deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 22:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into trudyha-loc-tagging

Browse Source
This commit is contained in:
Trudy Hakala 2016-07-18 16:02:23 -07:00
commit 2465c74107
59 changed files with 1568 additions and 503 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
devices/surface/TOC.md
View File

@ -2,6 +2,7 @@
## [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md)
## [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)
## [Deploy Surface app with Windows Store for Business](deploy-surface-app-with-windows-store-for-business.md)
## [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
## [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
## [Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)
## [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)
@ -16,4 +17,5 @@
## [Surface Enterprise Management Mode](surface-enterprise-management-mode.md)
### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
## [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)

759
devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md Normal file
View File

@ -0,0 +1,759 @@
---
title: Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit (Surface)
description: Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.
keywords: windows 10 surface, automate, customize, mdt
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface
ms.sitesec: library
author: Scottmca
---
# Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit
#### Applies to
* Surface Pro 4
* Surface Book
* Surface 3
* Windows 10
This article walks you through the recommended process to deploy Windows 10 to Surface devices with Microsoft deployment technologies. The process described in this article yields a complete Windows 10 environment including updated firmware and drivers for your Surface device along with applications like Microsoft Office 365 and the Surface app. When the process is complete, the Surface device will be ready for use by the end user. You can customize this process to include your own applications and configuration to meet the needs of your organization. You can also follow the guidance provided in this article to integrate deployment to Surface devices into existing deployment strategies.
By following the procedures in this article, you can create an up-to-date reference image and deploy this image to your Surface devices, a process known as *reimaging*. Reimaging will erase and overwrite the existing environment on your Surface devices. This process allows you to rapidly configure your Surface devices with identical environments that can be configured to precisely fit your organizations requirements.
An alternative to the reimaging process is an upgrade process. The upgrade process is non-destructive and instead of erasing the existing environment on your Surface device, it allows you to install Windows 10 while retaining your user data, applications, and settings. You can read about how to manage and automate the upgrade process of Surface devices to Windows 10 at [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md).
The goal of the deployment process presented in this article is automation. By leveraging the many technologies and tools available from Microsoft, you can create a process that requires only a single touch on the devices being deployed. The automation can load the deployment environment; format the device; prepare an updated Windows image with the drivers required for the device; apply that image to the device; configure the Windows environment with licensing, membership in a domain, and user accounts; install applications; apply any Windows updates that were not included in the reference image; and log out.
By automating each aspect of the deployment process, you not only greatly decrease the effort involved, but you create a process that can be easily repeated and where human error becomes less of a factor. Take for example a scenario where you create a reference image for the device manually, but you accidentally install conflicting applications and cause the image to become unstable. In this scenario you have no choice but to begin again the manual process of creating your image. If in this same scenario you had automated the reference image creation process, you could repair the conflict by simply editing a step in the task sequence and then re-running the task sequence.
## Deployment tools
The deployment process described in this article leverages a number of Microsoft deployment tools and technologies. Some of these tools and technologies are included in Windows client and Windows Server, such as Hyper-V and Windows Deployment Services (WDS), while others are available as free downloads from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/windows.aspx).
#### Microsoft Deployment Toolkit
The Microsoft Deployment Toolkit (MDT) is the primary component of a Windows deployment. It serves as a unified interface for most of the Microsoft deployment tools and technologies, such as the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), User State Migration Tool (USMT), and many other tools and technologies. Each of these is discussed throughout this article. The unified interface, called the *Deployment Workbench*, facilitates automation of the deployment process through a series of stored deployment procedures, known as a *task sequence*. Along with these task sequences and the many scripts and tools that MDT provides, the resources for a Windows deployment (driver files, application installation files, and image files) are stored in a network share known as the *deployment share*.
You can download and find out more about MDT at [Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/windows/dn475741).
#### Windows Assessment and Deployment Kit
Although MDT is the tool you will interact with most during the deployment process, the deployment tools found in the Windows ADK perform most of the deployment tasks during the deployment process. The resources for deployment are held within the MDT deployment share, but it is the collection of tools included in Windows ADK that access the image files, stage drivers and Windows updates, run the deployment experience, provide instructions to Windows Setup, and back up and restore user data.
You can download and find out more about the Windows ADK at [Download the Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#windowsadk).
#### Windows 10 installation media
Before you can perform a deployment with MDT, you must first supply a set of operating system installation files and an operating system image. These files and image can be found on the physical installation media (DVD) for Windows 10. You can also find these files in the disk image (ISO file) for Windows 10, which you can download from the [Volume Licensing Service Center (VLSC)](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
>**Note:**  The installation media generated from the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT.
#### Windows Server
Although MDT can be installed on a Windows client, to take full advantage of Windows Deployment Services ability to network boot, a full Windows Server environment is recommended. To provide network boot for UEFI devices like Surface with WDS, you will need Windows Server 2008 R2 or later.
>**Note:**  To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter).
#### Windows Deployment Services
Windows Deployment Services (WDS) is leveraged to facilitate network boot capabilities provided by the Preboot Execution Environment (PXE) server. The boot media generated by MDT is loaded onto the Surface device simply by pressing Enter at the prompt when the device attempts to boot from the attached network adapter or Surface Dock.
#### Hyper-V virtualization platform
The process of creating a reference image should always be performed in a virtual environment. When you use a virtual machine as the platform to build your reference image, you eliminate the need for installation of additional drivers. The drivers for a Hyper-V virtual machine are included by default in the factory Windows 10 image. When you avoid the installation of additional drivers especially complex drivers that include application components like control panel applications you ensure that the image created by your reference image process will be as universally compatible as possible.
>**Note:**  A Generation 1 virtual machine is recommended for the preparation of a reference image in a Hyper-V virtual environment.
Because customizations are performed by MDT at the time of deployment, the goal of reference image creation is not to perform customization but to increase performance during deployment by reducing the number of actions that need to occur on each deployed device. The biggest action that can slow down an MDT deployment is the installation of Windows updates. When MDT performs this step during the deployment process, it downloads the updates on each deployed device and installs them. By installing Windows updates in your reference image, the updates are already installed when the image is deployed to the device and the MDT update process only needs to install updates that are new since the image was created or are applicable to products other than Windows (for example, Microsoft Office updates).
>**Note:**  Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center.
#### Surface firmware and drivers
For your deployed Windows environment to function correctly on your Surface devices, you will need to install the drivers used by Windows to communicate with the components of your device. These drivers are available for download in the Microsoft Download Center for each Surface device. You can find the correct Microsoft Download Center page for your device at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
When you browse to the specific Microsoft Download Center page for your device, you will notice that there are two files available for download. One file is a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. The other file is an archive (.zip) file. This file contains the individual driver files that are used during deployment, or for manual installation with Device Manager. The file that you will need to download is the .zip archive file. You can read more about the difference between the firmware and driver pack file types at [Manage Surface driver and firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-pro-3-firmware-updates).
In addition to the driver files that help Windows communicate with the hardware components of the Surface device, the .zip file you download will also contain firmware updates. These firmware updates will update the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. The firmware of an out-of-date Surface device is thus updated when the device reboots during and after the Windows deployment process.
>**Note:**  Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices.
#### Application installation files
In addition to the drivers that are used by Windows to communicate with the Surface devices hardware and components, you will also need to provide the installation files for any applications that you want to install on your deployed Surface devices. To automate the deployment of an application, you will also need to determine the command-line instructions for that application to perform a silent installation. In this article, the Surface app and Microsoft Office 365 will be installed as examples of application installation. The application installation process can be used with any application with installation files that can be launched from command line.
>**Note:**  If the application files for your application are stored on your organizations network and will be accessible from your Surface devices during the deployment process, you can deploy that application directly from that network location. To use installation files from a network location, use the **Install Application Without Source Files or Elsewhere on the Network** option in the MDT New Application Wizard, which is described in the [Import applications](#import-applications) section later in this article.
#### Microsoft Surface Deployment Accelerator
If you want to deploy only to Surface devices or you want an accelerated method to perform deployment to Surface devices, you can use the Microsoft Surface Deployment Accelerator to generate an MDT deployment share complete with Surface device drivers, Surface apps, and pre-configured task sequences to create a reference image and perform deployment to Surface devices. Microsoft Surface Deployment Accelerator can automatically import boot images into WDS and prepare WDS for network boot (PXE). You can download the Microsoft Surface Deployment Accelerator from the [Surface Tools for IT](https://www.microsoft.com/en-us/download/details.aspx?id=46703) page in the Microsoft Download Center.
### Install the deployment tools
Before you can configure the deployment environment with Windows images, drivers, and applications, you must first install the deployment tools that will be used throughout the deployment process. The three main tools to be installed are WDS, Windows ADK, and MDT. WDS provides the capacity for network boot, Windows ADK provides several deployment tools that perform specific deployment tasks, and MDT provides automation and a central interface from which to manage and control the deployment process.
To boot from the network with either your reference virtual machines or your Surface devices, your deployment environment must include a Windows Server environment. The Windows Server environment is required to install WDS and the WDS PXE server. Without PXE support, you will be required to create physical boot media, such as a USB stick to perform your deployment MDT and Windows ADK will still be required, but Windows Server is not required. Both MDT and Windows ADK can be installed on a Windows client and perform a Windows deployment.
>**Note:**  To download deployment tools directly to Windows Server, you must disable [Internet Explorer Enhanced Security Configuration](https://technet.microsoft.com/library/dd883248). On Windows Server 2012 R2, this can be performed directly through the **Server Manager** option on the **Local Server** tab. In the **Properties** section, **IE Enhanced Security Configuration** can be found on the right side. You may also need to enable the **File Download** option for the **Internet** zone through the **Security** tab of **Internet Options**.
#### Install Windows Deployment Services
Windows Deployment Services (WDS) is a Windows Server role. To add the WDS role to a Windows Server 2012 R2 environment, use the Add Roles and Features Wizard, as shown in Figure 1. Start the Add Roles and Features Wizard from the **Manage** button of **Server Manager**. Install both the Deployment Server and Transport Server role services.
![Install the Windows Deployment Services role](images\surface-deploymdt-fig1.png "Install the Windows Deployment Services role")
*Figure 1. Install the Windows Deployment Services server role*
After the WDS role is installed, you need to configure WDS. You can begin the configuration process from the WDS node of Server Manager by right-clicking your servers name and then clicking **Windows Deployment Services Management Console**. In the **Windows Deployment Services** window, expand the **Servers** node to find your server, right-click your server, and then click **Configure** in the menu to start the Windows Deployment Services Configuration Wizard, as shown in Figure 2.
![Configure PXE response for Windows Deployment Services](images\surface-deploymdt-fig2.png "Configure PXE response for Windows Deployment Services")
*Figure 2. Configure PXE response for Windows Deployment Services*
>**Note:**  Before you configure WDS make sure you have a local NTFS volume that is not your system drive (C:) available for use with WDS. This volume is used to store WDS boot images, deployment images, and configuration.
Using the Windows Deployment Services Configuration Wizard, configure WDS to fit the needs of your organization. You can find detailed instructions for the installation and configuration of WDS at [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426). On the **PXE Server Initial Settings** page, be sure to configure WDS so that it will respond to your Surface devices when they attempt to boot from the network. If you have already installed WDS or need to change your PXE server response settings, you can do so on the **PXE Response** tab of the **Properties** of your server in the Windows Deployment Services Management Console.
>**Note:**  You will add boot images to WDS when you update your boot images in MDT. You do not need to add boot images or Windows images to WDS when you configure the role.
#### Install Windows Assessment and Deployment Kit
To install Windows ADK, run the Adksetup.exe file that you downloaded from [Download the Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#adkwin10). Windows ADK must be installed before MDT. You should always download and use the most recent version of Windows ADK. A new version is usually released corresponding with each new version of Windows.
>**Note:**  You can also use the Adksetup.exe file to download the Windows ADK installation files locally for use on other devices.
When you get to the **Select the features you want to install** page, you only need to select the **Deployment Tools** and **Windows Preinstallation Environment (Windows PE)** check boxes to deploy Windows 10 using MDT, as shown in Figure 3.
![Required options for deployment with MDT](images\surface-deploymdt-fig3.png "Required options for deployment with MDT")
*Figure 3. Only Deployment Tools and Windows PE options are required for deployment with MDT*
#### Install Microsoft Deployment Toolkit
After the Windows ADK installation completes successfully, you can install MDT. When you download MDT, ensure that you download the version that matches the architecture of your deployment server environment. For Windows Server the architecture is 64-bit. Download the MDT installation file that ends in **x64**. When MDT is installed you can use the default options during the installation wizard, as shown in Figure 4.
![MDT installation with default options](images/surface-deploymdt-fig4.png "MDT installation with default options")
*Figure 4. Install the Microsoft Deployment Toolkit with default options*
Before you can open the MDT Deployment Workbench, you must enable execution of scripts in PowerShell. If you do not do this, the following error message may be displayed: *"Initialization Error PowerShell is required to use the Deployment Workbench. Please install PowerShell then relaunch Deployment Workbench."*
To enable the execution of scripts, run the following cmdlet in PowerShell as an Administrator:
`Set-ExecutionPolicy RemoteSigned -Scope CurrentUser`
## Create a reference image
Now that you have installed the required tools, you can begin the first step of customizing your deployment environment to your needs create a reference image. Because the reference image should be created in a virtual machine where there is no need for drivers to be installed, and because the reference image will not include applications, you can use the MDT deployment environment almost entirely with default settings.
