diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md index 8765ba9fa6..4f5424f963 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md @@ -19,90 +19,81 @@ ms.author: greglin The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10 version 1703 and later - - - - - - - - - - - - - - - - - - - - - - - -
ProblemWorkaround
Unable to manually create a system-owned folder needed for the set-AppVClientConfiguration PowerShell cmdlet when using the PackageInstallationRoot, IntegrationRootUser, or IntegrationRootGlobal parameters.Don't create this file manually, instead let the Add-AppVClientPackage cmdlet auto-generate it.
Failure to update an App-V package from App-V 5.x to the latest in-box version, by using the PowerShell sequencing commands.Make sure you have the complete App-V package or the MSI file from the original app.
Unable to modify the locale for auto-sequencing.Open the C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml file and include the language code for your locale. For example, if you wanted Spanish (Spain), you'd use: es-ES.
Filetype and protocol handlers aren't registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the Settings > Apps> Default Apps area.The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the <appv:Extensions> tag: -

-<appv:Extension Category="AppV.URLProtocol">
-    <appv:URLProtocol>
-        <appv:Name>ftp</appv:Name>
-        <appv:ApplicationURLProtocol>
-            <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
-            <appv:ShellCommands>
-                <appv:DefaultCommand>open</appv:DefaultCommand>
-                <appv:ShellCommand>
-                    <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
-                    <appv:Name>open</appv:Name>
-                    <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
-                    <appv:DdeExec>
-                        <appv:DdeCommand />
-                    </appv:DdeExec>
-                </appv:ShellCommand>
-            </appv:ShellCommands>
-        </appv:ApplicationURLProtocol>
-    </appv:URLProtocol>
-</appv:Extension>
-<appv:Extension Category="AppV.URLProtocol">
-    <appv:URLProtocol>
-        <appv:Name>http</appv:Name>
-        <appv:ApplicationURLProtocol>
-            <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
-            <appv:ShellCommands>
-                <appv:DefaultCommand>open</appv:DefaultCommand>
-                <appv:ShellCommand>
-                    <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
-                    <appv:Name>open</appv:Name>
-                    <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
-                    <appv:DdeExec>
-                        <appv:DdeCommand />
-                    </appv:DdeExec>
-                </appv:ShellCommand>
-            </appv:ShellCommands>
-        </appv:ApplicationURLProtocol>
-    </appv:URLProtocol>
-</appv:Extension>
-<appv:Extension Category="AppV.URLProtocol">
-    <appv:URLProtocol>
-        <appv:Name>https</appv:Name>
-        <appv:ApplicationURLProtocol>
-            <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
-            <appv:ShellCommands>
-                <appv:DefaultCommand>open</appv:DefaultCommand>
-                <appv:ShellCommand>
-                    <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
-                    <appv:Name>open</appv:Name>
-                    <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
-                    <appv:DdeExec>
-                        <appv:DdeCommand />
-                    </appv:DdeExec>
-                </appv:ShellCommand>
-            </appv:ShellCommands>
-        </appv:ApplicationURLProtocol>
-    </appv:URLProtocol>
-</appv:Extension>
-

+- **Problem**: Unable to manually create a system-owned folder needed for the `set-AppVClientConfiguration` PowerShell cmdlet when using the PackageInstallationRoot, IntegrationRootUser, or IntegrationRootGlobal parameters. + **Workaround**: Don't create this file manually, instead let the `Add-AppVClientPackage` cmdlet auto-generate it. + +- **Problem**: Failure to update an App-V package from App-V 5.x to the latest in-box version, by using the PowerShell sequencing commands. + + **Workaround**: Make sure you have the complete App-V package or the MSI file from the original app. + +- **Problem**: Unable to modify the locale for auto-sequencing. + + **Workaround**: Open the `C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml` file and include the language code for your locale. For example, if you wanted Spanish (Spain), you'd use: es-ES. + +- **Problem**: Filetype and protocol handlers aren't registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the Settings > Apps> Default Apps area. 
+ + **Workaround**: The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the `` tag: + + ```xml + + + ftp + + [{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0 + + open + + [{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe + open + "[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1" + + + + + + + + + + + http + + [{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0 + + open + + [{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe + open + "[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1" + + + + + + + + + + + https + + [{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0 + + open + + [{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe + open + "[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1" + + + + + + + + + ``` ## Related resources list For information that can help with troubleshooting App-V for Windows client, see: @@ -120,4 +111,4 @@ For information that can help with troubleshooting App-V for Windows client, see ## Related topics - [What's new in App-V for Windows client](appv-about-appv.md) -- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md) \ No newline at end of file +- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 456fbbd28c..96b516b939 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -28,7 +28,7 @@ For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation The following shows the BitLocker configuration service provider in tree format. -``` +```console ./Device/Vendor/MSFT BitLocker ----RequireStorageCardEncryption 
@@ -63,85 +63,21 @@ BitLocker **./Device/Vendor/MSFT/BitLocker** Defines the root node for the BitLocker configuration service provider. -**RequireStorageCardEncryption** - -Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcross markcross markcross markcross markcheck mark
- -Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on. - -- 0 (default) – Storage cards do not need to be encrypted. -- 1 – Require storage cards to be encrypted. - -Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on. - -If you want to disable this policy use the following SyncML: - -```xml - - - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption - - - int - - 0 - - - - -``` - -Data type is integer. Supported operations are Add, Get, Replace, and Delete. - - **RequireDeviceEncryption** Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption. - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcheck mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + Data type is integer. Sample value for this node to enable this policy: 1. Supported operations are Add, Get, Replace, and Delete. @@ -193,24 +129,15 @@ If you want to disable this policy, use the following SyncML: Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the BitLocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -276,26 +203,15 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. Allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -347,26 +263,15 @@ If you disable or do not configure this setting, the identification field is not Allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -400,26 +305,15 @@ If this policy is disabled, the options of "Require additional authentication at Allows users to configure whether or not enhanced startup PINs are used with BitLocker. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -456,26 +350,15 @@ If you disable or do not configure this policy setting, enhanced PINs will not b Allows you to configure whether standard users are allowed to change BitLocker PIN or password that is used to protect the operating system drive. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -512,26 +395,15 @@ Sample value for this node to disable this policy is: Allows users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -574,26 +446,15 @@ When the Windows Recovery Environment is not enabled and this policy is not enab Allows you to configure the encryption type that is used by BitLocker. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -633,26 +494,15 @@ For more information about the tool to manage BitLocker, see [Manage-bde](/windo This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup". - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -741,26 +591,15 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup". - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -818,26 +657,15 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure pre-bo (PrebootRecoveryInfo_Name). - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -907,26 +735,15 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name). - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -1004,26 +821,15 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (). - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -1110,26 +916,15 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name). - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -1179,26 +974,15 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. Allows you to configure the encryption type on fixed data drives that is used by BitLocker. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -1240,26 +1024,15 @@ For more information about the tool to manage BitLocker, see [Manage-bde](/windo This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name). - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -1320,26 +1093,15 @@ Disabling the policy will let the system choose the default behaviors. If you wa Allows you to configure the encryption type that is used by BitLocker. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -1375,26 +1137,15 @@ If this policy is disabled or not configured, the BitLocker Setup Wizard asks th Allows you to control the use of BitLocker on removable data drives. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + ADMX Info: @@ -1445,26 +1196,15 @@ Allows the admin to disable the warning prompt for other disk encryption on the > [!Warning] > When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The following list shows the supported values: @@ -1509,26 +1249,15 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The expected values for this policy are: @@ -1564,26 +1293,15 @@ This setting initiates a client-driven recovery password refresh after an OS dri - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + Value type is int. Supported operations are Add, Delete, Get, and Replace. @@ -1619,26 +1337,15 @@ Each server-side recovery key rotation is represented by a request ID. The serve - RotateRecoveryPasswordsRequestID: Returns request ID of last request processed. - RotateRecoveryPasswordsRotationStatus: Returns status of last request processed. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + Value type is string. Supported operation is Execute. Request ID is expected as a parameter. @@ -1664,26 +1371,15 @@ Interior node. Supported operation is Get. This node reports compliance state of device encryption on the system. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + @@ -1732,26 +1428,15 @@ Status code can be one of the following: - 0 - Pass - Any other code - Failure HRESULT - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + Value type is int. Supported operation is Get. @@ -1767,26 +1452,14 @@ This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID. - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobile
cross markcheck markcheck markcheck markcheck markcross mark
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index 8036d19764..089b3868fd 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -179,907 +179,141 @@ This article lists new and updated articles for the Mobile Device Management (MD ## August 2018 - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New or updated articleDescription
BitLocker CSP

