element | -Description | -Supported browser | -
|---|---|---|
| <site-list> | -A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.
- Example - -<site-list version="205"> - <site url="contoso.com"> - <compat-mode>IE8Enterprise</compat-mode> - <open-in>IE11</open-in> - </site> -</site-list> |
-Internet Explorer 11 and Microsoft Edge | -
| <site> | -A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
- Example - -<site url="contoso.com"> - <compat-mode>default</compat-mode> - <open-in>none</open-in> -</site>--or- - For IPv4 ranges: <site url="10.122.34.99:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> --or- - For IPv6 ranges: <site url="[10.122.34.99]:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> -You can also use the self-closing version, <url="contoso.com" />, which also sets: -
|
-Internet Explorer 11 and Microsoft Edge | -
| <compat-mode> | -A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
- Example - -<site url="contoso.com"> - <compat-mode>IE8Enterprise</compat-mode> -</site>--or- - For IPv4 ranges: <site url="10.122.34.99:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> --or- - For IPv6 ranges: <site url="[10.122.34.99]:8080"> - <compat-mode>IE8Enterprise</compat-mode> -<site> -Where: -
- - - |
-Internet Explorer 11 | -
| <open-in> | -A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.
- Example - -<site url="contoso.com"> - <open-in>none</open-in> -</site> -Where: -
- - |
-Internet Explorer 11 and Microsoft Edge | -
**Example**
<site-list version="205">| Internet Explorer 11 and Microsoft Edge | +|<site> |A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
</site-list>
**Example**
<site url="contoso.com">
<compat-mode>default</compat-mode>
<open-in>none</open-in>
</site>
**or** For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
**or** For IPv6 ranges:
<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
You can also use the self-closing version, <url="contoso.com" />, which also sets:
**Example**
**or**
<site url="contoso.com">
<compat-mode>IE8Enterprise</compat-mode>
</site>
For IPv4 ranges:
<site url="10.122.34.99:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
**or** For IPv6 ranges:
<site url="[10.122.34.99]:8080">
<compat-mode>IE8Enterprise</compat-mode>
<site>
Where
**Examples**
<site url="contoso.com">
<open-in>none</open-in>
</site>
Where
| Attribute | -Description | -Supported browser | -
|---|---|---|
| allow-redirect | -A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
- Example - -<site url="contoso.com/travel"> - <open-in allow-redirect="true">IE11</open-in> -</site>-In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. |
-Internet Explorer 11 and Microsoft Edge | -
| version | -Specifies the version of the Enterprise Mode Site List. This attribute is supported for the <site-list> element. | -Internet Explorer 11 and Microsoft Edge | -
| url | -Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
- Note -Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both http://contoso.com and https://contoso.com. - Example - -<site url="contoso.com:8080"> - <compat-mode>IE8Enterprise</compat-mode> - <open-in>IE11</open-in> -</site>-In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. |
-Internet Explorer 11 and Microsoft Edge | -
**Example**
<site url="contoso.com/travel">In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.
<open-in allow-redirect="true">IE11 </open-in>
</site>
| DHA-Service type | -Description | -Operation cost | -
|---|---|---|
| Device Health Attestation – Cloud (DHA-Cloud) |
-DHA-Cloud is a Microsoft owned and operated DHA-Service that is: -
| No cost | - -
| Device Health Attestation – On Premise (DHA-OnPrem) |
-DHA-OnPrem refers to DHA-Service that is running on premises: -
|
-The operation cost of running one or more instances of Server 2016 on-premises. | -
| Device Health Attestation - Enterprise-Managed Cloud (DHA-EMC) |
-DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure. -
|
-The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure. | -
The root node for the device HealthAttestation configuration service provider.
+ +The root node for the device HealthAttestation configuration service provider. **VerifyHealth** (Required) -Notifies the device to prepare a device health verification request.
-The supported operation is Execute.
+Notifies the device to prepare a device health verification request. + +The supported operation is Execute. **Status** (Required) -Provides the current status of the device health request.
-The supported operation is Get.
+Provides the current status of the device health request. -The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes.
+The supported operation is Get. + +The following list shows some examples of supported values. For the complete list of status, see Device HealthAttestation CSP status and error codes. - 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device @@ -658,42 +582,47 @@ HealthAttestation - 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup **ForceRetrieve** (Optional) -Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
-Boolean value. The supported operation is Replace.
+Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service. + +Boolean value. The supported operation is Replace. **Certificate** (Required) -Instructs the DHA-CSP to forward DHA-Data to the MDM server.
-Value type is b64. The supported operation is Get.
+Instructs the DHA-CSP to forward DHA-Data to the MDM server. + +Value type is b64. The supported operation is Get. **Nonce** (Required) -Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
-The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.
+Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server. -The supported operations are Get and Replace.
+The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes. + +The supported operations are Get and Replace. **CorrelationId** (Required) -Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
-Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
+Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting. + +Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get. **HASEndpoint** (Optional) -Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
-Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.
+Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service. + +Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com. **TpmReadyStatus** (Required) -Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.
-Value type is integer. The supported operation is Get.
-### **DHA-CSP integration steps** +Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state. +Value type is integer. The supported operation is Get. + +### DHA-CSP integration steps The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM): - 1. [Verify HTTPS access](#verify-access) 2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service) 3. [Instruct client to prepare DHA-data for verification](#prepare-health-data) @@ -705,14 +634,13 @@ The following list of validation and development tasks are required for integrat Each step is described in detail in the following sections of this topic. -### **Step 1: Verify HTTPS access** - +### Step 1: Verify HTTPS access Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS). You can use OpenSSL to validate access to DHA-Service. Here is a sample OpenSSL command and the response that was generated by DHA-Service: -``` syntax +```console PS C:\openssl> ./openssl.exe s_client -connect has.spserv.microsoft.com:443 CONNECTED(000001A8) --- @@ -757,8 +685,7 @@ SSL-Session: Verify return code: 20 (unable to get local issuer certificate) ``` - -### **Step 2: Assign an enterprise trusted DHA-Service** +### Step 2: Assign an enterprise trusted DHA-Service There are three types of DHA-Service: - Device Health Attestation – Cloud (owned and operated by Microsoft) @@ -783,9 +710,7 @@ The following example shows a sample call that instructs a managed device to com ``` - -### **Step 3: Instruct client to prepare health data for verification** - +### Step 3: Instruct client to prepare health data for verification Send a SyncML call to start collection of the DHA-Data. @@ -811,7 +736,7 @@ The following example shows a sample call that triggers collection and verificat ``` -### **Step 4: Take action based on the clients response** +### Step 4: Take action based on the clients response After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take. @@ -839,7 +764,7 @@ Here is a sample alert that is issued by DHA_CSP: ``` - If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes, see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). -### **Step 5: Instruct the client to forward health attestation data for verification** +### Step 5: Instruct the client to forward health attestation data for verification Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device. @@ -876,39 +801,40 @@ Here is an example: ``` -### **Step 6: Forward device health attestation data to DHA-service** - +### Step 6: Forward device health attestation data to DHA-service In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response to ./Vendor/MSFT/HealthAttestation/CorrelationId node). -When the MDM-Server receives the above data, it must: +When the MDM-Server receives the above data, it must: + - Log the CorrelationId it receives from the device (for future troubleshooting/reference), correlated to the call. - Decode the XML formatted data blob it receives from the device - Append the nonce that was generated by MDM service (add the nonce that was forwarded to the device in Step 5) to the XML structure that was forwarded by the device in following format: -```xml - -The date and time DHA-report was evaluated or issued to MDM.
+ +The date and time DHA-report was evaluated or issued to MDM. **AIKPresent** -When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn't have an EK certificate.
-If AIKPresent = True (1), then allow access.
+When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate. -If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
+If AIKPresent = True (1), then allow access. -- Disallow all access -- Disallow access to HBI assets -- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. -- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. +If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies: + +- Disallow all access +- Disallow access to HBI assets +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **ResetCount** (Reported only for devices that support TPM 2.0) -This attribute reports the number of times a PC device has hibernated or resumed.
+ +This attribute reports the number of times a PC device has hibernated or resumed. **RestartCount** (Reported only for devices that support TPM 2.0) -This attribute reports the number of times a PC device has rebooted
+ +This attribute reports the number of times a PC device has rebooted. **DEPPolicy** -A device can be trusted more if the DEP Policy is enabled on the device.
-Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
+A device can be trusted more if the DEP Policy is enabled on the device. -DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on. + +DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script: - To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** - To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** -If DEPPolicy = 1 (On), then allow access.
+If DEPPolicy = 1 (On), then allow access. -If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
+If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -993,15 +924,16 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitLockerStatus** (at boot time) -When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
-Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
+When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation. -If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
+Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen. -If BitLockerStatus = 1 (On), then allow access.
+If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. -If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
+If BitLockerStatus = 1 (On), then allow access. + +If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -1009,11 +941,12 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootManagerRevListVersion** -This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
-If BootManagerRevListVersion = [CurrentVersion], then allow access.
+This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment. -If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If BootManagerRevListVersion = [CurrentVersion], then allow access. + +If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI and MBI assets @@ -1021,11 +954,12 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityRevListVersion** -This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
-If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
+This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action. -If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If CodeIntegrityRevListVersion = [CurrentVersion], then allow access. + +If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI and MBI assets @@ -1033,11 +967,12 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **SecureBootEnabled** -When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
-If SecureBootEnabled = 1 (True), then allow access.
+When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot. -If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If SecureBootEnabled = 1 (True), then allow access. + +If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -1045,16 +980,17 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootDebuggingEnabled** -Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
-Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+Boot debug-enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development. + +Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script: - To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off** - To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on** -If BootdebuggingEnabled = 0 (False), then allow access.
+If BootdebuggingEnabled = 0 (False), then allow access. -If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -1062,11 +998,12 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled** -OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
-If OSKernelDebuggingEnabled = 0 (False), then allow access.
+OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development. -If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If OSKernelDebuggingEnabled = 0 (False), then allow access. + +If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -1074,15 +1011,16 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityEnabled** -When code integrity is enabled, code execution is restricted to integrity verified code.
-Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
+When code integrity is enabled, code execution is restricted to integrity verified code. -On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
+Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges. -If CodeIntegrityEnabled = 1 (True), then allow access.
+On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. -If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If CodeIntegrityEnabled = 1 (True), then allow access. + +If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets @@ -1090,16 +1028,17 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **TestSigningEnabled** -When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
-Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot. + +Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script: - To disable boot debugging, type **bcdedit.exe /set {current} testsigning off** - To enable boot debugging, type **bcdedit.exe /set {current} testsigning on** -If TestSigningEnabled = 0 (False), then allow access.
+If TestSigningEnabled = 0 (False), then allow access. -If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI and MBI assets @@ -1107,33 +1046,36 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode** -Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
-If SafeMode = 0 (False), then allow access.
+Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started. -If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
+If SafeMode = 0 (False), then allow access. + +If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **WinPE** -Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
-If WinPE = 0 (False), then allow access.
+Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup. -If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
+If WinPE = 0 (False), then allow access. + +If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation. **ELAMDriverLoaded** (Windows Defender) -To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
-In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot.
+To use this reporting feature, you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize. -If a device is expected to use a third-party antivirus program, ignore the reported state.
+In the current release, this attribute only monitors/reports if a Microsoft first-party ELAM (Windows Defender) was loaded during initial boot. -If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
+If a device is expected to use a third-party antivirus program, ignore the reported state. -If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
+If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access. + +If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device: - Disallow all access - Disallow access to HBI assets @@ -1141,61 +1083,63 @@ Each of these are described in further detail in the following sections, along w **Bcdedit.exe /set {current} vsmlaunchtype auto** -If ELAMDriverLoaded = 1 (True), then allow access.
+If ELAMDriverLoaded = 1 (True), then allow access. -If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
+If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **VSMEnabled** -Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering.
-VSM can be enabled by using the following command in WMI or a PowerShell script:
+Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering. -bcdedit.exe /set {current} vsmlaunchtype auto
+VSM can be enabled by using the following command in WMI or a PowerShell script: -If VSMEnabled = 1 (True), then allow access.
-If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+`bcdedit.exe /set {current} vsmlaunchtype auto` + +If VSMEnabled = 1 (True), then allow access. +If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies: - Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue **PCRHashAlgorithmID** -This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
+ +This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required. **BootAppSVN** -This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
-If reported BootAppSVN equals an accepted value, then allow access.