### Create a deployment share
Now that you have the tools installed, the next step is to configure MDT for the creation of a reference image. Before you can perform the process of creating a reference image, MDT needs to be set up with a repository for scripts, images, and other deployment resources. This repository is known as the *deployment share*. After the deployment share is created, you must supply MDT with a complete set of Windows 10 installation files, the last set of tools required before MDT can perform reference image creation.
To create the deployment share, follow these steps:
1. Open the Deployment Workbench from your Start menu or Start screen, as shown in Figure 5.
![The MDT Deployment Workbench](images\surface-deploymdt-fig5.png "The MDT Deployment Workbench")
*Figure 5. The MDT Deployment Workbench*
2. Right-click the **Deployment Shares** folder, and then click **New Deployment Share** to start the New Deployment Share Wizard, as shown in Figure 6.
![Summary page of the New Deployment Share Wizard](images\surface-deploymdt-fig6.png "Summary page of the New Deployment Share Wizard")
*Figure 6. The Summary page of the New Deployment Share Wizard*
3. Create a new deployment share with New Deployment Share Wizard with the following steps:
* **Path** Specify a local folder where the deployment share will reside, and then click **Next**.
>**Note:**  Like the WDS remote installation folder, it is recommended that you put this folder on an NTFS volume that is not your system volume.
* **Share** Specify a name for the network share under which the local folder specified on the **Path** page will be shared, and then click **Next**.
>**Note:**  The share name cannot contain spaces.
>**Note:**  You can use a Dollar Sign (**$**) to hide your network share so that it will not be displayed when users browse the available network shares on the server in File Explorer.
* **Descriptive Name** Enter a descriptive name for the network share (this descriptive name can contain spaces), and then click **Next**. The descriptive name will be the name of the folder as it appears in the Deployment Workbench.
* **Options** You can accept the default options on this page. Click **Next**.
* **Summary** Review the specified configuration on this page before you click **Next** to begin creation of the deployment share.
* **Progress** While the deployment share is being created, a progress bar is displayed on this page to indicate the status of the deployment share creation process.
* **Confirmation** When the deployment share creation process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Deployment Share Wizard.
4. When the New Deployment Share Wizard is complete, you can expand the Deployment Shares folder to find your newly created deployment share.
5. You can expand your deployment share, where you will find several folders for the resources, scripts, and components of your MDT deployment environment are stored.
To secure the deployment share and prevent unauthorized access to the deployment resources, you can create a local user on the deployment share host and configure permissions for that user to have read-only access to the deployment share only. It is especially important to secure access to the deployment share if you intend to automate the logon to the deployment share during the deployment boot process. By automating the logon to the deployment share during the boot of deployment media, the credentials for that logon are stored in plaintext in the bootstrap.ini file on the boot media.
>**Note:**  If you intend to capture images (such as the reference image) with this user, the user must also have write permission on the Captures folder in the MDT deployment share.
You now have an empty deployment share that is ready for you to add the resources that will be required for reference image creation and deployment to Surface devices.
### Import Windows installation files
The first resources that are required to perform a deployment of Windows are the installation files from Windows 10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO file like the download from the Volume Licensing Service Center (VLSC).
>**Note:**  A 64-bit operating system is required for compatibility with Surface Pro 4, Surface Book, Surface Pro 3, and Surface 3.
To import Windows 10 installation files, follow these steps:
1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench, and then click **New Folder** to open the **New Folder** page, as shown in Figure 7.
![Create a new folder on the New Folder page](images\surface-deploymdt-fig7.png "Create a new folder on the New Folder page")
*Figure 7. Create a new folder on the New Folder page*
2. On the **New Folder** page a series of steps is displayed, as follows:
* **General Settings** Enter a name for the folder in the **Folder Name** field (for example, Windows 10 Enterprise), add any comments you want in the **Comments** field, and then click **Next**.
* **Summary** Review the specified configuration of the new folder on this page, and then click **Next**.
* **Progress** A progress bar will be displayed on this page while the folder is created. This page will likely pass very quickly.
* **Confirmation** When the new folder has been created, a **Confirmation** page displays the success of the operation. Click **Finish** to close the **New Folder** page.
3. Expand the Operating Systems folder to see the newly created folder.
4. Right-click the newly created folder, and then click **Import Operating System** to launch the Import Operating System Wizard, as shown in Figure 8.
![Import source files with the Import Operating System Wizard](images\surface-deploymdt-fig8.png "Import source files with the Import Operating System Wizard")
*Figure 8. Import source files with the Import Operating System Wizard*
5. The Import Operating System Wizard walks you through the import of your operating system files, as follows:
* **OS Type** Click **Full Set of Source Files** to specify that you are importing the Windows source files from installation media, and then click **Next**.
* **Source** Click **Browse**, move to and select the folder or drive where your installation files are found, and then click **Next**.
* **Destination** Enter a name for the new folder that will be created to hold the installation files, and then click **Next**.
* **Summary** Review the specified configuration on this page before you click **Next** to begin the import process.
* **Progress** While the installation files are imported, a progress bar is displayed on this page.
* **Confirmation** When the operating system import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Operating System Wizard.
6. Expand the folder you created in Step 1 to see the entry for your newly imported installation files for Windows 10.
Now that youve imported the installation files from the installation media, you have the files that MDT needs to create the reference image and you are ready to instruct MDT how to create the reference image to your specifications.
### Create reference image task sequence
As described in the [Deployment tools](#deployment-tools) section of this article, the goal of creating a reference image is to keep the Windows environment as simple as possible while performing tasks that would be common to all devices being deployed. You should now have a basic MDT deployment share configured with default options and a set of unaltered, factory installation files for Windows 10. This simple configuration is perfect for reference image creation because the deployment share contains no applications or drivers to interfere with the process.
>**Note:**  For some organizations keeping a simple deployment share without applications or drivers is the simplest solution for creation of reference images. You can easily connect to more than one deployment share from a single Deployment Workbench and copy images from a simple, reference-image-only deployment share to a production deployment share complete with drivers and applications.
To create the reference image task sequence, follow these steps:
1. Right-click the **Task Sequences** folder under your deployment share in the Deployment Workbench, and then click **New Task Sequence** to start the New Task Sequence Wizard, as shown in Figure 9.
![Create new task sequence to deploy and update a Windows 10 reference environment](images\surface-deploymdt-fig9.png "Create new task sequence to deploy and update a Windows 10 reference environment")
*Figure 9. Create a new task sequence to deploy and update a Windows 10 reference environment*
2. The New Task Sequence Wizard presents a series of steps, as follows:
* **General Settings** Enter an identifier for the reference image task sequence in the **Task Sequence ID** field, a name for the reference image task sequence in the **Task Sequence Name** field, and any comments for the reference image task sequence in the **Task Sequence Comments** field, and then click **Next**.
>**Note:**  The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
* **Select Template** Select **Standard Client Task Sequence** from the drop-down menu, and then click **Next**.
* **Select OS** Navigate to and select the Windows 10 image you imported with the Windows 10 installation files, and then click **Next**.
* **Specify Product Key** Click **Do Not Specify a Product Key at This Time**, and then click **Next**.
* **OS Settings** Enter a name, organization, and home page URL in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
* **Admin Password** Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**.
>**Note:**  During creation of a reference image, any specified Administrator password will be automatically removed when the image is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to remain in line with best practices for production deployment environments.
* **Summary** Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
* **Progress** While the task sequence is created, a progress bar is displayed on this page.
* **Confirmation** When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard.
2. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
3. Select the **Task Sequence** tab to view the steps that are included in the Standard Client Task Sequence template, as shown in Figure 10.
![Enable Windows Update in the reference image task sequence](images\surface-deploymdt-fig10.png "Enable Windows Update in the reference image task sequence")
*Figure 10. Enable Windows Update in the reference image task sequence*
4. Select the **Windows Update (Pre-Application Installation)** option, located under the **State Restore** folder.
5. Click the **Options** tab, and then clear the **Disable This Step** check box.
6. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option.
7. Click **OK** to apply changes to the task sequence, and then close the task sequence properties window.
### Generate and import MDT boot media
To boot the reference virtual machine from the network, the MDT deployment share first must be updated to generate boot media with the resources that have been added in the previous sections.
To update the MDT boot media, follow these steps:
1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard, as shown in Figure 11.
![Generate boot images with the Update Deployment Share Wizard](images\surface-deploymdt-fig11.png "Generate boot images with the Update Deployment Share Wizard")
*Figure 11. Generate boot images with the Update Deployment Share Wizard*
2. Use the Update Deployment Share Wizard to create boot images with the following process:
* **Options** Click **Completely Regenerate the Boot Images**, and then click **Next**.
>**Note:**  Because this is the first time the newly created deployment share has been updated, new boot images will be generated regardless of which option you select on the **Options** page.
* **Summary** Review the specified options on this page before you click **Next** to begin generation of boot images.
* **Progress** While the boot images are being generated, a progress bar is displayed on this page.
* **Confirmation** When the boot images have been generated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard.
3. Confirm that boot images have been generated by navigating to the deployment share in File Explorer and opening the Boot folder. The following files should be displayed, as shown in Figure 12:
* **LiteTouchPE_x86.iso**
* **LiteTouchPE_x86.wim**
* **LiteTouchPE_x64.iso**
* **LiteTouchPE_x64.wim**
![Boot images in the Boot folder after Update Deployment Share Wizard completes](images\surface-deploymdt-fig12.png "Boot images in the Boot folder after Update Deployment Share Wizard completes")
*Figure 12. Boot images displayed in the Boot folder after completion of the Update Deployment Share Wizard*
To import the MDT boot media into WDS for PXE boot, follow these steps:
1. Open Windows Deployment Services from the Start menu or Start screen.
2. Expand **Servers** and your deployment server.
3. Click the **Boot Images** folder, as shown in Figure 13.
![Start the Add Image Wizard from the Boot Images folder](images\surface-deploymdt-fig13.png "Start the Add Image Wizard from the Boot Images folder")
*Figure 13. Start the Add Image Wizard from the Boot Images folder*
4. Right-click the **Boot Images** folder, and then click **Add Boot Image** to open the Add Image Wizard, as shown in Figure 14.
![Import the LiteTouchPE_x86.wim MDT boot image](images\surface-deploymdt-fig14.png "Import the LiteTouchPE_x86.wim MDT boot image")
*Figure 14. Import the LiteTouchPE_x86.wim MDT boot image*
5. The Add Image Wizard displays a series of steps, as follows:
* **Image File** Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, click **Open**, and then click **Next**.
* **Image Metadata** Enter a name and description for the MDT boot media, or click **Next** to accept the default options.
* **Summary** Review your selections to import a boot image into WDS, and then click **Next**.
* **Task Progress** A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard.
>**Note:**  Only the 32-bit boot image, LiteTouchPE_x86.wim, is required to boot from BIOS devices, including Generation 1 Hyper-V virtual machines like the reference virtual machine.
If your WDS configuration is properly set up to respond to PXE clients, you should now be able to boot from the network with any device with a network adapter properly configured for network boot (PXE).
>**Note:**  If your WDS server resides on the same server as DHCP or in a different subnet than the devices you are attempting to boot, additional configuration may be required. For more information, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351).
### Deploy and capture a reference image
Your deployment environment is now set up to create a reference image for Windows 10 complete with Windows Updates.
>**Note:**&nbsp;&nbsp;You cannot install version updates (such as Windows 10, Version 1511) in a reference image. To create a reference image with a new version of Windows, you must use installation files from that version of Windows. When you install a version update in Windows, it effectively performs an upgrade to a new version of Windows, and upgraded installations of Windows cannot be prepared for deployment with Sysprep.<br/><br/>
By using a fully automated task sequence in an MDT deployment share dedicated to reference image creation, you can greatly reduce the time and effort required to create new reference images and it is the best way to ensure that your organization is ready for feature updates and new versions of Windows 10.
You can now boot from the network with a virtual machine to run the prepared task sequence and generate a reference image. When you prepare your virtual machine in Hyper-V for reference image creation, consider the following:
* Use a Generation 1 virtual machine for the simplicity of drivers and to ensure maximum compatibility with both BIOS and UEFI devices.
* Ensure your virtual machine has at least 1 GB of system memory at boot. You can ensure that the virtual machine has at least 1 GB of memory at boot but allow the memory to adjust after boot by using Dynamic Memory. You can read more about Dynamic Memory in the [Hyper-V Dynamic Memory Overview](https://technet.microsoft.com/library/hh831766).
* Ensure your virtual machine uses a legacy network adapter to support network boot (PXE); that network adapter should be connected to the same network as your deployment server, and that network adapter should receive an IP address automatically via DHCP.
* Configure your boot order such that PXE Boot is the first option.
When your virtual machine (VM) is properly configured and ready, start or boot the VM and be prepared to press the F12 key when prompted to boot via PXE from the WDS server.
Perform the reference image deployment and capture using the following steps:
1. Start your virtual machine and press the F12 key when prompted to boot to the WDS server via PXE, as shown in Figure 15.
![Start network boot by pressing the F12 key](images\surface-deploymdt-fig15.png "Start network boot by pressing the F12 key")
*Figure 15. Start network boot by pressing the F12 key*
2. Click **Run the Deployment Wizard to Install a New Operating System** to begin the MDT deployment process.
3. Enter your MDT username and password, a user with rights to access the MDT deployment share over the network and with rights to write to the Captures folder in the deployment share.
4. After your credentials are validated, the Windows Deployment Wizard will start and process the boot and deployment share rules.
5. The Windows Deployment Wizard displays a series of steps, as follows:
* **Task Sequence** Select the task sequence you created for reference image creation (it should be the only task sequence available), and then click **Next**.
* **Computer Details** Leave the default computer name, workgroup name, and the **Join a Workgroup** option selected, and then click **Next**. The computer name and workgroup will be reset when the image is prepared by Sysprep and captured.
* **Move Data and Settings** Leave the default option of **Do Not Move User Data and Settings** selected, and then click **Next**.
* **User Data (Restore)** Leave the default option of **Do Not Restore User Data and Settings** selected, and then click **Next**.
* **Locale and Time** Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**.
* **Capture Image** Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**.
![Capture an image of the reference machine](images\surface-deploymdt-fig16.png "Capture an image of the reference machine")
*Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment*
* **Ready** You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image.
6. Your reference task sequence will run with the specified options.
As the task sequence processes the deployment, it will automatically perform the following tasks:
* Install the Windows 10 image from the installation files you supplied
* Reboot into Windows 10
* Run Windows updates until all Windows updates have been installed and the Windows environment is fully up to date
* Run Sysprep and prepare the Windows 10 environment for deployment
* Reboot into WinPE
* Capture an image of the Windows 10 environment and store it in the Captures folder in the MDT deployment share