Added support for Windows 10 Pro starting in the version 1809.

-
Office CSP

Added FinalStatus setting in Windows 10, version 1809.

-
RemoteWipe CSP

Added new settings in Windows 10, version 1809.

-
TenantLockdown CSP

Added new CSP in Windows 10, version 1809.

-
WindowsDefenderApplicationGuard CSP

Added new settings in Windows 10, version 1809.

-
Policy DDF file

Posted an updated version of the Policy DDF for Windows 10, version 1809.

-
Policy CSP

Added the following new policies in Windows 10, version 1809:

-
    -
  • Browser/AllowFullScreenMode
  • -
  • Browser/AllowPrelaunch
  • -
  • Browser/AllowPrinting
  • -
  • Browser/AllowSavingHistory
  • -
  • Browser/AllowSideloadingOfExtensions
  • -
  • Browser/AllowTabPreloading
  • -
  • Browser/AllowWebContentOnNewTabPage
  • -
  • Browser/ConfigureFavoritesBar
  • -
  • Browser/ConfigureHomeButton
  • -
  • Browser/ConfigureKioskMode
  • -
  • Browser/ConfigureKioskResetAfterIdleTimeout
  • -
  • Browser/ConfigureOpenMicrosoftEdgeWith
  • -
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
  • -
  • Browser/PreventCertErrorOverrides
  • -
  • Browser/SetHomeButtonURL
  • -
  • Browser/SetNewTabPageURL
  • -
  • Browser/UnlockHomeButton
  • -
  • Experience/DoNotSyncBrowserSettings
  • -
  • Experience/PreventUsersFromTurningOnBrowserSyncing
  • -
  • Kerberos/UPNNameHints
  • -
  • Privacy/AllowCrossDeviceClipboard
  • -
  • Privacy/DisablePrivacyExperience
  • -
  • Privacy/UploadUserActivities
  • -
  • System/AllowDeviceNameInDiagnosticData
  • -
  • System/ConfigureMicrosoft365UploadEndpoint
  • -
  • System/DisableDeviceDelete
  • -
  • System/DisableDiagnosticDataViewer
  • -
  • Storage/RemovableDiskDenyWriteAccess
  • -
  • Update/UpdateNotificationLevel
  • -
-

Start/DisableContextMenus - added in Windows 10, version 1803.

-

RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.

-
+|New or updated article|Description| +|--- |--- | +|[BitLocker CSP](bitlocker-csp.md)|Added support for Windows 10 Pro starting in the version 1809.| +|[Office CSP](office-csp.md)|Added FinalStatus setting in Windows 10, version 1809.| +|[RemoteWipe CSP](remotewipe-csp.md)|Added new settings in Windows 10, version 1809.| +|[TenantLockdown CSP](tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.| +|[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.| +|[Policy DDF file](policy-ddf-file.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:
  • Browser/AllowFullScreenMode
  • Browser/AllowPrelaunch
  • Browser/AllowPrinting
  • Browser/AllowSavingHistory
  • Browser/AllowSideloadingOfExtensions
  • Browser/AllowTabPreloading
  • Browser/AllowWebContentOnNewTabPage
  • Browser/ConfigureFavoritesBar
  • Browser/ConfigureHomeButton
  • Browser/ConfigureKioskMode
  • Browser/ConfigureKioskResetAfterIdleTimeout
  • Browser/ConfigureOpenMicrosoftEdgeWith
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
  • Browser/PreventCertErrorOverrides
  • Browser/SetHomeButtonURL
  • Browser/SetNewTabPageURL
  • Browser/UnlockHomeButton
  • Experience/DoNotSyncBrowserSettings
  • Experience/PreventUsersFromTurningOnBrowserSyncing
  • Kerberos/UPNNameHints
  • Privacy/AllowCrossDeviceClipboard
  • Privacy
  • DisablePrivacyExperience
  • Privacy/UploadUserActivities
  • System/AllowDeviceNameInDiagnosticData
  • System/ConfigureMicrosoft365UploadEndpoint
  • System/DisableDeviceDelete
  • System/DisableDiagnosticDataViewer
  • Storage/RemovableDiskDenyWriteAccess
  • Update/UpdateNotificationLevel

    Start/DisableContextMenus - added in Windows 10, version 1803.

    RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.| ## July 2018 - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    New or updated articleDescription
    AssignedAccess CSP

    Added the following note:

    -
      -
    • You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
    • -
    -
    PassportForWork CSP

    Added new settings in Windows 10, version 1809.

    -
    EnterpriseModernAppManagement CSP

    Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

    -
    Win32CompatibilityAppraiser CSP

    Added new configuration service provider in Windows 10, version 1809.

