deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 06:47:21 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 3720: 10/11 PM Publish

Browse Source
This commit is contained in:
Alma Jenks 2017-10-11 22:30:19 +00:00
commit 2b408ce43a
7 changed files with 573 additions and 571 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

852
windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
View File

File diff suppressed because it is too large Load Diff

2
windows/deployment/upgrade/upgrade-readiness-deployment-script.md
View File

@ -73,7 +73,7 @@ The deployment script displays the following exit codes to let you know if it wa
<div font-size='7pt;'>
<table border='1' cellspacing='0' cellpadding='0'>
<tr>
<td BGCOLOR="#a0e4fa" width=5>Exit code and meaning</td>
<td BGCOLOR="#a0e4fa" width="5">Exit code and meaning</td>
<td BGCOLOR="#a0e4fa">Suggested fix</td>
</tr>
<tr><td>0 - Success</td>

22
windows/deployment/windows-10-poc-mdt.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt
ms.localizationpriority: high
ms.date: 08/23/2017
ms.date: 10/10/2017
author: greg-lindsay
---
@ -37,18 +37,20 @@ This guide provides instructions to install and configure the Microsoft Deployme
Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
<br>
<div style='font-size:9.0pt'>
<TABLE border=1 cellspacing=0 cellpadding=0>
<TR><TD BGCOLOR="#a0e4fa"><B>Topic</B><TD BGCOLOR="#a0e4fa"><B>Description</B><TD BGCOLOR="#a0e4fa"><B>Time</B>
<table border="1" cellspacing="0" cellpadding="0">
<tr><td BGCOLOR="#a0e4fa"><B>Topic</B><td BGCOLOR="#a0e4fa"><B>Description</B><td BGCOLOR="#a0e4fa"><B>Time</B>
<TR><TD>[About MDT](#about-mdt)<TD>A high-level overview of the Microsoft Deployment Toolkit (MDT).<TD>Informational
<TR><TD>[Install MDT](#install-mdt)<TD>Download and install MDT.<TD>40 minutes
<TR><TD>[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)<TD>A reference image is created to serve as the template for deploying new images.<TD>90 minutes
<TR><TD>[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)<TD>The reference image is deployed in the PoC environment.<TD>60 minutes
<TR><TD>[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)<TD>Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.<TD>60 minutes
<TR><TD>[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)<TD>Back up an existing client computer, then restore this backup to a new computer.<TD>60 minutes
<TR><TD>[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)<TD>Log locations and troubleshooting hints.<TD>Informational
<tr><td>[About MDT](#about-mdt)<td>A high-level overview of the Microsoft Deployment Toolkit (MDT).<td>Informational
<tr><td>[Install MDT](#install-mdt)<td>Download and install MDT.<td>40 minutes
<tr><td>[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)<td>A reference image is created to serve as the template for deploying new images.<td>90 minutes
<tr><td>[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)<td>The reference image is deployed in the PoC environment.<td>60 minutes
<tr><td>[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)<td>Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.<td>60 minutes
<tr><td>[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)<td>Back up an existing client computer, then restore this backup to a new computer.<td>60 minutes
<tr><td>[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)<td>Log locations and troubleshooting hints.<td>Informational
</TABLE>
</div>