>**Note:**&nbsp;&nbsp;The Windows Update process can take some time to complete as it searches the Internet for updates, downloads those updates, and then installs them. By performing this process now, in the reference environment, you eliminate the need to perform these tasks on each deployed device and significantly reduce the amount of time and bandwidth required to perform your deployment.
When the task sequence completes, your virtual machine will be off and a new reference image complete with updates will be ready in your MDT deployment share for you to import it and prepare your deployment environment for deployment to Surface devices.
## Deploy Windows 10 to Surface devices
With a freshly prepared reference image, you are now ready to configure the deployment process for deployment to the Surface devices. Use the steps detailed in this section to produce a deployment process that requires minimal effort on each Surface device to produce a complete and ready-to-use Windows 10 environment.
### Import reference image
After the reference image has been created and stored in the Captures folder, you need to add it to your MDT deployment share as an image for deployment. You perform this task by using the same process that you used to import the installation files for Windows 10.
To import the reference image for deployment, use the following steps:
1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench or the folder you created in when you imported Windows 10 installation files, and then click **Import Operating System** to start the Import Operating System Wizard.
2. Import the custom image with the Import Operating System Wizard by using the following steps:
* **OS Type** Select Custom Image File to specify that you are importing the Windows source files from installation media, and then click **Next**.
* **Image** Click **Browse**, and then navigate to and select the image file in the **Captures** folder in your deployment share. Select the **Move the Files to the Deployment Share Instead of Copying Them** checkbox if desired. Click **Next**.
* **Setup** Click **Setup Files are not Neededf**, and then click **Next**.
* **Destination** Enter a name for the new folder that will be created to hold the image file, and then click **Next**.
* **Summary** Review the specified configuration on this page before you click **Next** to begin the import process.
* **Progress** While the image is imported, a progress bar is displayed on this page.
* **Confirmation** When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Operating System Wizard.
3. Expand the folder in which you imported the image to verify that the import completed successfully.
>**Note:**&nbsp;&nbsp;You can import the reference image into the same deployment share that you used to create your reference image, or you could import the reference image into a new deployment share for deployment to your Surface devices. If you chose to create a new deployment share for deployment of your reference image, remember that you still need to import a full set of installation files from installation media.
Now that your updated reference image is imported, it is time to prepare your deployment environment for deployment to Surface devices complete with drivers, applications, and automation.
### Import Surface drivers
Before you can deploy your updated reference image to Surface devices, or any physical environment, you need to supply MDT with the drivers that Windows will use to communicate with that physical environment. For Surface devices you can download all of the drivers required by Windows in a single archive (.zip) file in a format that is ready for deployment. In addition to the drivers that are used by Windows to communicate with the hardware and components, Surface firmware and driver packs also include updates for the firmware of those components. By installing the Surface firmware and driver pack, you will also bring your devices firmware up to date. If you have not done so already, download the drivers for your Surface device listed at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices).
Many devices require that you import drivers specifically for WinPE in order for the MDT boot media to communicate with the deployment share and to boot properly on that device. Even Surface Pro 3 required that network drivers be imported specifically for WinPE for deployment of Windows 8.1. Fortunately, for Windows 10 deployments to Surface devices, all of the required drivers for operation of WinPE are contained within the out-of-box drivers that are built into Windows 10. It is still a good idea to prepare your environment with folder structure and selection profiles that allow you to specify drivers for use in WinPE. You can read more about that folder structure in **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec05).
To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow these steps:
1. Extract the downloaded archive (.zip) file to a folder that you can easily locate. Keep the driver files separate from other drivers or files.
2. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
3. If you have not already created a folder structure by operating system version, you should do so now and create under the Windows 10 x64 folder a new folder for Surface Pro 4 drivers named Surface Pro 4. Your Out-of-Box Drivers folder should resemble the following structure, as shown in Figure 17:
* WinPE x86
* WinPE x64
* Windows 10 x64
* Microsoft Corporation
* Surface Pro 4
![Recommended folder structure for drivers](images\surface-deploymdt-fig17.png "Recommended folder structure for drivers")
*Figure 17. The recommended folder structure for drivers*
4. Right-click the **Surface Pro 4** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 18.
![Progress page during drivers import](images\surface-deploymdt-fig18.png "Progress page during drivers import")
*Figure 18. The Progress page during drivers import*
5. The Import Driver Wizard displays a series of steps, as follows:
* **Specify Directory** Click **Browse** and navigate to the folder where you extracted the Surface Pro 4 firmware and drivers in Step 1.
* **Summary** Review the specified configuration on this page before you click **Next** to begin the import process.
* **Progress** While the drivers are imported, a progress bar is displayed on this page.
* **Confirmation** When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard.
6. Click the **Surface Pro 4** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 19.
![Drivers for Surface Pro 4 imported and organized in the MDT deployment share](images\surface-deploymdt-fig19.png "Drivers for Surface Pro 4 imported and organized in the MDT deployment share")
*Figure 19. Drivers for Surface Pro 4 imported and organized in the MDT deployment share*
### Import applications
You can import any number of applications into MDT for installation on your devices during the deployment process. You can configure your applications and task sequences to prompt you during deployment to pick and choose which applications are installed, or you can use your task sequence to explicitly define which applications are installed. For more information, see **Step 4: Add an application** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/en-us/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec04).
#### Import Microsoft Office 365 Installer
The Office Deployment Tool is a free download available in the Microsoft Download Center that allows IT professionals and system administrators to download and prepare Office installation packages for Office Click-to-Run. You can find the Office Deployment Tool and instructions to download Click-to-Run for Office 365 installation source files at [Download Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/library/jj219424).
Download and install the version of Office Deployment Tool (ODT), for Office 2013 or Office 2016, that fits your organizations needs and use the steps provided by that page to download the Office installation files for use with MDT.
After you have downloaded the source files for your version of Office Click-to-Run, you need to edit the Configuration.xml file with instructions to install Office Click-to-Run silently. To configure the Office Deployment Tool for silent installation, follow these steps:
1. Right-click the existing **Configuration.xml** file, and then click **Edit**.
2. This action opens the file in Notepad. Replace the existing text with the following:
```
<Configuration>
<Add OfficeClientEdition="32">
<Product ID="O365ProPlusRetail" >
<Language ID="en-us" />
</Product>
</Add>
<Display Level="None" AcceptEULA="TRUE" /> </Configuration>
```
3. Save the file.
The default behavior of Setup.exe is to look for the source files in the path that contains **Setup.exe**. If the installation files are not found in this folder, the Office Deployment Tool will default to online source files from an Internet connection.
For MDT to perform an automated installation of office, it is important to configure the **Display Level** option to a value of **None**. This setting is used to suppress the installation dialog box for silent installation. It is required that the **AcceptEULA** option is set to **True** to accept the license agreement when the **Display Level** option is set to **None**. With both of these options configured, the installation of Office will occur without the display of dialog boxes which could potentially cause the installation to pause until a user can address an open dialog box.
Now that the installation and configuration files are prepared, the application can be imported into the deployment share by following these steps:
1. Open the Deployment Workbench.
2. Expand the deployment share, right-click the **Applications** folder, and then click **New Application** to start the New Application Wizard, as shown in Figure 20.
![Enter the command and directory for Office 2016 Click-to-Run](images\surface-deploymdt-fig20.png "Enter the command and directory for Office 2016 Click-to-Run")
*Figure 20. Enter the command and directory for Office 2016 Click-to-Run*
3. The New Application Wizard walks you through importing the Office 2016 Click-to-Run files, as follows:
* **Application Type** Click **Application with Source Files**, and then click **Next**.
* **Details** Enter a name for the application (for example, Office 2016 Click-to-Run) in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**.
* **Source** Click **Browse** to navigate to and select the folder where you downloaded the Office installation files with the Office Deployment Tool, and then click **Next**.
* **Destination** Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name.
* **Command Details** Enter the Office Deployment Tool installation command line:
`Setup.exe /configure configuration.xml`
* **Summary** Review the specified configuration on this page before you click **Next** to begin the import process.
* **Progress** While the installation files are imported, a progress bar is displayed on this page.
* **Confirmation** When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard.
4. You should now see the **Office 2016 Click-to-Run** item under the **Applications** folder in the Deployment Workbench.
#### Import Surface app installer
The Surface app is a Windows Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/en-us/support/apps-and-windows-store/surface-app?os=windows-10).
To perform a deployment of the Surface app, you will need to download the app files through Windows Store for Business. You can find detailed instructions on how to download the Surface app through Windows Store for Business at [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/en-us/itpro/surface/deploy-surface-app-with-windows-store-for-business).
After you have downloaded the installation files for Surface app, including the AppxBundle and license files, you can import these files into the deployment share through the same process as a desktop application like Microsoft Office. Both the AppxBundle and license files must be together in the same folder for the import process to complete successfully. Use the following command on the **Command Details** page to install the Surface app:
```
DISM.exe /Online /Add-ProvisionedAppxPackage /PackagePath: Microsoft.SurfaceHub_10.0.342.0_neutral_~_8wekyb3d8bbwe.AppxBundle /LicensePath: Microsoft.SurfaceHub_8wekyb3d8bbwe_a53ef8ab-9dbd-dec1-46c5-7b664d4dd003.xml
```
### Create deployment task sequence
The next step in the process is to create the deployment task sequence. This task sequence will be configured to completely automate the deployment process and will work along with customized deployment share rules to reduce the need for user interaction down to a single touch. Before you can make customizations to include all of this automation, the new task sequence has to be created from a template.
To create the deployment task sequence, follow these steps:
1. In the Deployment Workbench, under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
* **General Settings** Enter an identifier for the deployment task sequence in the **Task Sequence ID** field, a name for the deployment task sequence in the **Task Sequence Name** field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, then click **Next**.
>**Note:**&nbsp;&nbsp;The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
* **Select Template** Click **Standard Client Task Sequence** from the drop-down menu, and then click **Next**.
* **Select OS** Navigate to and select the reference image that you imported, and then click **Next**.
* **Specify Product Key** Select the product key entry that fits your organization's licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.
* **OS Settings** Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
* **Admin Password** Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**.
* **Summary** Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
* **Progress** While the task sequence is being created, a progress bar is displayed on this page.
* **Confirmation** When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard.
After the task sequence is created it can be modified for increased automation, such as the installation of applications without user interaction, the selection of drivers, and the installation of Windows updates.
1. Click the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
2. Click the **Task Sequence** tab to view the steps that are included in the new task sequence.
3. Click the **Windows Update (Pre-Application Installation)** step, located under the **State Restore** folder.
4. Click the **Options** tab, and then clear the **Disable This Step** check box.
5. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option.
6. Between the two **Windows Update** steps is the **Install Applications** step. Click the **Install Applications** step, and then click **Add**.
7. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 21.
![A new Install Application step in the deployment task sequence](images\surface-deploymdt-fig21.png "A new Install Application step in the deployment task sequence")
*Figure 21. A new Install Application step in the deployment task sequence*
8. On the **Properties** tab of the new **Install Application** step, enter **Install Microsoft Office 2016 Click-to-Run** in the **Name** field.
9. Click **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
10. Select Office 2016 Click-to-Run from the list of applications, and then click **OK**.
11. Repeat Steps 6 through 10 for the Surface app.
12. Expand the **Preinstall** folder, and then click the **Enable BitLocker (Offline)** step.
13. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu.
14. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 22), configure the following options:
* **Name** Set DriverGroup001
* **Task Sequence Variable** DriverGroup001
* **Value** Windows 10 x64\%Make%\%Model%
![Configure a new Set Task Sequence Variable step in the deployment task sequence](images\surface-deploymdt-fig22.png "Configure a new Set Task Sequence Variable step in the deployment task sequence")
Figure 22. Configure a new Set Task Sequence Variable step in the deployment task sequence
15. Select the **Inject Drivers** step, the next step in the task sequence.
16. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 23), configure the following options:
* In the **Choose a selection profile** drop-down menu, select **Nothing**.
* Click the **Install all drivers from the selection profile** button.
![Configure deployment task sequence not to choose the drivers to inject into Windows](images\surface-deploymdt-fig23.png "Configure deployment task sequence not to choose the drivers to inject into Windows")
*Figure 23. Configure the deployment task sequence not to choose the drivers to inject into Windows*
17. Click **OK** to apply changes to the task sequence and close the task sequence properties window.
### Configure deployment share rules
The experience of users during a Windows deployment is largely governed by a set of rules that control how the MDT and Windows Deployment Wizard experience should proceed. These rules are stored in two configuration files. Boot media rules are stored in the Bootstrap.ini file that is processed when the MDT boot media is first run. Deployment share rules are stored in the Customsettings.ini file and tell the Windows Deployment Wizard how to operate (for example, what screens to show and what questions to ask). By using these the rules stored in these two files, you can completely automate the process of deployment to where you will not be asked to supply the answer to any questions during deployment and the deployment will perform all tasks completely on its own.
#### Configure Bootstrap.ini
Bootstrap.ini is the simpler of the two rule files. The purpose it serves is to provide instructions from when the MDT boot media starts on a device until the Windows Deployment Wizard is started. The primary use of this file is to provide the credentials that will be used to log on to the deployment share and start the Windows Deployment Wizard.
To automate the boot media rules, follow these steps:
1. Right-click your deployment share in the Deployment Workbench, and then click **Properties**.
2. Click the **Rules** tab, and then click **Edit Bootstrap.ini** to open Bootstrap.ini in Notepad.
3. Replace the text of the Bootstrap.ini file with the following text:
```
[Settings]
Priority=Model,Default
[Surface Pro 4]
DeployRoot=\\STNDeployServer\DeploymentShare$
UserDomain=STNDeployServer
UserID=MDTUser
UserPassword=P@ssw0rd
SkipBDDWelcome=YES
[Surface Pro 4]
DeployRoot=\\STNDeployServer\DeploymentShare$
```
4. Press Ctrl+S to save Bootstrap.ini, and then close Notepad.
You can use a number of variables in both boot media and deployment share rules to apply rules only when certain conditions are met. For example, you can use MAC addresses to identify specific machines where MDT will run fully automated, but will run with required user interaction on all other devices. You can also use the model of the device to instruct the MDT boot media to perform different actions based on computer model, much as the way **[Surface Pro 4]** is listed in Step 3. You can use the following cmdlet in a PowerShell session to see what the Model variable would be on a device:
```wmic csproduct get name```
Rules used in the text shown in Step 3 include:
* **DeployRoot** Used to specify the deployment share that the MDT boot media will connect to.
* **UserDomain** Used to specify the domain or computer where the MDT user account is located.
* **UserID** Used to specify the MDT user account for automatic logon to the deployment share.
* **UserPassword** Used to specify the MDT user password for automatic logon to the deployment share.
* **SkipBDDWelcome** Used to skip the Welcome page and to start the Windows Deployment Wizard immediately using the specified credentials and deployment share.
#### Configure CustomSettings.ini
The bulk of the rules used to automate the MDT deployment process are stored in the deployment share rules, or the Customsettings.ini file. In this file you can answer and hide all of the prompts from the Windows Deployment Wizard, which yields a deployment experience that mostly consists of a progress bar that displays the automated actions occurring on the device. The deployment share rules are shown directly in the **Rules** tab of the deployment share properties, as shown in Figure 24.
![Deployment share rules configured for automation of the Windows Deployment Wizard](images\surface-deploymdt-fig24.png "Deployment share rules configured for automation of the Windows Deployment Wizard")
*Figure 24. Deployment share rules configured for automation of the Windows Deployment Wizard*
To configure automation for the production deployment, copy and paste the following text into the text box on the **Rules** tab of your deployment share properties:
```
[Settings]
Priority=Model,Default
Properties=MyCustomProperty
[Surface Pro 4]
SkipTaskSequence=YES
TaskSequenceID=Win10SP4
[Default]
OSInstall=Y
SkipCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerBackup=YES
SkipBitLocker=YES
SkipBDDWelcome=YES
SkipUserData=YES
UserDataLocation=AUTO
SkipApplications=YES
SkipPackageDisplay=YES
SkipComputerName=YES
SkipDomainMembership=YES
JoinDomain=contoso.com
DomainAdmin=MDT
DomainAdminDomain=contoso
DomainAdminPassword=P@ssw0rd
SkipLocaleSelection=YES
KeyboardLocale=en-US
UserLocale=en-US
UILanguage=en-US
SkipTimeZone=YES
TimeZoneName=Pacific Standard Time
UserID=MDTUser
UserDomain=STNDeployServer
UserPassword=P@ssw0rd
SkipSummary=YES
SkipFinalSummary=YES
FinishAction=LOGOFF
```
Rules used in this example include:
* **SkipTaskSequence** This rule is used to skip the **Task Sequence** page where the user would have to select between available task sequences.
* **TaskSequenceID** This rule is used to instruct the Windows Deployment Wizard to run a specific task sequence. In this scenario the task sequence ID should match the deployment task sequence you created in the previous section.
* **OSInstall** This rule indicates that the Windows Deployment Wizard will be performing an operating system deployment.
* **SkipCapture** This rule prevents the **Capture Image** page from being displayed, prompting the user to create an image of this device after deployment.
* **SkipAdminPassword** This rule prevents the **Admin Password** page from being displayed. The Administrator password specified in the task sequence will still be applied.
* **SkipProductKey** This rule prevents the **Specify Product Key** page from being displayed. The product key specified in the task sequence will still be applied.
* **SkipComputerBackup** This rule prevents the **Move Data and Settings** page from being displayed, where the user is asked if they would like to make a backup of the computer before performing deployment.
* **SkipBitLocker** This rule prevents the **BitLocker** page from being displayed, where the user is asked if BitLocker Drive Encryption should be used to encrypt the device.
* **SkipBDDWelcome** This rule prevents the **Welcome** page from being displayed, where the user is prompted to begin Windows deployment.
* **SkipUserData** This rule prevents the **User Data (Restore)** page from being displayed, where the user is asked to restore previously backed up user data in the new environment.
* **UserDataLocation** This rule prevents the user from being prompted to supply a location on the User Data (Restore) page.
* **SkipApplications** This rule prevents the **Applications** page from being displayed, where the user is prompted to select from available applications to be installed in the new environment.
* **SkipPackageDisplay** This rule prevents the **Packages** page from being displayed, where the user is prompted to select from available packages to be installed in the new environment.
* **SkipComputerName** This rule, when combined with the **SkipDomainMembership** rule, prevents the **Computer Details** page from being displayed, where the user is asked to supply computer name and join a domain or workgroup.
* **SkipDomainMembership** This rule, when combined with the **SkipComputerName** rule, prevents the **Computer Details** page from being displayed, where the user is asked to supply computer name and join a domain or workgroup.
* **JoinDomain** This rule instructs the Windows Deployment Wizard to have the computer join the specified domain using the specified credentials.
* **DomainAdmin** This rule specifies the username for the domain join operation.
* **DomainAdminDomain** This rule specifies the domain for the username for the domain join operation.
* **DomainAdminPassword** This rule specifies the password for the username for the domain join operation.
* **SkipLocaleSelection** This rule, along with the **SkipTimeZone** rule, prevents the **Locale and Time** page from being displayed.
* **KeyboardLocale** This rule is used to specify the keyboard layout for the deployed Windows environment.
* **UserLocale** This rule is used to specify the geographical locale for the deployed Windows environment.
* **UILanguage** This rule is used to specify the language to be used in the deployed Windows environment.
* **SkipTimeZone** This rule, along with the **SkipLocaleSelection** rule, prevents the **Locale and Time** page from being displayed.
* **TimeZoneName** This rule is used to specify the time zone for the deployed Windows environment.
* **UserID** This rule is used to supply the username under which the MDT actions and task sequence steps are performed.
* **UserDomain** This rule is used to supply the domain for the username under which the MDT actions and task sequence steps are performed.
* **UserPassword** This rule is used to supply the password for the username under which the MDT actions and task sequence steps are performed.
* **SkipSummary** This rule prevents the **Summary** page from being displayed before the task sequence is run, where the user is prompted to confirm the selections before beginning the task sequence.
* **SkipFinalSummary** This rule prevents the **Summary** page from being displayed when the task sequence has completed.
* **FinishAction** This rule specifies whether to log out, reboot, or shut down the device after the task sequence has completed.
You can read about all of the possible deployment share and boot media rules in the [Microsoft Deployment Toolkit Reference](https://technet.microsoft.com/library/dn781091).
### Update and import updated MDT boot media
The process to update MDT boot media with these new rules and changes to the deployment share is very similar to the process to generate boot media from scratch.
To update the MDT boot media, follow these steps:
1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard.
2. The Update Deployment Share Wizard displays a series of steps, as follows:
* **Options** Choose between the **Completely Regenerate the Boot Images** or **Optimize the Boot Image Updating Process** options. Completely regenerating the boot images will take more time, but produces boot media that is not fragmented and does not contain out of date components. Optimizing the boot image updating process will proceed more quickly, but may result in longer load times when booting via PXE. Click **Next**.
* **Summary** Review the specified options on this page before you click **Next** to begin the update of boot images.
* **Progress** While the boot images are being updated a progress bar is displayed on this page.
* **Confirmation** When the boot images have been updated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard.
To import the updated MDT boot media into WDS for PXE boot, follow these steps:
1. Open Windows Deployment Services from the Start menu or Start screen.
2. Expand **Servers** and your deployment server.
3. Click the **Boot Images** folder.
4. Right-click the existing MDT boot image, and then click **Replace Image** to open the Replace Boot Image Wizard.
5. Replace the previously imported MDT boot image with the updated version by using these steps in the Replace Boot Image Wizard:
* **Image File** Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, and then click **Open**. Click **Next**.
* **Available Images** Only one image should be listed and selected **LiteTouch Windows PE (x86)**, click **Next**.
* **Image Metadata** Enter a name and description for the MDT boot media, or click **Next** to accept the default options.
* **Summary** Review your selections for importing a boot image into WDS, and then click **Next**.
* **Task Progress** A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Replace Boot Image Wizard.
6. Right-click the **Boot Images** folder, and then click **Add Image** to open the Add Image Wizard.
7. Add the new 64-bit boot image for 64-bit UEFI device compatibility with the Add Image Wizard , as follows:
* **Image File** Click **Browse** and navigate to the **Boot** folder in your deployment share, select **LiteTouchPE_x64.wim**, and then click **Open**. Click **Next**.
* **Image Metadata** Enter a name and description for the MDT boot media, or click **Next** to accept the default options.
* **Summary** Review your selections to import a boot image into WDS, and then click **Next**.
* **Task Progress** A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard.
>**Note:**&nbsp;&nbsp;Although it is a best practice to replace and update the boot images in WDS whenever the MDT deployment share is updated, for deployment to Surface devices the 32-bit boot image, LiteTouchPE_x86.wim, is not required. Only the 64-bit boot image is required for 64-bit UEFI devices.
### Deploy Windows to Surface
With all of the automation provided by the deployment share rules and task sequence, performing the deployment on each Surface device becomes as easy as a single touch.
>**Note:**&nbsp;&nbsp;For the deployment to require only a single touch, the Surface devices must be connected to a keyboard, connected to the network with a Microsoft Surface USB Ethernet Adapter or Surface Dock, and configured with PXE boot as the first boot option, as shown in Figure 25.
![Set boot priority for PXE boot](images\surface-deploymdt-fig25.png "Set boot priority for PXE boot")
*Figure 25. Setting boot priority for PXE boot*
On a properly configured Surface device, simply turn on the device and press Enter when you are prompted to boot from the network. The fully automated MDT deployment process will then take over and perform the following tasks:
* The MDT boot media will be loaded to your Surface device via the network
* The MDT boot media will use the provided credentials and rules to connect to the MDT deployment share
* The task sequence and drivers will be automatically selected for your device via make and model information
* The task sequence will deploy your updated Windows 10 image to the device complete with the selected drivers
* The task sequence will join your device to the domain
* The task sequence will install the applications you specified, Microsoft Office and Surface app
* Windows Update will run, installing any new Windows Updates or updates for installed applications, like Microsoft Office
* The task sequence will complete silently and log out of the device
>**Note:**&nbsp;&nbsp;For Surface devices not configured to boot to the network as the first boot option, you can hold Volume Down and press Power to boot the system immediately to a USB or network device.
The resulting configuration is a Surface device that is logged out and ready for an end user to enter their credentials, log on, and get right to work. The applications and drivers they need are already installed and up to date.

BIN
devices/surface/images/surface-deploymdt-fig1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 137 KiB

BIN
devices/surface/images/surface-deploymdt-fig10.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

BIN
devices/surface/images/surface-deploymdt-fig11.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
devices/surface/images/surface-deploymdt-fig12.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 127 KiB

BIN
devices/surface/images/surface-deploymdt-fig13.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 69 KiB

BIN
devices/surface/images/surface-deploymdt-fig14.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
devices/surface/images/surface-deploymdt-fig15.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
devices/surface/images/surface-deploymdt-fig16.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
devices/surface/images/surface-deploymdt-fig17.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
devices/surface/images/surface-deploymdt-fig18.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
devices/surface/images/surface-deploymdt-fig19.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 285 KiB

BIN
devices/surface/images/surface-deploymdt-fig2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
devices/surface/images/surface-deploymdt-fig20.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
devices/surface/images/surface-deploymdt-fig21.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
devices/surface/images/surface-deploymdt-fig22.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

BIN
devices/surface/images/surface-deploymdt-fig23.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

BIN
devices/surface/images/surface-deploymdt-fig24.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
devices/surface/images/surface-deploymdt-fig25.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 104 KiB

BIN
devices/surface/images/surface-deploymdt-fig3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 139 KiB

BIN
devices/surface/images/surface-deploymdt-fig4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
devices/surface/images/surface-deploymdt-fig5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 155 KiB

BIN
devices/surface/images/surface-deploymdt-fig6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
devices/surface/images/surface-deploymdt-fig7.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
devices/surface/images/surface-deploymdt-fig8.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
devices/surface/images/surface-deploymdt-fig9.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
devices/surface/images/surface-upgrademdt-fig1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 69 KiB

BIN
devices/surface/images/surface-upgrademdt-fig2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 294 KiB

BIN
devices/surface/images/surface-upgrademdt-fig3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
devices/surface/images/surface-upgrademdt-fig4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

BIN
devices/surface/images/surface-upgrademdt-fig5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

27
devices/surface/index.md
View File

@ -47,42 +47,46 @@ For more information on planning for, deploying, and managing Surface devices in
<td><p>Find out how to add and download Surface app with Windows Store for Business, as well as install Surface app with PowerShell and MDT.</p></td>
</tr>
<tr class="even">
<td><p>[Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)</p></td>
<td><p>Walk through the recommended process of how to deploy Windows 10 to your Surface devices with the Microsoft Deployment Toolkit.</p></td>
</tr>
<tr class="odd">
<td><p>[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)</p></td>
<td><p>Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices](enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md)</p></td>
<td><p>Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)</p></td>
<td><p>Get guidance and answers to help you perform a network deployment to Surface devices.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)</p></td>
<td><p>Read about the different methods you can use to manage the process of Surface Dock firmware updates.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)</p></td>
<td><p>Explore the available options to manage firmware and driver updates for Surface devices.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Manage Surface UEFI settings](manage-surface-uefi-settings.md)<p></td>
<td><p>Use Surface UEFI settings to enable or disable devices, configure security settings, and adjust Surface device boot settings.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Surface Data Eraser](microsoft-surface-data-eraser.md)</p></td>
<td><p>Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)</p></td>
<td><p>See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>[Surface Diagnostic Toolkit](surface-diagnostic-toolkit.md)</p></td>
<td><p>Find out how you can use the Microsoft Surface Diagnostic Toolkit to test the hardware of your Surface device.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>[Surface Dock Updater](surface-dock-updater.md)</p></td>
<td><p>Get a detailed walkthrough of Microsoft Surface Dock Updater.</p></td>
</tr>
@ -91,6 +95,11 @@ For more information on planning for, deploying, and managing Surface devices in
<td><p>See how this feature of Surface devices with Surface UEFI allows you to secure and manage firmware settings within your organization.
</p></td>
</tr>
<tr class="even">
<td><p>[Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)</p></td>
<td><p>Find out how to perform a Windows 10 upgrade deployment to your Surface devices.</p></td>
</tr>
</tbody>
</table>

226
devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md Normal file
View File

@ -0,0 +1,226 @@
---
title: Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit (Surface)
description: Find out how to perform a Windows 10 upgrade deployment to your Surface devices.
keywords: windows 10 surface, upgrade, customize, mdt
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface
ms.sitesec: library
author: Scottmca
---
# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
#### Applies to
* Surface Pro 3
* Surface 3
* Surface Pro 2
* Surface Pro
* Windows 10
In addition to the traditional deployment method of reimaging devices, administrators that want to upgrade Surface devices that are running Windows 8.1 or Windows 10 have the option of deploying upgrades. By performing an upgrade deployment, Windows 10 can be applied to devices without removing users, apps, or configuration. The users of the deployed devices can simply continue using the devices with the same apps and settings that they used prior to the upgrade. The process described in this article shows how to perform a Windows 10 upgrade deployment to Surface devices.