    -
    WindowsLicensing CSP

    Added S mode settings and SyncML examples in Windows 10, version 1809.

    -
    SUPL CSP

    Added 3 new certificate nodes in Windows 10, version 1809.

    -
    Defender CSP

    Added a new node Health/ProductStatus in Windows 10, version 1809.

    -
    BitLocker CSP

    Added a new node AllowStandardUserEncryption in Windows 10, version 1809.

    -
    DevDetail CSP

    Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

    -
    Policy CSP

    Added the following new policies in Windows 10, version 1809:

    -
      -
    • ApplicationManagement/LaunchAppAfterLogOn
    • -
    • ApplicationManagement/ScheduleForceRestartForUpdateFailures
    • -
    • Authentication/EnableFastFirstSignIn (Preview mode only)
    • -
    • Authentication/EnableWebSignIn (Preview mode only)
    • -
    • Authentication/PreferredAadTenantDomainName
    • -
    • Defender/CheckForSignaturesBeforeRunningScan
    • -
    • Defender/DisableCatchupFullScan
    • -
    • Defender/DisableCatchupQuickScan
    • -
    • Defender/EnableLowCPUPriority
    • -
    • Defender/SignatureUpdateFallbackOrder
    • -
    • Defender/SignatureUpdateFileSharesSources
    • -
    • DeviceGuard/ConfigureSystemGuardLaunch
    • -
    • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
    • -
    • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
    • -
    • DeviceInstallation/PreventDeviceMetadataFromNetwork
    • -
    • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
    • -
    • DmaGuard/DeviceEnumerationPolicy
    • -
    • Experience/AllowClipboardHistory
    • -
    • Security/RecoveryEnvironmentAuthentication
    • -
    • TaskManager/AllowEndTask
    • -
    • WindowsDefenderSecurityCenter/DisableClearTpmButton
    • -
    • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
    • -
    • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
    • -
    • WindowsLogon/DontDisplayNetworkSelectionUI
    • -
    -

    Recent changes:

    -
      -
    • DataUsage/SetCost3G - deprecated in Windows 10, version 1809.
    • -
    -
    +|New or updated article|Description| +|--- |--- | +|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following note:

    You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.| +|[PassportForWork CSP](passportforwork-csp.md)|Added new settings in Windows 10, version 1809.| +|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added NonRemovable setting under AppManagement node in Windows 10, version 1809.| +|[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)|Added new configuration service provider in Windows 10, version 1809.| +|[WindowsLicensing CSP](windowslicensing-csp.md)|Added S mode settings and SyncML examples in Windows 10, version 1809.| +|[SUPL CSP](supl-csp.md)|Added 3 new certificate nodes in Windows 10, version 1809.| +|[Defender CSP](defender-csp.md)|Added a new node Health/ProductStatus in Windows 10, version 1809.| +|[BitLocker CSP](bitlocker-csp.md)|Added a new node AllowStandardUserEncryption in Windows 10, version 1809.| +|[DevDetail CSP](devdetail-csp.md)|Added a new node SMBIOSSerialNumber in Windows 10, version 1809.| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:
  • ApplicationManagement/LaunchAppAfterLogOn
  • ApplicationManagement/ScheduleForceRestartForUpdateFailures
  • Authentication/EnableFastFirstSignIn (Preview mode only)
  • Authentication/EnableWebSignIn (Preview mode only)
  • Authentication/PreferredAadTenantDomainName
  • Defender/CheckForSignaturesBeforeRunningScan
  • Defender/DisableCatchupFullScan
  • Defender/DisableCatchupQuickScan
  • Defender/EnableLowCPUPriority
  • Defender/SignatureUpdateFallbackOrder
  • Defender/SignatureUpdateFileSharesSources
  • DeviceGuard/ConfigureSystemGuardLaunch
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
  • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
  • DmaGuard/DeviceEnumerationPolicy
  • Experience/AllowClipboardHistory
  • Security/RecoveryEnvironmentAuthentication
  • TaskManager/AllowEndTask
  • WindowsDefenderSecurityCenter/DisableClearTpmButton
  • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
  • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
  • WindowsLogon/DontDisplayNetworkSelectionUI

    Recent changes:
  • DataUsage/SetCost3G - deprecated in Windows 10, version 1809.| ## June 2018 - ---- - - - - - - - - - - - - - - - - - - - - - - - -
    New or updated articleDescription
    Wifi CSP

    Added a new node WifiCost in Windows 10, version 1809.

    -
    Diagnose MDM failures in Windows 10

    Recent changes:

    -
      -
    • Added procedure for collecting logs remotely from Windows 10 Holographic.
    • -
    • Added procedure for downloading the MDM Diagnostic Information log.
    • -
    -
    BitLocker CSP

    Added new node AllowStandardUserEncryption in Windows 10, version 1809.

    -
    Policy CSP

    Recent changes:

    -
      -
    • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration - removed from docs. Not supported.
    • -
    • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
    • -
    • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.
    • -
    • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.
    • -
    • System/AllowFontProviders is not supported in HoloLens (1st gen) Commercial Suite.
    • -
    • Security/RequireDeviceEncryption is supported in the Home SKU.
    • -
    • Start/StartLayout - added a table of SKU support information.
    • -
    • Start/ImportEdgeAssets - added a table of SKU support information.
    • -
    -

    Added the following new policies in Windows 10, version 1809:

    -
      -
    • Update/EngagedRestartDeadlineForFeatureUpdates
    • -
    • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
    • -
    • Update/EngagedRestartTransitionScheduleForFeatureUpdates
    • -
    • Update/SetDisablePauseUXAccess
    • -
    • Update/SetDisableUXWUAccess
    • -
    -
    WiredNetwork CSPNew CSP added in Windows 10, version 1809. -
    +|New or updated article|Description| +|--- |--- | +|[Wifi CSP](wifi-csp.md)|Added a new node WifiCost in Windows 10, version 1809.| +|[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)|Recent changes:
  • Added procedure for collecting logs remotely from Windows 10 Holographic.
  • Added procedure for downloading the MDM Diagnostic Information log.| +|[BitLocker CSP](bitlocker-csp.md)|Added new node AllowStandardUserEncryption in Windows 10, version 1809.| +|[Policy CSP](policy-configuration-service-provider.md)|Recent changes:
  • AccountPoliciesAccountLockoutPolicy
  • AccountLockoutDuration - removed from docs. Not supported.
  • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
  • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.
  • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.
  • System/AllowFontProviders is not supported in HoloLens (1st gen) Commercial Suite.
  • Security/RequireDeviceEncryption is supported in the Home SKU.
  • Start/StartLayout - added a table of SKU support information.
  • Start/ImportEdgeAssets - added a table of SKU support information.