174
windows/deployment/windows-10-poc-sc-config-mgr.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, sccm
ms.localizationpriority: high
ms.date: 08/23/2017
ms.date: 10/10/2017
author: greg-lindsay
---
@ -37,23 +37,25 @@ This guide provides end-to-end instructions to install and configure System Cent
Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
<br>
<div style='font-size:9.0pt'>
<TABLE border=1 cellspacing=0 cellpadding=0>
<TR><TD BGCOLOR="#a0e4fa"><B>Topic</B><TD BGCOLOR="#a0e4fa"><B>Description</B><TD BGCOLOR="#a0e4fa"><B>Time</B>
<table border="1" cellspacing="0" cellpadding="0">
<tr><td BGCOLOR="#a0e4fa"><b>Topic</b><td BGCOLOR="#a0e4fa"><b>Description</b><td BGCOLOR="#a0e4fa"><b>Time</b>
<TR><TD>[Install prerequisites](#install-prerequisites)<TD>Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.<TD>60 minutes
<TR><TD>[Install System Center Configuration Manager](#install-system-center-configuration-manager)<TD>Download System Center Configuration Manager, configure prerequisites, and install the package.<TD>45 minutes
<TR><TD>[Download MDOP and install DaRT](#download-mdop-and-install-dart)<TD>Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.<TD>15 minutes
<TR><TD>[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)<TD>Prerequisite procedures to support Zero Touch installation.<TD>60 minutes
<TR><TD>[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)<TD>Use the MDT wizard to create the boot image in Configuration Manager.<TD>20 minutes
<TR><TD>[Create a Windows 10 reference image](#create-a-windows-10-reference-image)<TD>This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.<TD>0-60 minutes
<TR><TD>[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image)<TD>Add a Windows 10 operating system image and distribute it.<TD>10 minutes<TR><TD>[Create a task sequence](#create-a-task-sequence)<TD>Create a Configuration Manager task sequence with MDT integration using the MDT wizard<TD>15 minutes
<TR><TD>[Finalize the operating system configuration](#finalize-the-operating-system-configuration)<TD>Enable monitoring, configure rules, and distribute content.<TD>30 minutes
<TR><TD>[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager)<TD>Deploy Windows 10 using Configuration Manager deployment packages and task sequences.<TD>60 minutes
<TR><TD>[Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager)<TD>Replace a client computer with Windows 10 using Configuration Manager.<TD>90 minutes
<TR><TD>[Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager)<TD>Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT<TD>90 minutes
<tr><td>[Install prerequisites](#install-prerequisites)<td>Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.<td>60 minutes
<tr><td>[Install System Center Configuration Manager](#install-system-center-configuration-manager)<td>Download System Center Configuration Manager, configure prerequisites, and install the package.<td>45 minutes
<tr><td>[Download MDOP and install DaRT](#download-mdop-and-install-dart)<td>Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.<td>15 minutes
<tr><td>[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)<td>Prerequisite procedures to support Zero Touch installation.<td>60 minutes
<tr><td>[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)<td>Use the MDT wizard to create the boot image in Configuration Manager.<td>20 minutes
<tr><td>[Create a Windows 10 reference image](#create-a-windows-10-reference-image)<td>This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.<td>0-60 minutes
<tr><td>[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image)<td>Add a Windows 10 operating system image and distribute it.<td>10 minutes<tr><td>[Create a task sequence](#create-a-task-sequence)<td>Create a Configuration Manager task sequence with MDT integration using the MDT wizard<td>15 minutes
<tr><td>[Finalize the operating system configuration](#finalize-the-operating-system-configuration)<td>Enable monitoring, configure rules, and distribute content.<td>30 minutes
<tr><td>[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager)<td>Deploy Windows 10 using Configuration Manager deployment packages and task sequences.<td>60 minutes
<tr><td>[Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager)<td>Replace a client computer with Windows 10 using Configuration Manager.<td>90 minutes
<tr><td>[Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager)<td>Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT<td>90 minutes
</TABLE>
</table>
</div>
@ -417,12 +419,12 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
5. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **C:\MDTBuildLab**<BR>
- Share name: **MDTBuildLab$**<BR>
- Deployment share description: **MDT build lab**<BR>
- Options: click **Next** to accept the default<BR>
- Summary: click **Next**<BR>
- Progress: settings will be applied<BR>
- Deployment share path: **C:\MDTBuildLab**<br>
- Share name: **MDTBuildLab$**<br>
- Deployment share description: **MDT build lab**<br>
- Options: click **Next** to accept the default<br>
- Summary: click **Next**<br>
- Progress: settings will be applied<br>
- Confirmation: click **Finish**
6. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
@ -432,18 +434,18 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
8. Use the following settings for the Import Operating System Wizard:
- OS Type: **Full set of source files**<BR>
- Source: **D:\\** <BR>
- Destination: **W10Ent_x64**<BR>
- OS Type: **Full set of source files**<br>
- Source: **D:\\** <br>
- Destination: **W10Ent_x64**<br>
- Summary: click **Next**
- Confirmation: click **Finish**
9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**<BR>
- Task sequence name: **Windows 10 Enterprise x64 Default Image** <BR>
- Task sequence comments: **Reference Build**<BR>
- Task sequence ID: **REFW10X64-001**<br>
- Task sequence name: **Windows 10 Enterprise x64 Default Image** <br>
- Task sequence comments: **Reference Build**<br>
- Template: **Standard Client Task Sequence**
- Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
- Specify Product Key: **Do not specify a product key at this time**
@ -638,27 +640,27 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**.
5. Configure the **Request State Store** action that was just added with the following settings:<BR>
- Request state storage location to: **Restore state from another computer**<BR>
- Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.<BR>
- Options tab: Select the **Continue on error** checkbox.<BR>
- Add Condition: **Task Sequence Variable**:<BR>
- Variable: **USMTLOCAL** <BR>
- Condition: **not equals**<BR>
- Value: **True**<BR>
- Click **OK**.<BR>
- Click **Apply**<BR>.