If you are not already familiar with the deployment of Windows or the Microsoft deployment tools and technologies, you should read [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) and familiarize yourself with the traditional deployment method before you proceed.
#### The upgrade concept
When you use the factory installation media to install Windows on a device, you are presented with two options or *installation paths* to install Windows on that device. The first of these installation paths *clean installation* allows you to apply a factory image of Windows to that device, including all default settings. The second of these installation paths *upgrade* allows you to apply Windows to the device but retains the devices users, apps, and settings.
When you perform a Windows deployment using traditional deployment methods, you follow an installation path that is very similar to a clean installation. The primary difference between the clean installation and the traditional deployment method of *reimaging* is that with reimaging, you can apply an image that includes customizations. Microsoft deployment technologies, such as the Microsoft Deployment Toolkit (MDT), expand the capabilities of the reimaging process by modifying the image during deployment. For example, MDT is able to inject drivers for a specific hardware configuration during deployment, and with pre and post imaging scripts to perform a number of tasks, such as the installation of applications.
For versions of Windows prior to Windows 10, if you wanted to install a new version of Windows on your devices and preserve the configuration of those systems, you had to perform additional steps during your deployment. For example, if you wanted to keep the data of users on the device, you had to back up user data with the User State Migration Tool (USMT) prior to the deployment and restore that data after the deployment had completed.
Introduced with Windows 10 and MDT 2013 Update 1, you can use the upgrade installation path directly with Microsoft deployment technologies such as the Microsoft Deployment Toolkit (MDT). With an upgrade deployment you can use the same deployment technologies and process, but you can preserve users settings, and applications of the existing environment on the device.
## Deployment tools and resources
Performing an upgrade deployment of Windows 10 requires the same tools and resources that are required for a traditional reimaging deployment. You can read about the tools required, including detailed explanations and installation instructions, in [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md). To proceed with the upgrade deployment described in this article, you will need the following tools installed and configured:
* [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/en-us/windows/dn475741)
* [Windows Assessment and Deployment Kit (Windows ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit#windowsadk), which includes:
* Deployment Image Servicing and Management (DISM)
* Windows Preinstallation Environment (Windows PE)
* Windows System Image Manager (Windows SIM)
You will also need to have available the following resources:
* Windows 10 installation files, such as the installation media downloaded from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx)
>**Note:**&nbsp;&nbsp;Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT.
* [Surface firmware and drivers](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10
* Application installation files for any applications you want to install, such as the Surface app
## Prepare the upgrade deployment
Before you begin the process described in this section, you need to have installed and configured the deployment tools outlined in the previous [Deployment tools and resources](#deployment-tools-and-resources) section. For instructions on how to install and configure the deployment tools, see the **Install the deployment tools** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#install-the-deployment-tools) article. You will also have needed to create a deployment share with MDT, described in the section Create a Deployment Share in the aforementioned article.
### Import Windows 10 installation files
Windows 10 installation files only need to be imported if you have not already done so in the deployment share. To import Windows 10 installation files, follow the steps described in the **Import Windows installation files** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#import-windows-installation-files) article.
### Import Surface drivers
In the import process example shown in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, drivers for Surface Pro 4 were imported for Windows 10. To perform an upgrade deployment of Windows 10 to Surface Pro 3, drivers for Surface Pro 3 must also be imported. To import the Surface drivers for Surface Pro 3, follow these steps:
1. Download the Surface Pro 3 firmware and driver pack for Windows 10 archive file (.zip), SurfacePro3_Win10_xxxxxx.zip, from the [Surface Pro 3 download page](https://www.microsoft.com/en-US/download/details.aspx?id=38826) in the Microsoft Download Center.
2. Extract the contents of the Surface Pro 3 firmware and driver pack archive file to a temporary folder. Keep the driver files separate from other drivers or files.
3. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share.
4. If you have not already created a folder structure by operating system version, you should do so next. Under the **Windows 10 x64** folder, create a new folder for Surface Pro 3 drivers named **Surface Pro 3**. Your Out-of-Box Drivers folder should resemble the following structure:
* WinPE x86
* WinPE x64
* Windows 10 x64
* Microsoft Corporation
* Surface Pro 4
* Surface Pro 3
5. Right-click the **Surface Pro 3** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1.
![Import Surface Pro 3 drivers for Windows 10](images\surface-upgrademdt-fig1.png "Import Surface Pro 3 drivers for Windows 10")
*Figure 1. Import Surface Pro 3 drivers for Windows 10*
6. The Import Driver Wizard displays a series of steps, as follows:
- **Specify Directory** Click **Browse** and navigate to the folder where you extracted the Surface Pro 3 firmware and drivers in Step 1.
- **Summary** Review the specified configuration on this page before you click **Next** to begin the import process.
- **Progress** While the drivers are imported, a progress bar is displayed on this page.
- **Confirmation** When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Drivers Wizard.
7. Select the **Surface Pro 3** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 2.
![Drivers for Surface Pro 3 imported and organized in the MDT deployment share](images\surface-upgrademdt-fig2.png "Drivers for Surface Pro 3 imported and organized in the MDT deployment share")
*Figure 2. Drivers for Surface Pro 3 imported and organized in the MDT deployment share*
### Import applications
Installation of applications in an upgrade deployment is not always necessary because the applications from the previous environment will remain on the device. (For example, in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, the deployment includes Office 365 which is not required in an upgrade deployment where the user is already using Office 365 on the device.)
There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Windows Store for Business](https://technet.microsoft.com/en-us/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence.
### Create the upgrade task sequence
After you have all of the resources in place to perform the deployment (including the installation files, Surface drivers, and application files), the next step is to create the upgrade task sequence. This task sequence is a series of steps that will be performed on the device being upgraded that applies the new Windows environment, compatible drivers, and any applications you have specified.
Create the upgrade task sequence with the following process:
1. In the Deployment Workbench under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard.
2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard:
- **General Settings** Enter an identifier for the deployment task sequence in the Task Sequence ID field, a name for the deployment task sequence in the Task Sequence Name field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, and then click **Next**.
>**Note:**&nbsp;&nbsp;The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters.
- **Select Template** Select **Standard Client Upgrade Task Sequence** from the drop-down menu, and then click **Next**.
- **Select OS** Navigate to and select the Windows image that you imported, and then click **Next**.
- **Specify Product Key** Select the product key entry that fits your organizations licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**.
- **OS Settings** Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**.
- **Admin Password** Select **Use the Specified Local Administrator Password** and enter a password in the provided fields, and then click **Next**.
- **Summary** Review the specified configuration on this page before you click **Next** to begin creation of the task sequence.
- **Progress** While the task sequence is being created, a progress bar is displayed on this page.
- **Confirmation** When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete New Task Sequence Wizard.
After the task sequence is created, you can modify some additional settings to provide additional automation of the task sequence and require less interaction during deployment. Follow these steps to modify the task sequence:
1. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**.
2. Select the **Task Sequence** tab to view the steps that are included in the new task sequence.
3. Select the **Windows Update (Pre-Application Installation)** step, located under the **State Restore** folder.
4. Click the **Options** tab, and then clear the **Disable This Step** check box.
5. Repeat Step 3 and Step 4 for the **Windows Update (Post-Application Installation)** step.
6. Between the two Windows Update steps is an **Install Applications** step. Select that step and then click **Add**.
7. Hover the mouse over **General** under the **Add** menu, and then choose **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3.
![A new Install Application step in the deployment task sequence](images\surface-upgrademdt-fig3.png "A new Install Application step in the deployment task sequence")
*Figure 3. A new Install Application step in the deployment task sequence*
8. On the **Properties** tab of the new **Install Application** step, enter **Install Surface App** in the **Name** field.
9. Select **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share.
10. Select **Surface App** from the list of applications, and then click **OK**.
11. Expand the **Preinstall** folder and select the **Enable BitLocker (Offline)** step.
12. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu.
13. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 4) configure the following options:
- **Name** Set DriverGroup001
- **Task Sequence Variable** DriverGroup001
- **Value** Windows 10 x64\%Make%\%Model%
![Configure a new Set Task Sequence Variable step in the deployment task sequence](images\surface-upgrademdt-fig4.png "Configure a new Set Task Sequence Variable step in the deployment task sequence")
*Figure 4. Configure a new Set Task Sequence Variable step in the deployment task sequence*
14. Select the **Inject Drivers** step, the next step in the task sequence.
15. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 5) configure the following options:
* In the **Choose a selection profile** drop-down menu, select **Nothing**.
* Click the **Install all drivers from the selection profile** button.
![Configure the deployment task sequence to not install drivers](images\surface-upgrademdt-fig5.png "Configure the deployment task sequence to not install drivers")
*Figure 5. Configure the deployment task sequence to not install drivers*
16. Click **OK** to apply changes to the task sequence and close the task sequence properties window.
Steps 11 through 15 are very important to the deployment of Surface devices. These steps instruct the task sequence to install only drivers that are organized into the correct folder using the organization for drivers from the [Import Surface drivers](#import-surface-drivers) section.
### Deployment share rules
To automate the upgrade process, the rules of the MDT deployment share need to be modified to suppress prompts for information from the user. Unlike a traditional deployment, Bootstrap.ini does not need to be modified because the deployment process is not started from boot media. Similarly, boot media does not need to be imported into WDS because it will not be booted over the network with PXE.
To modify the deployment share rules and suppress the Windows Deployment Wizard prompts for information, copy and paste the following text into the text box on the **Rules** tab of your deployment share properties:
```
[Settings]
Priority=Model,Default
Properties=MyCustomProperty
[Surface Pro 4]
SkipTaskSequence=YES
TaskSequenceID=Win10SP4
[Surface Pro 3]
SkipTaskSequence=YES
TaskSequenceID=Win10SP3Up
[Default]
OSInstall=Y
SkipCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerBackup=YES
SkipBitLocker=YES
SkipBDDWelcome=YES
SkipUserData=YES
UserDataLocation=AUTO
SkipApplications=YES
SkipPackageDisplay=YES
SkipComputerName=YES
SkipDomainMembership=YES
JoinDomain=contoso.com
DomainAdmin=MDT
DomainAdminDomain=contoso
DomainAdminPassword=P@ssw0rd
SkipLocaleSelection=YES
KeyboardLocale=en-US
UserLocale=en-US
UILanguage=en-US
SkipTimeZone=YES
TimeZoneName=Pacific Standard Time
UserID=MDTUser
UserDomain=STNDeployServer
UserPassword=P@ssw0rd
SkipSummary=YES
SkipFinalSummary=YES
FinishAction=LOGOFF
```
For more information about the rules configured by this text, see the **Configure deployment share rules** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#configure-deployment-share-rules) article.
### Update deployment share
To update the deployment share, right-click the deployment share in the Deployment Workbench and click **Update Deployment Share**, then proceed through the Update Deployment Share Wizard. See the **Update and import updated MDT boot media** section of the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#update-and-import-updated-mdt-boot-media) article for detailed steps.
### Run the upgrade deployment
Unlike a traditional deployment, the upgrade task sequence must be launched from within the Windows environment that will be upgraded. This requires that a user on the device to be upgraded navigate to the deployment share over the network and launch a script, LiteTouch.vbs. This script is the same script that displays the Windows Deployment Wizard in Windows PE in a traditional deployment. In this scenario, Litetouch.vbs will run within Windows. To perform the upgrade task sequence and deploy the upgrade to Windows 10 follow these steps:
1. Browse to the network location of your deployment share in File Explorer.
2. Navigate to the **Scripts** folder, locate **LiteTouch.vbs**, and then double-click **LiteTouch.vbs** to start the Windows Deployment Wizard.
3. Enter your credentials when prompted.
4. The upgrade task sequence for Surface Pro 3 devices will automatically start when the model of the device is detected and determined to match the deployment share rules.
5. The upgrade process will occur automatically and without user interaction.
The task sequence will automatically install the drivers for Surface Pro 3 and the Surface app, and will perform any outstanding Windows Updates. When it completes, it will log out and be ready for the user to log on with the credentials they have always used for this device.

31
windows/deploy/windows-10-upgrade-paths.md
View File

@ -1,6 +1,6 @@
---
title: Windows 10 upgrade paths (Windows 10)
description: You can upgrade to Windows 10 from a previous version of Windows, providing the upgrade path is supported.
description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -31,7 +31,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td>Windows 10 Home</td>
<td>Windows 10 Pro</td>
<td>Windows 10 Pro for Education</td>
<td>Windows 10 Education</td>
<td>Windows 10 Enterprise</td>
<td>Windows 10 Mobile</td>
@ -45,7 +44,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -55,7 +53,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -65,7 +62,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -76,7 +72,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -86,7 +81,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -94,7 +88,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -108,7 +101,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -119,7 +111,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -129,7 +120,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -137,7 +127,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -148,7 +137,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -161,7 +149,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Windows Phone 8</td>
@ -171,7 +158,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="10" nowrap="nowrap">Windows 8.1</td>
@ -181,7 +167,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -191,7 +176,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -202,7 +186,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -212,7 +195,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -222,7 +204,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -230,7 +211,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -241,7 +221,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -254,7 +233,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Windows Phone 8.1</td>
@ -262,7 +240,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -274,7 +251,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -285,7 +261,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -293,7 +268,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td>Education</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>D</td>
<td></td>
@ -303,7 +277,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -315,7 +288,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -325,7 +297,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td>D</td>
<td></td>
</tr>

7
windows/keep-secure/TOC.md
View File

@ -690,9 +690,12 @@
#### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
#### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
##### [Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
#### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
#### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)

47
windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md
View File

@ -1,47 +0,0 @@
---
title: Additional Windows Defender ATP configuration settings
description: Use the Group Policy Console to configure settings that enable sample sharing from your endpoints. These settings are used in the deep analysis feature.
keywords: configuration settings, Windows Defender ATP configuration settings, Windows Defender Advanced Threat Protection configuration settings, group policy Management Editor, computer configuration, policies, administrative templates,
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: security
ms.sitesec: library
author: mjcaparas
---