    Added the following new policies in Windows 10, version 1809:
  • Update/EngagedRestartDeadlineForFeatureUpdates
  • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
  • Update/EngagedRestartTransitionScheduleForFeatureUpdates
  • Update/SetDisablePauseUXAccess
  • Update/SetDisableUXWUAccess| +|[WiredNetwork CSP](wirednetwork-csp.md)|New CSP added in Windows 10, version 1809.| ## May 2018 - ---- - - - - - - - - - - - -
    New or updated articleDescription
    Policy DDF file

    Updated the DDF files in the Windows 10 version 1703 and 1709.

    - -
    +|New or updated article|Description| +|--- |--- | +|[Policy DDF file](policy-ddf-file.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.
  • [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
  • [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)| ## April 2018 - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - -
    New or updated articleDescription
    WindowsDefenderApplicationGuard CSP

    Added the following node in Windows 10, version 1803:

    -
      -
    • Settings/AllowVirtualGPU
    • -
    • Settings/SaveFilesToHost
    • -
    -
    NetworkProxy CSP

    Added the following node in Windows 10, version 1803:

    -
      -
    • ProxySettingsPerUser
    • -
    -
    Accounts CSP

    Added a new CSP in Windows 10, version 1803.

    -
    MDM Migration Analysis Tool (MMAT)

    Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

    -
    CSP DDF files download

    Added the DDF download of Windows 10, version 1803 configuration service providers.

    -
    Policy CSP

    Added the following new policies for Windows 10, version 1803:

    -
      -
    • Bluetooth/AllowPromptedProximalConnections
    • -
    • KioskBrowser/EnableEndSessionButton
    • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
    • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
    • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
    • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
    • -
    -
    +|New or updated article|Description| +|--- |--- | +|[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:
  • Settings/AllowVirtualGPU
  • Settings/SaveFilesToHost| +|[NetworkProxy CSP](\networkproxy--csp.md)|Added the following node in Windows 10, version 1803:
  • ProxySettingsPerUser| +|[Accounts CSP](accounts-csp.md)|Added a new CSP in Windows 10, version 1803.| +|[MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat)|Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.| +|[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|Added the DDF download of Windows 10, version 1803 configuration service providers.| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
  • Bluetooth/AllowPromptedProximalConnections
  • KioskBrowser/EnableEndSessionButton
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers| ## March 2018 - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    New or updated articleDescription
    eUICCs CSP

    Added the following node in Windows 10, version 1803:

    -
      -
    • IsEnabled
    • -
    -
    DeviceStatus CSP

    Added the following node in Windows 10, version 1803:

    -
      -
    • OS/Mode
    • -
    -
    Understanding ADMX-backed policies

    Added the following videos:

    - -
    AccountManagement CSP

    Added a new CSP in Windows 10, version 1803.

    -
    RootCATrustedCertificates CSP

    Added the following node in Windows 10, version 1803:

    -
      -
    • UntrustedCertificates
    • -
    -
    Policy CSP

    Added the following new policies for Windows 10, version 1803:

    -
      -
    • ApplicationDefaults/EnableAppUriHandlers
    • -
    • ApplicationManagement/MSIAllowUserControlOverInstall
    • -
    • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
    • -
    • Connectivity/AllowPhonePCLinking
    • -
    • Notifications/DisallowCloudNotification
    • -
    • Notifications/DisallowTileNotification
    • -
    • RestrictedGroups/ConfigureGroupMembership
    • -
    -

    The following existing policies were updated:

    -
      -
    • Browser/AllowCookies - updated the supported values. There are 3 values - 0, 1, 2.
    • -
    • InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
    • -
    • TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.
    • -
    -

    Added a new section:

    - -
    Policy CSP - Bluetooth

    Added new section ServicesAllowedList usage guide.

    -
    MultiSIM CSP

    Added SyncML examples and updated the settings descriptions.

    -
    RemoteWipe CSP

    Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.

    -
    +|New or updated article|Description| +|--- |--- | +|[eUICCs CSP](euiccs-csp.md)|Added the following node in Windows 10, version 1803:
  • IsEnabled| +|[DeviceStatus CSP](devicestatus-csp.md)|Added the following node in Windows 10, version 1803:
  • OS/Mode| +|[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)|Added the following videos:
  • [How to create a custom xml to enable an ADMX-backed policy and deploy the XML in Intune](https://www.microsoft.com/showcase/video.aspx?uuid=bdc9b54b-11b0-4bdb-a022-c339d16e7121)
  • [How to import a custom ADMX file to a device using Intune](https://www.microsoft.com/showcase/video.aspx?uuid=a59888b1-429f-4a49-8570-c39a143d9a73)| +|[AccountManagement CSP](accountmanagement-csp.md)|Added a new CSP in Windows 10, version 1803.| +|[RootCATrustedCertificates CSP](rootcacertificates-csp.md)|Added the following node in Windows 10, version 1803:
  • UntrustedCertificates| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
  • ApplicationDefaults/EnableAppUriHandlers
  • ApplicationManagement/MSIAllowUserControlOverInstall
  • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
  • Connectivity/AllowPhonePCLinking
  • Notifications/DisallowCloudNotification
  • Notifications/DisallowTileNotification
  • RestrictedGroups/ConfigureGroupMembership

    The following existing policies were updated:
  • Browser/AllowCookies - updated the supported values. There are 3 values - 0, 1, 2.
  • InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
  • TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.

    Added a new section:
  • [[Policies in Policy CSP supported by Group Policy](/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.| +|[Policy CSP - Bluetooth](policy-csp-bluetooth.md)|Added new section [ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide).| +|[MultiSIM CSP](multisim-csp.md)|Added SyncML examples and updated the settings descriptions.| +|[RemoteWipe CSP](remotewipe-csp.md)|Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.| ## February 2018 - ---- - - - - - - - - - - - - - - - - - - - - - - - -
    New or updated articleDescription
    Policy CSP

    Added the following new policies for Windows 10, version 1803:

    -
      -
    • Display/DisablePerProcessDpiForApps
    • -
    • Display/EnablePerProcessDpi
    • -
    • Display/EnablePerProcessDpiForApps
    • -
    • Experience/AllowWindowsSpotlightOnSettings
    • -
    • TextInput/ForceTouchKeyboardDockedState
    • -
    • TextInput/TouchKeyboardDictationButtonAvailability
    • -
    • TextInput/TouchKeyboardEmojiButtonAvailability
    • -
    • TextInput/TouchKeyboardFullModeAvailability
    • -
    • TextInput/TouchKeyboardHandwritingModeAvailability
    • -
    • TextInput/TouchKeyboardNarrowModeAvailability
    • -
    • TextInput/TouchKeyboardSplitModeAvailability
    • -
    • TextInput/TouchKeyboardWideModeAvailability
    • -
        -
    VPNv2 ProfileXML XSD

    Updated the XSD and Plug-in profile example for VPNv2 CSP.