5. Configure the **Request State Store** action that was just added with the following settings:<br>
- Request state storage location to: **Restore state from another computer**<br>
- Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.<br>
- Options tab: Select the **Continue on error** checkbox.<br>
- Add Condition: **Task Sequence Variable**:<br>
- Variable: **USMTLOCAL** <br>
- Condition: **not equals**<br>
- Value: **True**<br>
- Click **OK**.<br>
- Click **Apply**<br>.
6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**.
7. Configure the **Release State Store** action that was just added with the following settings:<BR>
- Options tab: Select the **Continue on error** checkbox.<BR>
- Add Condition: **Task Sequence Variable**:<BR>
- Variable: **USMTLOCAL** <BR>
- Condition: **not equals**<BR>
- Value: **True**<BR>
- Click **OK**.<BR>
- Click **OK**<BR>.
7. Configure the **Release State Store** action that was just added with the following settings:<br>
- Options tab: Select the **Continue on error** checkbox.<br>
- Add Condition: **Task Sequence Variable**:<br>
- Variable: **USMTLOCAL** <br>
- Condition: **not equals**<br>
- Value: **True**<br>
- Click **OK**.<br>
- Click **OK**<br>.
### Finalize the operating system configuration
@ -668,12 +670,12 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**.
2. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **C:\MDTProduction**<BR>
- Share name: **MDTProduction$**<BR>
- Deployment share description: **MDT Production**<BR>
- Options: click **Next** to accept the default<BR>
- Summary: click **Next**<BR>
- Progress: settings will be applied<BR>
- Deployment share path: **C:\MDTProduction**<br>
- Share name: **MDTProduction$**<br>
- Deployment share description: **MDT Production**<br>
- Options: click **Next** to accept the default<br>
- Summary: click **Next**<br>
- Progress: settings will be applied<br>
- Confirmation: click **Finish**
3. Right-click the **MDT Production** deployment share, and click **Properties**.
@ -724,10 +726,10 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**.
3. On the Deployment Settings page, use the following settings:<BR>
- Purpose: **Available**<BR>
- Make available to the following: **Only media and PXE**<BR>
- Click **Next**.<BR>
3. On the Deployment Settings page, use the following settings:<br>
- Purpose: **Available**<br>
- Make available to the following: **Only media and PXE**<br>
- Click **Next**.<br>
4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages.
5. Click **Close**.
@ -910,14 +912,14 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**.
2. Use the following settings in the **Create Device Collection Wizard**:
- General > Name: **Install Windows 10 Enterprise x64**<BR>
- General > Limiting collection: **All Systems**<BR>
- Membership Rules > Add Rule: **Direct Rule**<BR>
- The **Create Direct Membership Rule Wizard** opens, click **Next**<BR>
- Search for Resources > Resource class: **System Resource**<BR>
- Search for Resources > Attribute name: **Name**<BR>
- Search for Resources > Value: **%**<BR>
- Select Resources > Value: Select the computername associated with the PC1 VM<BR>
- General > Name: **Install Windows 10 Enterprise x64**<br>
- General > Limiting collection: **All Systems**<br>
- Membership Rules > Add Rule: **Direct Rule**<br>
- The **Create Direct Membership Rule Wizard** opens, click **Next**<br>
- Search for Resources > Resource class: **System Resource**<br>
- Search for Resources > Attribute name: **Name**<br>
- Search for Resources > Value: **%**<br>
- Select Resources > Value: Select the computername associated with the PC1 VM<br>
- Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close)
3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed.
@ -925,14 +927,14 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**.
5. Use the following settings in the Deploy Sofware wizard:
- General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**<BR>
- Deployment Settings > Purpose: **Available**<BR>
- Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**<BR>
- Scheduling > Click **Next**<BR>
- User Experience > Click **Next**<BR>
- Alerts > Click **Next**<BR>
- Distribution Points > Click **Next**<BR>
- Summary > Click **Next**<BR>
- General > Collection: Click Browse and select **Install Windows 10 Enterprise x64**<br>
- Deployment Settings > Purpose: **Available**<br>
- Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**<br>
- Scheduling > Click **Next**<br>
- User Experience > Click **Next**<br>
- Alerts > Click **Next**<br>
- Distribution Points > Click **Next**<br>
- Summary > Click **Next**<br>
- Verify that the wizard completed successfully and then click **Close**
@ -970,14 +972,14 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**.
2. Use the following settings in the **Create Device Collection Wizard**:
- General > Name: **USMT Backup (Replace)**<BR>
- General > Limiting collection: **All Systems**<BR>
- Membership Rules > Add Rule: **Direct Rule**<BR>
- The **Create Direct Membership Rule Wizard** opens, click **Next**<BR>
- Search for Resources > Resource class: **System Resource**<BR>
- Search for Resources > Attribute name: **Name**<BR>
- Search for Resources > Value: **%**<BR>
- Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).<BR>
- General > Name: **USMT Backup (Replace)**<br>
- General > Limiting collection: **All Systems**<br>
- Membership Rules > Add Rule: **Direct Rule**<br>
- The **Create Direct Membership Rule Wizard** opens, click **Next**<br>
- Search for Resources > Resource class: **System Resource**<br>
- Search for Resources > Attribute name: **Name**<br>
- Search for Resources > Value: **%**<br>
- Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).<br>
- Click **Next** twice and then click **Close** in both windows.
3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed.
@ -985,13 +987,13 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
### Create a new deployment
In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings:
- General > Collection: **USMT Backup (Replace)**<BR>
- Deployment Settings > Purpose: **Available**<BR>
- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**<BR>
- Scheduling: Click **Next**<BR>
- User Experience: Click **Next**<BR>
- Alerts: Click **Next**<BR>
- Distribution Points: Click **Next**<BR>
- General > Collection: **USMT Backup (Replace)**<br>
- Deployment Settings > Purpose: **Available**<br>
- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**<br>
- Scheduling: Click **Next**<br>
- User Experience: Click **Next**<br>
- Alerts: Click **Next**<br>
- Distribution Points: Click **Next**<br>
- Click **Next** and then click **Close**.
### Verify the backup