# Additional Windows Defender ATP configuration settings
**Applies to**
- Windows 10 Insider Preview Build 14332 or later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
## Configure sample collection settings with Group Policy
1. On your GP management machine, copy the following files from the
configuration package:
a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
3. In the **Group Policy Management Editor**, go to **Computer configuration**.
4. Click **Policies**, then **Administrative templates**.
5. Click **Windows components** and then **Windows Advanced Threat Protection**.
6. Choose to enable or disable sample sharing from your endpoints.
## Related topics
<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

2
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -17,8 +17,8 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|New or changed topic | Description |
|----------------------|-------------|
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New |
|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New |
|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New |
|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New |
|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (multiple topics) | Updated |
|[Device Guard deployment guide](device-guard-deployment-guide.md) (multiple topics) | Updated |

111
windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,111 @@
---
title: Configure Windows Defender ATP endpoints using Group Policy
description: Use Group Policy to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using group policy, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, group policy
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure endpoints using Group Policy
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
> **Note**&nbsp;&nbsp;To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
### Onboard endpoints
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
9. Click **OK** and close any open GPMC windows.
## Additional Windows Defender ATP configuration settings
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
### Configure sample collection settings
1. On your GP management machine, copy the following files from the
configuration package:
a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
3. In the **Group Policy Management Editor**, go to **Computer configuration**.
4. Click **Policies**, then **Administrative templates**.
5. Click **Windows components** and then **Windows Advanced Threat Protection**.
6. Choose to enable or disable sample sharing from your endpoints.
### Offboard endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click Edit.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.
9. Click **OK** and close any open GPMC windows.
## Monitor endpoint configuration
With Group Policy there isnt an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor endpoints using the portal
1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
2. Click **Machines view**.
3. Verify that endpoints are appearing.
> **Note**&nbsp;&nbsp;It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
## Related topics
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

92
windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,92 @@
---
title: Configure Windows Defender ATP endpoints using Mobile Device Management tools
description: Use Mobile Device Management tools to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using mdm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, mdm
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure endpoints using Mobile Device Management tools
**Applies to:**
- Windows 10 Insider Preview Build 14379 or later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
## Configure endpoints using Microsoft Intune
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
### Onboard and monitor endpoints
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
- Onboarding
- Health Status for onboarded machines
- Configuration for onboarded machines
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding
Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
> **Note**&nbsp;&nbsp;Policies **Health Status for onboarded machines** use read-only properties and can't be remediated.
### Offboard and monitor endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to:
- Offboarding
- Health Status for offboarded machines
- Configuration for offboarded machines
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
> **Note**&nbsp;&nbsp;Policies **Health Status for offboarded machines** use read-only properties and can't be remediated.
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

94
windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,94 @@
---
title: Configure Windows Defender ATP endpoints using System Center Configuration Manager
description: Use System Center Configuration Manager to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using sccm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure endpoints using System Center Configuration Manager
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
<span id="sccm1606"/>
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section.
> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
<span id="sccm1602"/>
## Configure endpoints using System Center Configuration Manager (current branch) version 1602 or earlier versions
You can use System Center Configuration Managers existing functionality to create a policy to configure your endpoints. This is supported in System Center Configuration Manager (current branch), version 1602 or earlier, including: System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager.
### Onboard endpoints
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
### Offboard endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
### Monitor endpoint configuration
Monitoring with SCCM consists of two parts:
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.
2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service).
**To confirm the configuration package has been correctly deployed:**
1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.
2. Click **Overview** and then **Deployments**.
3. Click on the deployment with the package name.
4. Review the status indicators under **Completion Statistics** and **Content Status**.
If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information.
![SCCM showing successful deployment with no errors](images/sccm-deployment.png)
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

69
windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,69 @@
---
title: Configure Windows Defender ATP endpoints using a local script
description: Use a local script to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using a local script, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure endpoints using a local script
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Local Script**, click **Download package** and save the .zip file.
2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
3. Open an elevated command-line prompt on the endpoint and run the script:
a. Click **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd*
5. Press the **Enter** key or click **OK**.
See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
## Offboard endpoints using a local script
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open an elevated command-line prompt on the endpoint and run the script:
a. Click **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*
5. Press the **Enter** key or click **OK**.
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

144
windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
View File

@ -24,140 +24,14 @@ Endpoints in your organization must be configured so that the Windows Defender A
Windows Defender ATP supports the following deployment tools and methods:
- Group Policy
- System Center Configuration Manager (current branch) version 1606
- System Center 2012 Configuration manager or later versions
- Mobile Device Management
- Microsoft Intune
- System Center Configuration Manager
- Mobile Device Management (including Microsoft Intune)
- Local script
## Configure endpoints with Group Policy
> **Note**&nbsp;&nbsp;To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later.
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
9. Click **OK** and close any open GPMC windows.
For additional settings, see the [Additional configuration settings section](additional-configuration-windows-defender-advanced-threat-protection.md).
## Configure endpoints with System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section.
> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
## Configure endpoints with System Center 2012 Configuration Manager or later versions
You can use System Center Configuration Managers existing functionality to create a policy to configure your endpoints. This is supported in System Center 2012 Configuration Manager or later versions, including: System Center 2012 R2 Configuration Manager, System Center Configuration Manager and System Center Configuration Manager (current branch), version 1602 or earlier.
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
## Configure endpoints with Mobile Device Management tools
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
## Configure endpoints with Microsoft Intune
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Microsoft Intune**, click **Download package** and save the .zip file.
2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
These policies are categorized into two groups:
- Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
- Onboarding
- Health Status for onboarded machines
- Configuration for onboarded machines
- Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to:
- Offboarding
- Health Status for offboarded machines
- Configuration for offboarded machines
> **Warning**&nbsp;&nbsp;These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions.
Policy | OMA-URI | Type | Description | Value
:---|:---|:---|:---|:---
Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Onboarding | Copy content from onboarding MDM file
Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is running | TRUE
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Onboarded to Windows Defender ATP | 1
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Onboarded to Organization ID | Use OrgID from onboarding file
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | Windows Defender ATP Sample sharing is enabled | 0 or 1 <br> Default value: 1
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Offboarding | Copy content from offboarding MDM file
Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is not running | FALSE
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Offboarded from Windows Defender ATP | 0
> **Note**&nbsp;&nbsp;Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated.
## Configure endpoints individually with a local script
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Local Script**, click **Download package** and save the .zip file.
2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
3. Open an elevated command-line prompt on the endpoint and run the script:
a. Click **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`*
5. Press the **Enter** key or click **OK**.
See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
## Related topics
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
## In this section
Topic | Description
:---|:---
[Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on endpoints.
[Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints.
[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Managment tools or Microsoft Intune to deploy the configuration package on endpoints.
[Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints.

3
windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
View File

@ -179,8 +179,5 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
If the any of the verification steps indicate a fail, then verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
## Related topics
<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

20
windows/keep-secure/create-edp-policy-using-sccm.md
View File

@ -15,14 +15,14 @@ author: eross-msft
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
- System Center Configuration Manager Technical Preview version 1605 or later
- System Center Configuration Manager (version 1605 Tech Preview or later)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection mode, and how to find enterprise data on the network.
System Center Configuration Manager (version 1605 Tech Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection mode, and how to find enterprise data on the network.
>**Important**<br>
If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, youll need to recreate it using Configuration Manager Technical Preview version 1605 or later. Editing an EDP policy created in version 1511 or 1602 is not supported in the Technical Preview version 1605 or later. There is no migration path between EDP policies across these versions.
If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, youll need to recreate it using version 1605 Tech Preview or later. Editing an EDP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between EDP policies across these versions.
## Add an EDP policy
After youve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy.
@ -64,14 +64,14 @@ During the policy-creation process in System Center Configuration Manager, you c
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file.
>**Important**<br>
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. <p>Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App Rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. <p>Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
#### Add a store app rule to your policy
For this example, were going to add Microsoft OneNote, a store app, to the **App Rules** list.
**To add a store app**
1. From the **App Rules** area, click **Add**.
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
@ -153,7 +153,7 @@ If you don't know the publisher or product name, you can find them for both desk
For this example, were going to add Internet Explorer, a desktop app, to the **App Rules** list.
**To add a desktop app to your policy**
1. From the **App Rules** area, click **Add**.
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
@ -293,7 +293,7 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
12. After youve created your XML file, you need to import it by using System Center Configuration Manager.
**To import your Applocker policy file app rule using 1System Center Configuration Manager**
1. From the **App Rules** area, click **Add**.
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
@ -318,7 +318,7 @@ If you're running into compatibility issues where your app is incompatible with
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
1. From the **App Rules** area, click **Add**.
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
@ -409,12 +409,12 @@ There are no default locations included with EDP, you must add each of your netw
<td>Specify the proxy servers your devices will go through to reach your cloud resources.<p>Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<p>This list shouldnt include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv4 Range (Required, if not using IPv6)</td>
<td>Enterprise IPv4 Range (Required)</td>
<td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
<td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv6 Range (Required, if not using IPv4)</td>
<td>Enterprise IPv6 Range</td>
<td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>

3
windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
View File

@ -242,9 +242,6 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
## Related topics
<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

6
windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
View File

@ -27,11 +27,11 @@ The following table lists security threats and describes the corresponding Devic
| Security threat in the enterprise | How a Device Guard feature helps protect against the threat |
| --------------------------------- | ----------------------------------------------------------- |
| **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:&nbsp;&nbsp;You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.<br><br>**Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. |
| **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:&nbsp;&nbsp;You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.<br>Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.<br><br>**Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. |
| **Exposure to unsigned code** (most malware is unsigned) | **Code integrity policies, plus catalog files as needed**:&nbsp;&nbsp;Because most malware is unsigned, using a code integrity policy (which in most cases requires signed code) can immediately help protect against a large number of threats. However, many organizations use unsigned line-of-business (LOB) applications, for which the process of signing might be difficult. This has changed in Windows 10, because you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.<br><br>**Specialized hardware required?** No security-related hardware features are required for creating and using code integrity policies and catalogs. However, code integrity policies and catalogs are strengthened by the hardware features, as described in later rows of this table. |
| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:&nbsp;&nbsp;This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). |
| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:&nbsp;&nbsp;This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.<br>With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.<br><br>**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). |
| **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**:&nbsp;&nbsp;With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.<br><br>**Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. |
| **Exposure to boot kits** or to other forms of malware that runs early in the boot process, or in kernel after startup | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:&nbsp;&nbsp; Secure Boot and related methods protect the boot process and firmware from tampering.<br><br>**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). |
| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:&nbsp;&nbsp; Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Device Guard security.<br><br>**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). |
In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](credential-guard.md) and [AppLocker](applocker-overview.md).

2
windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
View File

@ -121,7 +121,7 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
Value = 0 - block sample collection
Value = 1 - allow sample collection
```
5. Change the organizational unit through the Group Policy. See [Configure with Group Policy](additional-configuration-windows-defender-advanced-threat-protection.md#configure-with-group-policy).
5. Change the organizational unit through the Group Policy. See [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
> **Note**&nbsp;&nbsp;If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.