    -
    AssignedAccess CSP

    Added the following nodes in Windows 10, version 1803:

    -
      -
    • Status
    • -
    • ShellLauncher
    • -
    • StatusConfiguration
    • -
    -

    Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.

    -
    MultiSIM CSP

    Added a new CSP in Windows 10, version 1803.

    -
    EnterpriseModernAppManagement CSP

    Added the following node in Windows 10, version 1803:

    -
      -
    • MaintainProcessorArchitectureOnUpdate
    • -
    -
    +|New or updated article|Description| +|--- |--- | +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
  • Display/DisablePerProcessDpiForApps
  • Display/EnablePerProcessDpi
  • Display/EnablePerProcessDpiForApps
  • Experience/AllowWindowsSpotlightOnSettings
  • TextInput/ForceTouchKeyboardDockedState
  • TextInput/TouchKeyboardDictationButtonAvailability
  • TextInput/TouchKeyboardEmojiButtonAvailability
  • TextInput/TouchKeyboardFullModeAvailability
  • TextInput/TouchKeyboardHandwritingModeAvailability
  • TextInput/TouchKeyboardNarrowModeAvailability
  • TextInput/TouchKeyboardSplitModeAvailability
  • TextInput/TouchKeyboardWideModeAvailability| +|[VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md)|Updated the XSD and Plug-in profile example for VPNv2 CSP.| +|[AssignedAccess CSP](assignedaccess-csp.md)|Added the following nodes in Windows 10, version 1803:
  • Status
  • ShellLauncher
  • StatusConfiguration

    Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.| +|[MultiSIM CSP](multisim-csp.md)|Added a new CSP in Windows 10, version 1803.| +|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following node in Windows 10, version 1803:
  • MaintainProcessorArchitectureOnUpdate| ## January 2018 - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    New or updated articleDescription
    Policy CSP

    Added the following new policies for Windows 10, version 1803:

    -
      -
    • Browser/AllowConfigurationUpdateForBooksLibrary
    • -
    • Browser/AlwaysEnableBooksLibrary
    • -
    • Browser/EnableExtendedBooksTelemetry
    • -
    • Browser/UseSharedFolderForBooks
    • -
    • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
    • -
    • DeliveryOptimization/DODelayForegroundDownloadFromHttp
    • -
    • DeliveryOptimization/DOGroupIdSource
    • -
    • DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
    • -
    • DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
    • -
    • DeliveryOptimization/DORestrictPeerSelectionBy
    • -
    • DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
    • -
    • DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
    • -
    • KioskBrowser/BlockedUrlExceptions
    • -
    • KioskBrowser/BlockedUrls
    • -
    • KioskBrowser/DefaultURL
    • -
    • KioskBrowser/EnableHomeButton
    • -
    • KioskBrowser/EnableNavigationButtons
    • -
    • KioskBrowser/RestartOnIdleTime
    • -
    • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
    • -
    • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
    • -
    • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
    • -
    • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
    • -
    • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
    • -
    • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
    • -
    • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
    • -
    • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
    • -
    • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
    • -
    • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
    • -
    • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
    • -
    • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
    • -
    • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
    • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
    • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
    • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
    • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
    • -
    • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
    • -
    • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
    • -
    • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
    • -
    • RestrictedGroups/ConfigureGroupMembership
    • -
    • Search/AllowCortanaInAAD
    • -
    • Search/DoNotUseWebResults
    • -
    • Security/ConfigureWindowsPasswords
    • -
    • System/FeedbackHubAlwaysSaveDiagnosticsLocally
    • -
    • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
    • -
    • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
    • -
    • SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
    • -
    • SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
    • -
    • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
    • -
    • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
    • -
    • TaskScheduler/EnableXboxGameSaveTask
    • -
    • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
    • -
    • Update/ConfigureFeatureUpdateUninstallPeriod
    • -
    • UserRights/AccessCredentialManagerAsTrustedCaller
    • -
    • UserRights/AccessFromNetwork
    • -
    • UserRights/ActAsPartOfTheOperatingSystem
    • -
    • UserRights/AllowLocalLogOn
    • -
    • UserRights/BackupFilesAndDirectories
    • -
    • UserRights/ChangeSystemTime
    • -
    • UserRights/CreateGlobalObjects
    • -
    • UserRights/CreatePageFile
    • -
    • UserRights/CreatePermanentSharedObjects
    • -
    • UserRights/CreateSymbolicLinks
    • -
    • UserRights/CreateToken
    • -
    • UserRights/DebugPrograms
    • -
    • UserRights/DenyAccessFromNetwork
    • -
    • UserRights/DenyLocalLogOn
    • -
    • UserRights/DenyRemoteDesktopServicesLogOn
    • -
    • UserRights/EnableDelegation
    • -
    • UserRights/GenerateSecurityAudits
    • -
    • UserRights/ImpersonateClient
    • -
    • UserRights/IncreaseSchedulingPriority
    • -
    • UserRights/LoadUnloadDeviceDrivers
    • -
    • UserRights/LockMemory
    • -
    • UserRights/ManageAuditingAndSecurityLog
    • -
    • UserRights/ManageVolume
    • -
    • UserRights/ModifyFirmwareEnvironment
    • -
    • UserRights/ModifyObjectLabel
    • -
    • UserRights/ProfileSingleProcess
    • -
    • UserRights/RemoteShutdown
    • -
    • UserRights/RestoreFilesAndDirectories
    • -
    • UserRights/TakeOwnership
    • -
    • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
    • -
    • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
    • -
    • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
    • -
    • WindowsDefenderSecurityCenter/HideSecureBoot
    • -
    • WindowsDefenderSecurityCenter/HideTPMTroubleshooting
    • -
    -

    Added the following policies the were added in Windows 10, version 1709

    -
      -
    • DeviceLock/MinimumPasswordAge
    • -
    • Settings/AllowOnlineTips
    • -
    • System/DisableEnterpriseAuthProxy
    • -
    -

    Security/RequireDeviceEncryption - updated to show it is supported in desktop.

    -
    BitLocker CSP

    Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

    -
    EnterpriseModernAppManagement CSP

    Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.

    -
    DMClient CSP

    Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

    -
      -
    • AADSendDeviceToken
    • -
    • BlockInStatusPage
    • -
    • AllowCollectLogsButton
    • -
    • CustomErrorText
    • -
    • SkipDeviceStatusPage
    • -
    • SkipUserStatusPage
    • -
    -
    Defender CSP

    Added new node (OfflineScan) in Windows 10, version 1803.