+This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device -If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootAppSVN equals an accepted value, then allow access. + +If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **BootManagerSVN** -This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
-If reported BootManagerSVN equals an accepted value, then allow access.
+This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device. -If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootManagerSVN equals an accepted value, then allow access. + +If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **TPMVersion** -This attribute identifies the version of the TPM that is running on the attested device.
-TPMVersion node provides to replies "1" and "2":
--
-
Based on the reply you receive from TPMVersion node:
+- 1 means TPM specification version 1.2 +- 2 means TPM specification version 2.0 + +Based on the reply you receive from TPMVersion node: - If reported TPMVersion equals an accepted value, then allow access. - If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies: @@ -1203,278 +1147,194 @@ Each of these are described in further detail in the following sections, along w - Direct the device to an enterprise honeypot, to further monitor the device's activities. **PCR0** -The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
-Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.
+The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer. -If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.
+Enterprise managers can create an allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison. -If PCR[0] equals an accepted allow list value, then allow access.
+If your enterprise does not have a allow list of accepted PCR[0] values, then take no action. -If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
+If PCR[0] equals an accepted allow list value, then allow access. + +If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **SBCPHash** -SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
-If SBCPHash is not present, or is an accepted allow-listed value, then allow access. +SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs. -
If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
+If SBCPHash is not present, or is an accepted allow-listed value, then allow access. + +If SBCPHash is present in DHA-Report, and is not an allow-listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **CIPolicy** -This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
-If CIPolicy is not present, or is an accepted allow-listed value, then allow access.
+This attribute indicates the Code Integrity policy that is controlling the security of the boot environment. -If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies:
+If CIPolicy is not present, or is an accepted allow-listed value, then allow access. + +If CIPolicy is present and is not an allow-listed value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **BootRevListInfo** -This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
-If reported BootRevListInfo version equals an accepted value, then allow access.
+This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device. -If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootRevListInfo version equals an accepted value, then allow access. + +If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **OSRevListInfo** -This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
-If reported OSRevListInfo version equals an accepted value, then allow access.
+This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device. -If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported OSRevListInfo version equals an accepted value, then allow access. + +If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies: - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **HealthStatusMismatchFlags** -HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
-In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
+HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation. -### **Device HealthAttestation CSP status and error codes** +In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute. -| Error code | -Error name | -Description | -
|---|---|---|
| 0 | -HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED | -This is the initial state for devices that have never participated in a DHA-Session. | -
| 1 | -HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED | -This state signifies that MDM client's Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. | -
| 2 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED | -This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. | -
| 3 | -HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE | -This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. | -
| 4 | -HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL | -Deprecated in Windows 10, version 1607. | -
| 5 | -HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL | -DHA-CSP failed to get a claim quote. | -
| 6 | -HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY | -DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. | -
| 7 | -HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL | -DHA-CSP failed in retrieving Windows AIK | -
| 8 | -HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL | -Deprecated in Windows 10, version 1607. | -
| 9 | -HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION | -Invalid TPM version (TPM version is not 1.2 or 2.0) | -
| 10 | -HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL | -Nonce was not found in the registry. | -