66
windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -1,66 +0,0 @@
---
title: Monitor Windows Defender ATP onboarding
description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Monitor Windows Defender Advanced Threat Protection onboarding
**Applies to:**
- Windows 10 Insider Preview Build 14322 or later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
You might need to monitor the onboarding if the package did not configure the registry correctly, or the reporting client did not start or execute correctly.
Monitoring can be done directly on the portal, or by using System Center Configuration Manager (SCCM).
## Monitor with the portal
1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
2. Click **Machines view**.
3. Verify that endpoints are appearing.
> **Note**&nbsp;&nbsp;It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
## Monitor with System Center Configuration Manager
Monitoring with SCCM consists of two parts:
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.
2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service).
**To confirm the configuration package has been correctly deployed:**
1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.
2. Click **Overview** and then **Deployments**.
3. Click on the deployment with the package name.
4. Review the status indicators under **Completion Statistics** and **Content Status**.
If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information.
![SCCM showing successful deployment with no errors](images/sccm-deployment.png)
## Related topics
<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

12
windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
View File

@ -21,21 +21,9 @@ author: iaanw
You need to onboard to Windows Defender ATP before you can use the service.
<!--There are two stages to onboarding:
1. Set up user access in AAD and use a wizard to create a dedicated
cloud instance for your network (known as “service onboarding”).
2. Add endpoints to the service with System Center Configuration Manager, scheduled GP updates, or manual
registry changes.-->
<!--[Service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md) | Learn about managing user access to the Windows Defender ATP portal by assigning users to the Windows Defender ATP service application in Azure Active Directory (AAD).-->
## In this section
Topic | Description
:---|:---
[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise.
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Additional configuration settings] (additional-configuration-windows-defender-advanced-threat-protection.md) | Learn how to configure settings for sample sharing used in the deep analysis feature.
[Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) | Learn how you can monitor the onboarding to ensure your endpoints are correctly configured and are sending telemetry reports.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.

16
windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
View File

@ -17,7 +17,7 @@ This article describes the following:
- [Hardware, firmware, and software requirements for Device Guard](#hardware-firmware-and-software-requirements-for-device-guard)
- [Device Guard requirements for baseline protections](#device-guard-requirements-for-baseline-protections)
- [Device Guard requirements for additional protections](#device-guard-requirements-for-additional-protections)
- [Device Guard requirements for improved security](#device-guard-requirements-for-improved-security)
- [Device Guard deployment in different scenarios: types of devices](#device-guard-deployment-in-different-scenarios-types-of-devices)
- [Reviewing your applications: application signing and catalog files](#reviewing-your-applications-application-signing-and-catalog-files)
- [Code integrity policy formats and signing](#code-integrity-policy-formats-and-signing)
@ -34,9 +34,11 @@ You can deploy Device Guard in phases, and plan these phases in relation to the
The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features.
<!-- POTENTIAL FUTURE ADDITION--PUT RIGHT AFTER PREVIOUS SENTENCE: The tables describe baseline protections, plus additional protections associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. -->
<!-- POTENTIAL FUTURE ADDITION--PUT RIGHT AFTER PREVIOUS SENTENCE: The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. -->
> **Note**&nbsp;&nbsp;For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
> **Notes**
> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
> - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
## Device Guard requirements for baseline protections
@ -51,15 +53,15 @@ The following tables provide more information about the hardware, firmware, and
<!-- When additional tables are added, change "The following table lists" to "The following tables list" in the Important just below. -->
> **Important**&nbsp;&nbsp;The preceding table lists requirements for baseline protections. The following table lists requirements for additional protections. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support additional protections.
> **Important**&nbsp;&nbsp;The preceding table lists requirements for baseline protections. The following table lists requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
## Device Guard requirements for additional protections
## Device Guard requirements for improved security
The following tables describes additional hardware and firmware requirements, and the additional protections that are available when those requirements are met. We strongly recommend the following additional protections, which help you maximize the benefits that Device Guard can provide.
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
### 2015 Additional Qualification Requirements for Device Guard (Windows 10, version 1507 and Windows 10, version 1511)
|Additional Protections - requirement | Description |
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- BIOS password or stronger authentication must be supported.<br>- In the BIOS configuration, BIOS authentication must be set.<br>- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.<br><br>**Security benefits**:<br>- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.<br>- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |

121
windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -1,121 +0,0 @@
---
title: Windows Defender ATP service onboarding
description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal.
keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding, manage users,
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Windows Defender ATP service onboarding
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Azure Active Directory
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You have to assign users to the Windows Defender ATP Service application in Azure Active Directory (AAD) before they can access the portal.
**Manage user access to the Windows Defender ATP portal**:
1. When you first go to the [Windows Defender ATP portal](https://securitycenter.windows.com/) and your directory does not
have users assigned to the Windows ATP Service application, you will
be directed to open the [Microsoft Azure Dashboard](https://portal.azure.com) to manage user access.
> **Note**&nbsp;&nbsp;In AAD, a directory is essentially a tenant. See the [Azure AD documentation](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx) for more information on how tenants work with AAD.
2. Ensure you have logged in to Microsoft Azure with an account that
has permissions to assign users to an application in AAD. You might
need to sign out of Microsoft Azure and then sign back in again if
you used a different account to sign in to the Windows Defender ATP
portal:
a. On the top menu, click the signed-in users name.
b. Click **Sign out**.
![Azure sign out](images/azure-signout.png)
c. Go the [Microsoft Azure Dashboard](https://portal.azure.com) again where you will be asked to sign in.
d. Sign in with the correct user name and password for an account that has permissions to assign users in AAD.
3. On the **Microsoft Azure Dashboard**, click **Browse** in the navigation pane and then click **Active Directory** to open the [Azure Management Portal](https://manage.windowsazure.com/).
![Azure Active Directory menu](images/azure-browse.png)
4. You might need to open the **Directory** section of the [Azure Management Portal](https://manage.windowsazure.com/) so you can access your directory. There are two ways you can do this:
a. Click the arrow icon above the list of directories to see the full list of directories in the main area of the portal.
![Azure organization menu](images/azure-org-directory.png)
b. Scroll down in the navigation pane and click **Active Directory**.
![Azure active directory](images/azure-active-directory.png)
5. Click the directory that contains the Windows Defender ATP application. In the following example, the directory is
called **Contoso**.
![Azure active directory list](images/azure-active-directory-list.png)
> **Note**&nbsp;&nbsp;You can also access your directory by going straight to the [Azure Management Portal](https://manage.windowsazure.com/), clicking Active Directory and then finding your directory in the list.
6. Click **Applications** from the top menu bar.
![Example organization in Azure Active Directory](images/contoso.png)
7. Click the **Windows ATP Service** application. The dashboard for the application is shown.
![Example selected organization in Azure Active Directory](images/contoso-application.png)
> **Note**&nbsp;&nbsp;The application might have a slightly different name than the one shown here. It might be called **Windows Defender ATP Service**.
8. Click **Users** from the top menu bar. A list of users that are in the directory is displayed.
![Example windows atp service users](images/windows-atp-service.png)
![Example user assignment to the windows atp service](images/assign-users.png)
> **Note**&nbsp;&nbsp;If you do not normally work with AAD, you might not see any users in the directory, or we might have created a test tenant specifically for a single users account. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section for instructions on adding users to a directory.
9. Select the user you want manage.
10. Click **Assign**.
11. Confirm that you want to enable access for the user from the notification bar. If you click **Yes**, the user is given access to the Windows Defender ATP portal. One or more progress bars will appear that indicates the user is being assigned a role, and you will see confirmation messages. You dont need to do anything with the messages, they will go away after a short period of time.
![Confirmation page to enable access to users](images/confirm-user-access.png)
12. To remove the user's access, click **Remove**.
13. Select the **Disable access to this app for the selected users** checkbox, and then click **Complete** ![Complete icon](images/check-icon.png). One or more progress bars will appear, followed by confirmation messages. The messages will disappear after a short period.
![Remove menu](images/remove-menu.png)
14. To remove the access for all users, click **Manage access**. If you click **Complete** ![Complete icon](images/check-icon.png), you will not see the Windows ATP Service in the list of applications in your directory.
> **Note**&nbsp;&nbsp;If you want to give access to users again, see the Manage access for all users in Azure Active Directory topic in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
15. You can continue assigning roles for other users in your organization now, or you can return to the Windows Defender ATP portal to complete the service onboarding wizard.
> **Note**&nbsp;&nbsp;You need to assign roles for every user in your organization that requires access to the Windows Defender ATP portal. You can assign roles at any time by going to the Azure Management Portal, clicking **Active Directory**, and then finding your directory in the list and following the steps above.
When you have finished assigning roles, return to the [Windows Defender ATP portal](https://securitycenter.windows.com) and refresh the
page.
Follow the steps in the onboarding wizard to complete the onboarding process.
At the end of the wizard, you can download the Group Policy configuration package which you will use to configure endpoints on your network. You can also download the package from the **Endpoint Management** menu on the portal after you have completed the onboarding wizard.
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

4
windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -436,8 +436,6 @@ Log in to the application in the Azure Management Portal again:
-->
## Related topics
<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)

194
windows/manage/configure-windows-telemetry-in-your-organization.md
View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
@ -17,34 +18,118 @@ author: brianlic-msft
- Windows 10 Mobile
- Windows Server 2016 Technical Preview
Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services.
At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating systems development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how.
>**Note:**  This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server.
To frame a discussion about telemetry, it is important to understand Microsofts privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows telemetry system in the following ways:
It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers.
- **Control.** We offer customers control of the telemetry they share with us by providing easy-to-use management tools.
- **Transparency.** We provide information about the telemetry that Windows and Windows Server collects so our customers can make informed decisions.
- **Security.** We encrypt telemetry in transit from your device and protect that data at our secure data centers.
- **Strong legal protections.** We respect customers local privacy laws and fight for legal protection of their privacy as a fundamental human right.
- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows telemetry system. Customer content inadvertently collected is kept confidential and not used for user targeting.
- **Benefits to you.** We collect Windows telemetry to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all of our customers.
We understand that the privacy and security of our customers information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016.
This article applies to Windows and Windows Server telemetry only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, telemetry controls, and so on. This article describes the types of telemetry we may gather, the ways you might manage it in your organization, and some examples of how telemetry can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
Use this article to make informed decisions about how you might configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
## Overview
In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using Settings &gt; Privacy, Group Policy, or MDM.
Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers.
Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers.
In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM.
For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
## Understanding Windows telemetry
Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
The release cadence of Windows may be fast, so feedback is critical to its success. We rely on telemetry at each stage of the process to inform our decisions and prioritize our efforts.
### What is Windows telemetry?
Windows telemetry is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
- Keep Windows up to date
- Keep Windows secure, reliable, and performant
- Improve Windows through the aggregate analysis of the use of Windows
- Personalize Windows engagement surfaces
Here are some specific examples of Windows telemetry data:
- Type of hardware being used
- Applications installed and usage details
- Reliability information on device drivers
### What is NOT telemetry?
Telemetry can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not telemetry. For example, exchanging a users location for local weather or news is not an example of telemetry—it is functional data that the app or service requires to satisfy the users request.
There are subtle differences between telemetry and functional data. Windows collects and sends telemetry in the background automatically. You can control how much information is gathered by setting the telemetry level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
If youre an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
The following are specific examples of functional data:
- Current location for weather
- Bing searches
- Wallpaper and desktop settings synced across multiple devices
### Telemetry gives users a voice
Windows and Windows Server telemetry gives every user a voice in the operating systems development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
### Drive higher app and driver quality
Our ability to collect telemetry that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Telemetry helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
A real-world example of how Windows telemetry helps us quickly identify and fix issues is a particular version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
### Improve end-user productivity
Windows telemetry also helps Microsoft better understand how customers use (or do not use) the operating systems features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers experiences. Examples are:
- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect peoples expectations when they turn on their device for the first time.
- **Cortana.** We use telemetry to monitor the scalability of our cloud service, improving search performance.
- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later telemetry showed significantly higher usage of this feature.
**These examples show how the use of telemetry data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
<!--
### Insights into your own organization
Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called Windows 10 Upgrade Analytics, will be available in Summer 2016.
#### Windows 10 Upgrade Analytics
Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
To better help customers through this difficult process, Microsoft developed Upgrade Analytics to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Analytics to get:
- A visual workflow that guides you from pilot to production
- Detailed computer, driver, and application inventory
- Powerful computer level search and drill-downs
- Guidance and insights into application and driver compatibility issues with suggested fixes
- Data driven application rationalization tools
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools
The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-->
## How is telemetry data handled by Microsoft?
### Data collection
Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings.
4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft and uses certificate pinning.
4. The Connected User Experience and Telemetry component transmits the telemetry data.
Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
@ -56,21 +141,21 @@ All telemetry data is encrypted using SSL and uses certificate pinning during tr
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
The Connected User Experience and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com.
The following table defines the endpoints for telemetry services:
The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information.
[Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) connects to watson.telemetry.microsoft.com.
[Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) connects to oca.telemetry.microsoft.com.
| Service | Endpoint |
| - | - |
| Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com<br />settings-win.data.microsoft.com |
| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
### Data use and access
Data gathered from telemetry is used by Microsoft teams primarily to improve our customer experiences, and for security, health, quality, and performance analysis. The principle of least privileged guides access to telemetry data. Only Microsoft personnel with a valid business need are permitted access to the telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the Privacy Statement. We do share business reports with OEMs and third party partners that include aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
The principle of least privileged access guides access to telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). Microsoft may share business reports with OEMs and third party partners that include aggregated and anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as its needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Store purchase history.
Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as its needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Windows Store purchase history.
## Telemetry levels
@ -81,19 +166,19 @@ The telemetry data is categorized into four levels:
- **Security**. Information thats required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
- **Basic**. Basic device info, including: quality-related data, app compat, app usage data, and data from the **Security** level.
- **Basic**. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the **Security** level.
- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
The levels are cumulative and are illustrated in the following diagram. These levels apply to all editions of Windows Server 2016 Technical Preview.
The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016 Technical Preview.
![breakdown of telemetry levels and types of administrative controls](images/priv-telemetry-levels.png)
### Security level
The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions.
The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions.
> **Note:**  If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
@ -103,7 +188,7 @@ Windows Server Update Services (WSUS) and System Center Configuration Manager fu
The data gathered at this level includes:
- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsofts servers. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Connected User Experience and Telemetry component settings**. If general telemetry data has been gathered and is queued, it is sent to Microsoft. Along with this telemetry, the Connected User Experience and Telemetry component may download a configuration settings file from Microsofts servers. This file is used to configure the Connected User Experience and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
@ -126,11 +211,11 @@ No user content, such as user files or communications, is gathered at the **Secu
### Basic level
The Basic level gathers a limited set of data thats critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
The Basic level gathers a limited set of data thats critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
The data gathered at this level includes:
- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview instances in the ecosystem, including:
- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview in the ecosystem. Examples include:
- Device attributes, such as camera resolution and display type
@ -156,7 +241,7 @@ The data gathered at this level includes:
- **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
- **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started
- **App usage data**. Includes how an app is used, including how long an app is used, when the app has focus, and when the app is started
- **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
@ -166,13 +251,13 @@ The data gathered at this level includes:
- **Driver data**. Includes specific driver usage thats meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
- **Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
- **Windows Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
### Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
The data gathered at this level includes:
@ -202,6 +287,15 @@ However, before more data is gathered, Microsofts privacy governance team, in
- All crash dump types, including heap dumps and full dumps.
## Enterprise management
Sharing telemetry data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the telemetry level and managing specific components is the best option.
Customers can set the telemetry level in both the user interface and with existing management tools. Users can change the telemetry level in the **Diagnostic and usage data** setting. In the Settings app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available.
IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a telemetry level. If youre using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security telemetry level is available when managing the policy. Setting the telemetry level through policy overrides users choices. The remainder of this section describes how to do that.
### Manage your telemetry settings
We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
@ -210,7 +304,7 @@ We do not recommend that you turn off telemetry in your organization as valuable
You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced.**
The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced**.
### Configure the operating system telemetry level
@ -218,14 +312,13 @@ You can configure your operating system telemetry settings using the management
Use the appropriate value in the table below when you configure the management policy.
| Value | Level | Data gathered |
|-------|----------|---------------------------------------------------------------------------------------------------------------------------|
| **0** | Security | Security data only. |
| **1** | Basic | Security data, and basic system and quality data. |
| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. |
| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. |
| Level | Data gathered | Value |
| - | - | - |
| Security | Security data only. | **0** |
| Basic | Security data, and basic system and quality data. | **1** |
| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** |
| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
 
### Use Group Policy to set the telemetry level
@ -277,19 +370,32 @@ There are a few more settings that you can turn off that may send telemetry info
>**Note:**  Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
 
## Additional resources
## Examples of how Microsoft uses the telemetry data
FAQs
- [Cortana, Search, and privacy](http://windows.microsoft.com/en-us/windows-10/cortana-privacy-faq)
- [Windows 10 feedback, diagnostics, and privacy](http://windows.microsoft.com/en-us/windows-10/feedback-diagnostics-privacy-faq)
- [Windows 10 camera and privacy](http://windows.microsoft.com/en-us/windows-10/camera-privacy-faq)
- [Windows 10 location service and privacy](http://windows.microsoft.com/en-us/windows-10/location-service-privacy)
- [Microsoft Edge and privacy](http://windows.microsoft.com/en-us/windows-10/edge-privacy-faq)
- [Windows 10 speech, inking, typing, and privacy](http://windows.microsoft.com/en-us/windows-10/speech-inking-typing-privacy-faq)
- [Windows Hello and privacy](http://windows.microsoft.com/en-us/windows-10/windows-hello-privacy-faq)
- [Wi-Fi Sense](http://windows.microsoft.com/en-us/windows-10/wi-fi-sense-faq)
- [Windows Update Delivery Optimization](http://windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq)
### Drive higher application and driver quality in the ecosystem
Blogs
Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsofts ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications.
- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
### Reduce your total cost of ownership and downtime
Privacy Statement
Telemetry provides a view of which features and services customers use most. For example, the telemetry data provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates.
- [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement)
### Build features that address our customers needs
TechNet
Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers experiences and workloads. Some examples include customer usage of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft.
- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
Web Pages
- [Privacy at Microsoft](http://privacy.microsoft.com)

1
windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -6,6 +6,7 @@ keywords: privacy, manage connections to Microsoft
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
LocalizationPriority: High
author: brianlic-msft
---

2
windows/plan/best-practice-recommendations-for-windows-to-go.md
View File

@ -5,7 +5,7 @@ ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86
keywords: best practices, USB, device, boot
ms.prod: w10
ms.mktglfcycl: plan
pagetype: mobility
ms.pagetype: mobility
ms.sitesec: library
author: mtniehaus
---