    -
    UEFI CSP

    Added a new CSP in Windows 10, version 1803.

    -
    Update CSP

    Added the following nodes in Windows 10, version 1803:

    -
      -
    • Rollback
    • -
    • Rollback/FeatureUpdate
    • -
    • Rollback/QualityUpdateStatus
    • -
    • Rollback/FeatureUpdateStatus
    • -
    -
    +|New or updated article|Description| +|--- |--- | +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
  • Browser/AllowConfigurationUpdateForBooksLibrary
  • Browser/AlwaysEnableBooksLibrary
  • Browser/EnableExtendedBooksTelemetry
  • Browser/UseSharedFolderForBooks
  • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
  • DeliveryOptimization/DODelayForegroundDownloadFromHttp
  • DeliveryOptimization/DOGroupIdSource
  • DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
  • DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
  • DeliveryOptimization/DORestrictPeerSelectionBy
  • DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
  • DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
  • KioskBrowser/BlockedUrlExceptions
  • KioskBrowser/BlockedUrls
  • KioskBrowser/DefaultURL
  • KioskBrowser/EnableHomeButton
  • KioskBrowser/EnableNavigationButtons
  • KioskBrowser/RestartOnIdleTime
  • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
  • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
  • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
  • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
  • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
  • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
  • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
  • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
  • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
  • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
  • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
  • RestrictedGroups/ConfigureGroupMembership
  • Search/AllowCortanaInAAD
  • Search/DoNotUseWebResults
  • Security/ConfigureWindowsPasswords
  • System/FeedbackHubAlwaysSaveDiagnosticsLocally
  • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
  • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
  • SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
  • SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
  • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
  • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
  • TaskScheduler/EnableXboxGameSaveTask
  • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
  • Update/ConfigureFeatureUpdateUninstallPeriod
  • UserRights/AccessCredentialManagerAsTrustedCaller
  • UserRights/AccessFromNetwork
  • UserRights/ActAsPartOfTheOperatingSystem
  • UserRights/AllowLocalLogOn
  • UserRights/BackupFilesAndDirectories
  • UserRights/ChangeSystemTime
  • UserRights/CreateGlobalObjects
  • UserRights/CreatePageFile
  • UserRights/CreatePermanentSharedObjects
  • UserRights/CreateSymbolicLinks
  • UserRights/CreateToken
  • UserRights/DebugPrograms
  • UserRights/DenyAccessFromNetwork
  • UserRights/DenyLocalLogOn
  • UserRights/DenyRemoteDesktopServicesLogOn
  • UserRights/EnableDelegation
  • UserRights/GenerateSecurityAudits
  • UserRights/ImpersonateClient
  • UserRights/IncreaseSchedulingPriority
  • UserRights/LoadUnloadDeviceDrivers
  • UserRights/LockMemory
  • UserRights/ManageAuditingAndSecurityLog
  • UserRights/ManageVolume
  • UserRights/ModifyFirmwareEnvironment
  • UserRights/ModifyObjectLabel
  • UserRights/ProfileSingleProcess
  • UserRights/RemoteShutdown
  • UserRights/RestoreFilesAndDirectories
  • UserRights/TakeOwnership
  • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
  • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
  • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
  • WindowsDefenderSecurityCenter/HideSecureBoot
  • WindowsDefenderSecurityCenter/HideTPMTroubleshooting

    Added the following policies the were added in Windows 10, version 1709
  • DeviceLock/MinimumPasswordAge
  • Settings/AllowOnlineTips
  • System/DisableEnterpriseAuthProxy

    Security/RequireDeviceEncryption - updated to show it is supported in desktop.| +|[BitLocker CSP](bitlocker-csp.md)|Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.| +|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.| +|[DMClient CSP](dmclient-csp.md)|Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
  • AADSendDeviceToken
  • BlockInStatusPage
  • AllowCollectLogsButton
  • CustomErrorText
  • SkipDeviceStatusPage
  • SkipUserStatusPage| +|[Defender CSP](defender-csp.md)|Added new node (OfflineScan) in Windows 10, version 1803.| +|[UEFI CSP](uefi-csp.md)|Added a new CSP in Windows 10, version 1803.| +|[Update CSP](update-csp.md)|Added the following nodes in Windows 10, version 1803:
  • Rollback
  • Rollback/FeatureUpdate
  • Rollback/QualityUpdateStatus
  • Rollback/FeatureUpdateStatus| ## December 2017 - ---- - - - - - - - - - - - -
    New or updated articleDescription
    Configuration service provider reference

    Added new section CSP DDF files download

    -
    +|New or updated article|Description| +|--- |--- | +|[Configuration service provider reference](configuration-service-provider-reference.md)|Added new section [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)| ## November 2017 - ---- - - - - - - - - - - - -
    New or updated articleDescription
    Policy CSP

    Added the following policies for Windows 10, version 1709:

    -
      -
    • Authentication/AllowFidoDeviceSignon
    • -
    • Cellular/LetAppsAccessCellularData
    • -
    • Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
    • -
    • Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
    • -
    • Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
    • -
    • Start/HidePeopleBar
    • -
    • Storage/EnhancedStorageDevices
    • -
    • Update/ManagePreviewBuilds
    • -
    • WirelessDisplay/AllowMdnsAdvertisement
    • -
    • WirelessDisplay/AllowMdnsDiscovery
    • -
    -

    Added missing policies from previous releases:

    -
      -
    • Connectivity/DisallowNetworkConnectivityActiveTest
    • -
    • Search/AllowWindowsIndexer
    • -
    -
    +|New or updated article|Description| +|--- |--- | +|[Policy CSP](policy-configuration-service-provider.md)|Added the following policies for Windows 10, version 1709:
  • Authentication/AllowFidoDeviceSignon
  • Cellular/LetAppsAccessCellularData
  • Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
  • Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
  • Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
  • Start/HidePeopleBar
  • Storage/EnhancedStorageDevices
  • Update/ManagePreviewBuilds
  • WirelessDisplay/AllowMdnsAdvertisement
  • WirelessDisplay/AllowMdnsDiscovery

    Added missing policies from previous releases:
  • Connectivity/DisallowNetworkConnectivityActiveTest
  • Search/AllowWindowsIndexer| ## October 2017 - ---- - - - - - - - - - - - - - - - - - - - - - - - -
    New or updated articleDescription
    Policy DDF file

    Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.