72
windows/deployment/windows-10-poc.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt, sccm
ms.localizationpriority: high
ms.date: 08/23/2017
ms.date: 10/10/2017
author: greg-lindsay
---
@ -42,25 +42,25 @@ After completing the instructions in this guide, you will have a PoC environment
Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
<br>
<div style='font-size:9.0pt'>
<TABLE border=1 cellspacing=0 cellpadding=0>
<TR><TD BGCOLOR="#a0e4fa"><B>Topic</B><TD BGCOLOR="#a0e4fa"><B>Description</B><TD BGCOLOR="#a0e4fa"><B>Time</B>
<TR><TD>[Hardware and software requirements](#hardware-and-software-requirements)<TD>Prerequisites to complete this guide.<TD>Informational
<TR><TD>[Lab setup](#lab-setup)<TD>A description and diagram of the PoC environment.<TD>Informational
<TR><TD>[Configure the PoC environment](#configure-the-poc-environment)<TD>Parent topic for procedures.<TD>Informational
<TR><TD>[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)<TD>Verify that installation of Hyper-V is supported, and install the Hyper-V server role.<TD>10 minutes
<TR><TD>[Download VHD and ISO files](#download-vhd-and-iso-files)<TD>Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.<TD>30 minutes
<TR><TD>[Convert PC to VM](#convert-pc-to-vm)<TD>Convert a physical computer on your network to a VM hosted in Hyper-V.<TD>30 minutes
<TR><TD>[Resize VHD](#resize-vhd)<TD>Increase the storage capacity for one of the Windows Server VMs.<TD>5 minutes
<TR><TD>[Configure Hyper-V](#configure-hyper-v)<TD>Create virtual switches, determine available RAM for virtual machines, and add virtual machines.<TD>15 minutes
<TR><TD>[Configure service and user accounts](#configure-service-and-user-accounts)<TD>Start virtual machines and configure all services and settings.<TD>60 minutes
<TR><TD>[Configure VMs](#configure-vms)<TD>Start virtual machines and configure all services and settings.<TD>60 minutes
<TR><TD>[Appendix A: Verify the configuration](#appendix-a-verify-the-configuration)<TD>Verify and troubleshoot network connectivity and services in the PoC environment.<TD>30 minutes
<TR><TD>[Appendix B: Terminology in this guide](#appendix-b-terminology-used-in-this-guide)<TD>Terms used in this guide.<TD>Informational
</TABLE>
<table border="1" cellspacing="0" cellpadding="0">
<tr><TD BGCOLOR="#a0e4fa"><B>Topic</B></td><TD BGCOLOR="#a0e4fa"><B>Description</B></td><TD BGCOLOR="#a0e4fa"><B>Time</B></td></tr>
<tr><td>[Hardware and software requirements](#hardware-and-software-requirements)<td>Prerequisites to complete this guide.<td>Informational
<tr><td>[Lab setup](#lab-setup)<td>A description and diagram of the PoC environment.<td>Informational
<tr><td>[Configure the PoC environment](#configure-the-poc-environment)<td>Parent topic for procedures.<td>Informational
<tr><td>[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)<td>Verify that installation of Hyper-V is supported, and install the Hyper-V server role.<td>10 minutes
<tr><td>[Download VHD and ISO files](#download-vhd-and-iso-files)<td>Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.<td>30 minutes
<tr><td>[Convert PC to VM](#convert-pc-to-vm)<td>Convert a physical computer on your network to a VM hosted in Hyper-V.<td>30 minutes
<tr><td>[Resize VHD](#resize-vhd)<td>Increase the storage capacity for one of the Windows Server VMs.<td>5 minutes
<tr><td>[Configure Hyper-V](#configure-hyper-v)<td>Create virtual switches, determine available RAM for virtual machines, and add virtual machines.<td>15 minutes
<tr><td>[Configure service and user accounts](#configure-service-and-user-accounts)<td>Start virtual machines and configure all services and settings.<td>60 minutes
<tr><td>[Configure VMs](#configure-vms)<td>Start virtual machines and configure all services and settings.<td>60 minutes