| 11 | -HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL | -Correlation ID was not found in the registry. | -
| 12 | -HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL | -Deprecated in Windows 10, version 1607. | -
| 13 | -HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL | -Deprecated in Windows 10, version 1607. | -
| 14 | -HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL | -Failure in Encoding functions. (Extremely unlikely scenario) | -
| 15 | -HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL | -Deprecated in Windows 10, version 1607. | -
| 16 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML | -DHA-CSP failed to load the payload it received from DHA-Service | -
| 17 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML | -DHA-CSP received a corrupted response from DHA-Service. | -
| 18 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML | -DHA-CSP received an empty response from DHA-Service. | -
| 19 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK | -DHA-CSP failed in decrypting the AES key from the EK challenge. | -
| 20 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK | -DHA-CSP failed in decrypting the health cert with the AES key. | -
| 21 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB | -DHA-CSP failed in exporting the AIK Public Key. | -
| 22 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY | -DHA-CSP failed in trying to create a claim with AIK attestation data. | -
| 23 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB | -DHA-CSP failed in appending the AIK Pub to the request blob. | -
| 24 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT | -DHA-CSP failed in appending the AIK Cert to the request blob. | -
| 25 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE | -DHA-CSP failed to obtain a Session handle. | -
| 26 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE | -DHA-CSP failed to connect to the DHA-Service. | -
| 27 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE | -DHA-CSP failed to create an HTTP request handle. | -
| 28 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION | -DHA-CSP failed to set options. | -
| 29 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS | -DHA-CSP failed to add request headers. | -
| 30 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST | -DHA-CSP failed to send the HTTP request. | -
| 31 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE | -DHA-CSP failed to receive a response from the DHA-Service. | -
| 32 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS | -DHA-CSP failed to query headers when trying to get HTTP status code. | -
| 33 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE | -DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. | -
| 34 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE | -DHA-CSP received an empty response along with an HTTP error code from DHA-Service. | -
| 35 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER | -DHA-CSP failed to impersonate user. | -
| 36 | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR | -DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. | -
| 0xFFFF | -HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN | -DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. | -
| 400 | -Bad_Request_From_Client | -DHA-CSP has received a bad (malformed) attestation request. | -
| 404 | -Endpoint_Not_Reachable | -DHA-Service is not reachable by DHA-CSP | -
| Value | -Description | -
|---|---|
ENTITLEMENT_SUCCESS |
-The device is allowed to connect to the server. |
-
ENTITLEMENT_FAILED |
-The device is not allowed to connect to the server |
-
ENTITLEMENT_UNAVAILABLE |
-The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement. |
-
| Update channel | -Primary purpose | -LOB Tattoo availability | -Default update channel for the products | -
|---|---|---|---|
| Current channel | -Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. | -March 9 2017 | -Visio Pro for Office 365 -Project Desktop Client -Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.) |
-
| Deferred channel | -Provide users with new features of Office only a few times a year. | -October 10 2017 | -Microsoft 365 Apps for enterprise | -
| First release for Deferred channel | -Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. | -June 13 2017 | -- |
Project Desktop Client
Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)| +|[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)|Provide users with new features of Office only a few times a year.|October 10 2017|Microsoft 365 Apps for enterprise| +|[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|June 13 2017|| diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index f2da07d4e2..6baab87be6 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -34,26 +34,12 @@ For additional information about Store for Business, see the TechNet topics in [ The Store for Business provides services that enable a management tool to synchronize new and updated applications on behalf of an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provides several capabilities including providing application data, the ability to assign and reclaim applications, and the ability to download offline-licensed application packages. -
Application data |
-The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications. |
-
Licensing models |
-Offline vs. Online -Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services. -Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store. |
-
| Namespace | -Subcode | -Error | -Description | -HRESULT | -