    -
    Policy CSP

    Updated the following policies:

    -
      -
    • Defender/ControlledFolderAccessAllowedApplications - string separator is |.
    • -
    • Defender/ControlledFolderAccessProtectedFolders - string separator is |.
    • -
    -
    eUICCs CSP

    Added new CSP in Windows 10, version 1709.

    -
    AssignedAccess CSP

    Added SyncML examples for the new Configuration node.

    -
    DMClient CSP

    Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

    -
    +| New or updated article | Description | +| --- | --- | +| [Policy DDF file](policy-ddf-file.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. | +| [Policy CSP](policy-configuration-service-provider.md) | Updated the following policies:

    - Defender/ControlledFolderAccessAllowedApplications - string separator is `|`
    - Defender/ControlledFolderAccessProtectedFolders - string separator is `|` | +| [eUICCs CSP](euiccs-csp.md) | Added new CSP in Windows 10, version 1709. | +| [AssignedAccess CSP](assignedaccess-csp.md) | Added SyncML examples for the new Configuration node. | +| [DMClient CSP](dmclient-csp.md) | Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics. | ## September 2017 - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    New or updated articleDescription
    Policy CSP

    Added the following new policies for Windows 10, version 1709:

    -
      -
    • Authentication/AllowAadPasswordReset
    • -
    • Handwriting/PanelDefaultModeDocked
    • -
    • Search/AllowCloudSearch
    • -
    • System/LimitEnhancedDiagnosticDataWindowsAnalytics
    • -
    -

    Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.

    -
    AssignedAccess CSP

    Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.

    -
    Microsoft Store for Business and Microsoft Store

    Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

    -
    The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2

    The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

    -
      -
    • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
    • -
    • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
    • -
    • DomainName - fully qualified domain name if the device is domain-joined.
    • -
    -

    For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

    -
    EnterpriseAPN CSP

    Added a SyncML example.

    -
    VPNv2 CSP

    Added RegisterDNS setting in Windows 10, version 1709.

    -
    Enroll a Windows 10 device automatically using Group Policy

    Added new topic to introduce a new Group Policy for automatic MDM enrollment.

    -
    MDM enrollment of Windows-based devices

    New features in the Settings app:

    -
      -
    • User sees installation progress of critical policies during MDM enrollment.
    • -
    • User knows what policies, profiles, apps MDM has configured
    • -
    • IT helpdesk can get detailed MDM diagnostic information using client tools
    • -
    -

    For details, see Managing connections and Collecting diagnostic logs

    -
    +|New or updated article|Description| +|--- |--- | +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:
  • Authentication/AllowAadPasswordReset
  • Handwriting/PanelDefaultModeDocked
  • Search/AllowCloudSearch
  • System/LimitEnhancedDiagnosticDataWindowsAnalytics

    Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.| +|[AssignedAccess CSP](assignedaccess-csp.md)|Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.| +|Microsoft Store for Business and Microsoft Store|Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.| +|The [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692)|The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
  • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
  • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
  • DomainName - fully qualified domain name if the device is domain-joined.

    For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.| +|[EnterpriseAPN CSP](enterpriseapn-csp.md)|Added a SyncML example.| +|[VPNv2 CSP](vpnv2-csp.md)|Added RegisterDNS setting in Windows 10, version 1709.| +|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Added new topic to introduce a new Group Policy for automatic MDM enrollment.| +|[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)|New features in the Settings app:
  • User sees installation progress of critical policies during MDM enrollment.
  • User knows what policies, profiles, apps MDM has configured
  • IT helpdesk can get detailed MDM diagnostic information using client tools

    For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)| ## August 2017 - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    New or updated articleDescription
    Enable ADMX-backed policies in MDM

    Added new step-by-step guide to enable ADMX-backed policies.

    -
    Mobile device enrollment

    Added the following statement:

    -
      -
    • Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
    • -
    -
    CM_CellularEntries CSP

    Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

    -
    EnterpriseDataProtection CSP

    Updated the Settings/EDPEnforcementLevel values to the following:

    -
      -
    • 0 (default) – Off / No protection (decrypts previously protected data).
    • -
    • 1 – Silent mode (encrypt and audit only).
    • -
    • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
    • -
    • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
    • -
    -
    AppLocker CSP

    Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.

    -
    DeviceManageability CSP

    Added the following settings in Windows 10, version 1709:

    -
      -
    • Provider/ProviderID/ConfigInfo
    • -
    • Provider/ProviderID/EnrollmentInfo
    • -
    -
    Office CSP

    Added the following setting in Windows 10, version 1709:

    -
      -
    • Installation/CurrentStatus
    • -
    -
    BitLocker CSPAdded information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. -
    Firewall CSPUpdated the CSP and DDF topics. Here are the changes: -
      -
    • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
    • -
    • Changed some data types from integer to bool.
    • -
    • Updated the list of supported operations for some settings.
    • -
    • Added default values.
    • -
    -
    Policy DDF fileAdded another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies: -
      -
    • Browser/AllowMicrosoftCompatibilityList
    • -
    • Update/DisableDualScan
    • -
    • Update/FillEmptyContentUrls
    • -
    -
    Policy CSP

    Added the following new policies for Windows 10, version 1709:

    -
      -
    • Browser/ProvisionFavorites
    • -
    • Browser/LockdownFavorites
    • -
    • ExploitGuard/ExploitProtectionSettings
    • -
    • Games/AllowAdvancedGamingServices
    • -
    • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
    • -
    • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
    • -
    • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
    • -
    • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
    • -
    • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
    • -
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
    • -
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
    • -
    • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
    • -
    • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
    • -
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
    • -
    • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
    • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    • -
    • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    • -
    • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
    • -
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
    • -
    • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
    • -
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
    • -
    • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
    • -
    • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
    • -
    • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
    • -
    • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
    • -
    • Privacy/EnableActivityFeed
    • -
    • Privacy/PublishUserActivities
    • -
    • Update/DisableDualScan
    • -
    • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
    • -
    -

    Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

    -

    Changed the names of the following policies:

    -
      -
    • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
    • -
    • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
    • -
    • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess
    • -
    -

    Added links to the additional ADMX-backed BitLocker policies.