<tr><td>[Appendix A: Verify the configuration](#appendix-a-verify-the-configuration)<td>Verify and troubleshoot network connectivity and services in the PoC environment.<td>30 minutes
<tr><td>[Appendix B: Terminology in this guide](#appendix-b-terminology-used-in-this-guide)<td>Terms used in this guide.<td>Informational
</table>
</div>
## Hardware and software requirements
@ -74,9 +74,9 @@ Harware requirements are displayed below:
<div style='font-size:9.0pt'>
<TABLE border=1 cellspacing=0 cellpadding=0>
<table border=1 cellspacing="0" cellpadding="0">
<tr>
<TD></td>
<td></td>
<td BGCOLOR="#a0e4fa">**Computer 1** (required)</td>
<td BGCOLOR="#a0e4fa">**Computer 2** (recommended)</td>
</tr>
@ -230,7 +230,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.
<TABLE BORDER=1>
<TR><TD> ![VHD](images/download_vhd.png) </TD></TR>
<tr><td> ![VHD](images/download_vhd.png) </TD></TR>
</TABLE>
2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
@ -262,7 +262,7 @@ w10-enterprise.iso
>Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network.
<TABLE BORDER=2><TR><TD>
<TABLE BORDER=2><tr><td>
If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
<BR>
<OL>
@ -292,7 +292,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio
<div style='font-size:9.0pt'>
<TABLE border=1 cellspacing=0 cellpadding=0>
<table border=1 cellspacing="0" cellpadding="0">
<tr>
<td></td>
<td>Architecture</td>
@ -363,7 +363,7 @@ The following table displays the Hyper-V VM generation to choose based on the OS
<div style='font-size:9.0pt'>
<TABLE border=1 cellspacing=0 cellpadding=0>
<table border=1 cellspacing="0" cellpadding="0">
<tr>
<td>OS</td>
<td>Partition style</td>
@ -1073,18 +1073,18 @@ Use the following procedures to verify that the PoC environment is configured pr
<div style='font-size:9.0pt'>
<TABLE border=1 cellspacing=0 cellpadding=0>
<TR><TD BGCOLOR="#a0e4fa"><B>Term</B><TD BGCOLOR="#a0e4fa"><B>Definition</B>
<TR><TD>GPT<TD>GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.
<TR><TD>Hyper-V<TD>Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.
<TR><TD>Hyper-V host<TD>The computer where Hyper-V is installed.
<TR><TD>Hyper-V Manager<TD>The user-interface console used to view and configure Hyper-V.
<TR><TD>MBR<TD>Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.
<TR><TD>Proof of concept (PoC)<TD>Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.
<TR><TD>Shadow copy<TD>A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.
<TR><TD>Virtual machine (VM)<TD>A VM is a virtual computer with its own operating system, running on the Hyper-V host.
<TR><TD>Virtual switch<TD>A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.
<TR><TD>VM snapshot<TD>A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.
<table border="1" cellspacing="0" cellpadding="0">
<tr><TD BGCOLOR="#a0e4fa"><B>Term</B><TD BGCOLOR="#a0e4fa"><B>Definition</B>
<tr><td>GPT<td>GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.
<tr><td>Hyper-V<td>Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.
<tr><td>Hyper-V host<td>The computer where Hyper-V is installed.
<tr><td>Hyper-V Manager<td>The user-interface console used to view and configure Hyper-V.
<tr><td>MBR<td>Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.
<tr><td>Proof of concept (PoC)<td>Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.
<tr><td>Shadow copy<td>A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.
<tr><td>Virtual machine (VM)<td>A VM is a virtual computer with its own operating system, running on the Hyper-V host.
<tr><td>Virtual switch<td>A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.
<tr><td>VM snapshot<td>A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.
</TABLE>
</div>