|---|---|---|---|---|
s: |
-MessageFormat |
-MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR |
-Invalid message from the Mobile Device Management (MDM) server. |
-80180001 |
-
s: |
-Authentication |
-MENROLL_E_DEVICE_AUTHENTICATION_ERROR |
-The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator. |
-80180002 |
-
s: |
-Authorization |
-MENROLL_E_DEVICE_AUTHORIZATION_ERROR |
-The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. |
-80180003 |
-
s: |
-CertificateRequest |
-MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR |
-The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. |
-80180004 |
-
s: |
-EnrollmentServer |
-MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR |
-The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. | -80180005 |
-
a: |
-InternalServiceFault |
-MENROLL_E_DEVICE_INTERNALSERVICE_ERROR |
-There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. |
-80180006 |
-
a: |
-InvalidSecurity |
-MENROLL_E_DEVICE_INVALIDSECURITY_ERROR |
-The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. |
-80180007 |
-
| Subcode | -Error | -Description | -HRESULT | -
|---|---|---|---|
DeviceCapReached |
-MENROLL_E_DEVICECAPREACHED |
-The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error. |
-80180013 |
-
DeviceNotSupported |
-MENROLL_E_DEVICENOTSUPPORTED |
-The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device. |
-80180014 |
-
NotSupported |
-MENROLL_E_NOT_SUPPORTED |
-Mobile Device Management (MDM) is generally not supported for this device. |
-80180015 |
-
NotEligibleToRenew |
-MENROLL_E_NOTELIGIBLETORENEW |
-The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device. |
-80180016 |
-
InMaintenance |
-MENROLL_E_INMAINTENANCE |
-The Mobile Device Management (MDM) server states your account is in maintenance, try again later. |
-80180017 |
-
UserLicense |
-MENROLL_E_USER_LICENSE |
-There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator. |
-80180018 |
-
InvalidEnrollmentData |
-MENROLL_E_ENROLLMENTDATAINVALID |
-The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. |
-80180019 |
-
| ADDRTYPE Value | -Connection Type | -
|---|---|
E164 |
-RAS connections |
-
APN |
-GPRS connections |
-
ALPHA |
-Wi-Fi-based connections |
-
| Elements | -Available | -
|---|---|
Parm-query |
-Yes -Note that some GPRS parameters will not necessarily contain the exact same value as was set. |
-
Noparm |
-Yes |
-
Nocharacteristic |
-Yes |
-
Characteristic-query |
-Yes |
-
Note that some GPRS parameters will not necessarily contain the exact same value as was set.| +|Noparm|Yes| +|Nocharacteristic|Yes| +|Characteristic-query|Yes| +## Related articles [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 7516e3c411..280b16b2cf 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -18,10 +18,11 @@ The Office configuration service provider (CSP) enables a Microsoft Office clien This CSP was added in Windows 10, version 1703. -For additional information, see [Office DDF](office-ddf.md). +For more information, see [Office DDF](office-ddf.md). The following shows the Office configuration service provider in tree format. -``` + +```console ./Vendor/MSFT Office ----Installation @@ -46,6 +47,7 @@ Office ------------Install ------------Status ``` + **./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office** The root node for the Office configuration service provider. @@ -78,7 +80,7 @@ Behavior: - When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it. - When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values: - When status = 0: 70 (succeeded) - - When status != 0: 60 (failed) + - When status!= 0: 60 (failed) **Installation/CurrentStatus** Returns an XML of current Office 365 installation status on the device. @@ -151,140 +153,22 @@ To get the current status of Office 365 on the device. ## Status code -
| Status | -Description | -Comment | -
|---|---|---|
| 0 | -Installation succeeded | -OK | -
| 997 | -Installation in progress | -- |
| 13 | -ERROR_INVALID_DATA
- Cannot verify signature of the downloaded Office Deployment Tool (ODT) |
-Failure | -
| 1460 | -ERROR_TIMEOUT
- Failed to download ODT |
-Failure | -
| 1602 | -ERROR_INSTALL_USEREXIT
- User cancelled the installation |
-Failure | -
| 1603 | -ERROR_INSTALL_FAILURE
- Failed any pre-req check. -
|
-Failure | -
| 17000 | -ERROR_PROCESSPOOL_INITIALIZATION
- Failed to start C2RClient |
-Failure | -
| 17001 | -ERROR_QUEUE_SCENARIO
- Failed to queue installation scenario in C2RClient |
-Failure | -
| 17002 | -ERROR_COMPLETING_SCENARIO
- Failed to complete the process. Possible reasons: -
|
-Failure | -
| 17003 | -ERROR_ANOTHER_RUNNING_SCENARIO
- Another scenario is running |
-Failure | -
| 17004 | -ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
- Possible reasons: -
|
-Failure | -
| 17005 | -ERROR_SCENARIO_CANCELLED_AS_PLANNED | -Failure | -
| 17006 | -ERROR_SCENARIO_CANCELLED
- Blocked update by running apps |
-Failure | -
| 17007 | -ERROR_REMOVE_INSTALLATION_NEEDED
- The client is requesting client clean up in a "Remove Installation" scenario |
-Failure | -
| 17100 | -ERROR_HANDLING_COMMAND_LINE
- C2RClient command line error |
-Failure | -
| 0x80004005 | -E_FAIL
- ODT cannot be used to install Volume license |
-Failure | -
| 0x8000ffff | -E_UNEXPECTED
- Tried to uninstall when there is no C2R Office on the machine. |
-Failure | -
Cannot verify signature of the downloaded Office Deployment Tool (ODT)|Failure| +|1460|ERROR_TIMEOUT
Failed to download ODT|Failure| +|1602|ERROR_INSTALL_USEREXIT
User canceled the installation|Failure| +|1603|ERROR_INSTALL_FAILURE
Failed any pre-req check.