2
windows/device-security/device-guard/deploy-catalog-files-to-support-code-integrity-policies.md
View File

@ -28,7 +28,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
1. Be sure that a code integrity policy is currently deployed in audit mode on the computer on which you will run Package Inspector.
Package Inspector does not always detect installation files that have been removed from the computer during the installation process. To ensure that these binaries are also trusted, deploy a code integrity policy in audit mode. You can use the code integrity policy that you created and audited in [Create a code integrity policy from a golden computer](deploy-code-integrity-policies-steps.md#create-a-code-integrity-policy-from-a-golden-computer) and [Audit code integrity policies](deploy-code-integrity-policies-steps.md#audit-code-integrity-policies).
Package Inspector does not always detect installation files that have been removed from the computer during the installation process. To ensure that these binaries are also trusted, deploy a code integrity policy in audit mode. You can use the code integrity policy that you created and audited in [Create a code integrity policy from a reference computer](deploy-code-integrity-policies-steps.md#create-a-code-integrity-policy-from-a-reference-computer) and [Audit code integrity policies](deploy-code-integrity-policies-steps.md#audit-code-integrity-policies).
> **Note**&nbsp;&nbsp;This process should **not** be performed on a system with an enforced Windows Defender Device Guard policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application.

20
windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
View File

@ -717,11 +717,11 @@ We recommend that every code integrity policy be run in audit mode before being
When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies.
> [!Note]
> Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
> Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
**To audit a code integrity policy with local policy:**
1. Find a *.bin policy file that you have created, for example, the DeviceGuardPolicy.bin file that resulted from the steps in the earlier section, [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Copy the file to C:\\Windows\\System32\\CodeIntegrity.
1. Find a *.bin policy file that you have created, for example, the DeviceGuardPolicy.bin file that resulted from the steps in the earlier section, [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer). Copy the file to C:\\Windows\\System32\\CodeIntegrity.
2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**.
@ -735,7 +735,7 @@ When code integrity policies are run in audit mode, it allows administrators to
> [!Note]
> - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access.
> - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access.
> - Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers.
@ -793,7 +793,7 @@ Use the following procedure after you have been running a computer with a code i
You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the next section, [Merge code integrity policies](#merge-code-integrity-policies).
> [!Note]
> You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
> You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
## <a href="" id="plug-ins"></a>Use a code integrity policy to control specific plug-ins, add-ins, and modules
@ -823,7 +823,7 @@ New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
## Merge code integrity policies
When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy.
When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from reference computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy.
> [!Note]
> The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine.
@ -873,7 +873,7 @@ Every code integrity policy is created with audit mode enabled. After you have s
` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
> [!Note]
> The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
> The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the code integrity policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options.
@ -917,7 +917,7 @@ To sign a code integrity policy with SignTool.exe, you need the following compon
- SignTool.exe, found in the Windows SDK (Windows 7 or later)
- The binary format of the code integrity policy that you generated in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section or another code integrity policy that you have created
- The binary format of the code integrity policy that you generated in the [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer) section or another code integrity policy that you have created
- An internal CA code signing certificate or a purchased code signing certificate
@ -932,7 +932,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
> [!Note]
> This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
> This example uses the code integrity policy that you created in the [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing users personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
@ -1034,7 +1034,7 @@ There may be a time when signed code integrity policies cause a boot failure. Be
Code integrity policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
> [!Note]
> This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic.
> This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer), earlier in this topic.
> [!Note]
> Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment.
@ -1066,7 +1066,7 @@ To deploy and manage a code integrity policy with Group Policy:
In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5.
> [!Note]
> The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
> The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a reference computer](#create-a-code-integrity-policy-from-a-reference-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
![Group Policy called Deploy Code Integrity Policy](images/dg-fig26-enablecode.png)