    -

    There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:

    -
      -
    • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
    • -
    • Start/HideAppList
    • -
    -
    \ No newline at end of file +|New or updated article|Description| +|--- |--- | +|[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)|Added new step-by-step guide to enable ADMX-backed policies.| +|[Mobile device enrollment](mobile-device-enrollment.md)|Added the following statement:

    Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.| +|[CM_CellularEntries CSP](cm-cellularentries-csp.md)|Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.| +|[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)|Updated the Settings/EDPEnforcementLevel values to the following:
  • 0 (default) – Off / No protection (decrypts previously protected data).
  • 1 – Silent mode (encrypt and audit only).
  • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
  • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).| +|[AppLocker CSP](applocker-csp.md)|Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Allow list examples](applocker-csp.md#allow-list-examples).| +|[DeviceManageability CSP](devicemanageability-csp.md)|Added the following settings in Windows 10, version 1709:
  • Provider/ProviderID/ConfigInfo
  • Provider/ProviderID/EnrollmentInfo| +|[Office CSP](office-csp.md)|Added the following setting in Windows 10, version 1709:
  • Installation/CurrentStatus| +|[BitLocker CSP](bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.| +|[Firewall CSP](firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:
  • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
  • Changed some data types from integer to bool.
  • Updated the list of supported operations for some settings.
  • Added default values.| +|[Policy DDF file](policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
  • Browser/AllowMicrosoftCompatibilityList
  • Update/DisableDualScan
  • Update/FillEmptyContentUrls| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:
  • Browser/ProvisionFavorites
  • Browser/LockdownFavorites
  • ExploitGuard/ExploitProtectionSettings
  • Games/AllowAdvancedGamingServices
  • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
  • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
  • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
  • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
  • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
  • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
  • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
  • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
  • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
  • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
  • Privacy/EnableActivityFeed
  • Privacy/PublishUserActivities
  • Update/DisableDualScan
  • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork

    Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

    Changed the names of the following policies:
  • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
  • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
  • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess

    Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

    There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:
  • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
  • Start/HideAppList| diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index b45c527d4d..40f3e5bdfd 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -8448,6 +8448,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
    TextInput/AllowLinguisticDataCollection
    +
    + TextInput/AllowTextInputSuggestionUpdate +
    TextInput/ConfigureJapaneseIMEVersion
    @@ -8498,9 +8501,18 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ### TimeLanguageSettings policies
    +
    + TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks +
    TimeLanguageSettings/ConfigureTimeZone
    +
    + TimeLanguageSettings/MachineUILanguageOverwrite +
    +
    + TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall +
    ### Troubleshooting policies diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index addf196173..be2edb8989 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -58,6 +58,9 @@ manager: dansimp
    TextInput/AllowLinguisticDataCollection
    +
    + TextInput/AllowTextInputSuggestionUpdate +
    TextInput/ConfigureJapaneseIMEVersion
    @@ -616,6 +619,51 @@ This setting supports a range of values between 0 and 1.
+
+**TextInput/AllowTextInputSuggestionUpdate**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+Allows the user to turn on or off the automatic downloading of newer versions of the Expressive Input UI.
+When downloading is not allowed the Expressive Input panel will always display the initial UI included with the base Windows image.
+
+Most restricted value is 0.
+
+Default: Enabled
+
+
+
+The following list shows the supported values:
+
+- 1 (Enabled) - The newer UX is downloaded from Microsoft service.
+- 0 (Disabled) - The UX remains unchanged with what the operating system installs.
+
+
+
+
    + **TextInput/ConfigureJapaneseIMEVersion** diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index c2421b3ac0..c1f1785f9d 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -22,12 +22,75 @@ manager: dansimp ## TimeLanguageSettings policies
    +
    + TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks +
    TimeLanguageSettings/ConfigureTimeZone
    +
    + TimeLanguageSettings/MachineUILanguageOverwrite +
    +
    + TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall +
    +
+
+
+**TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
    + + + +This policy setting controls whether the maintenance task will run to clean up language packs installed on a machine but are not used by any users on that machine. + +If you enable this policy setting (value 1), language packs that are installed as part of the system image will remain installed even if they are not used by any user on that system. + +If you disable (value 0) or do not configure this policy setting, language packs that are installed as part of the system image but are not used by any user on that system will be removed as part of a scheduled clean up task. + + + + + + +ADMX Info: +- GP Friendly name: *Block cleanup of unused language packs* +- GP name: *BlockCleanupOfUnusedPreinstalledLangPacks* +- GP path: *Computer Configuration/Administrative Templates/Control Panel/Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + + + + + + + +
    @@ -74,5 +137,103 @@ Specifies the time zone to be applied to the device. This is the standard Window
+
+**TimeLanguageSettings/MachineUILanguageOverwrite**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
    + + + +This policy setting controls which UI language is used for computers with more than one UI language installed. + +If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the local administrator. + +If you disable or do not configure this policy setting, there is no restriction of a specific language used for the Windows menus and dialogs. + + + + + + +ADMX Info: +- GP Friendly name: *Force selected system UI language to overwrite the user UI language* +- GP name: *MachineUILanguageOverwrite* +- GP path: *Computer Configuration/Administrative Templates/Control Panel/Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + + + + + + + + +
+
+
+**TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
    + + + +This policy setting restricts standard users from installing language features on demand. This policy does not restrict the Windows language, if you want to restrict the Windows language use the following policy: “Restricts the UI languages Windows should use for the selected user.” + +If you enable this policy setting, the installation of language features is prevented for standard users. + +If you disable or do not configure this policy setting, there is no language feature installation restriction for the standard users. + + + + + + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index ec5de9aacf..a89fed4218 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1222,7 +1222,6 @@ Enable IT admin to configure feature update uninstall period. Values range 2 - 6 -Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Defers Feature Updates for the specified number of days. @@ -1394,8 +1393,6 @@ ADMX Info: > [!NOTE] -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. -> > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. @@ -1929,8 +1926,6 @@ ADMX Info: -> [!NOTE] -> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. Allows IT Admins to exclude Windows Update (WU) drivers during updates. 
@@ -2049,7 +2044,7 @@ The following list shows the supported values: To validate this policy: 1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: +2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell: ```TShell exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' ``` @@ -2102,7 +2097,7 @@ The following list shows the supported values: To validate this policy: 1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: +2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell: ```TShell exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I' ``` @@ -2244,8 +2239,6 @@ The following list shows the supported values: -Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. - Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you are running Windows 10, version 1703 or later. @@ -2422,38 +2415,14 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd **Update/ProductVersion** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    EditionWindows 10Windows 11
    HomeNoNo
    ProYesYes
    BusinessYesYes
    EnterpriseYesYes
    EducationYesYes
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
    @@ -2578,7 +2547,7 @@ The following list shows the supported values: > [!NOTE] -> This policy is *only* recommended for managing mobile devices. If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. +> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 8f3f00962f..703606edff 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -86,18 +86,6 @@ The following table describes settings that you can configure using the wizards | Configure kiosk common settings | Set tablet mode, configure welcome and shutdown screens, turn off timeout settings | ❌ | ✔️ | ❌ | | Developer Setup | Enable Developer Mode | ❌ | ❌ | ✔️ | - - - - - - - - - - - - - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#wizard) 
@@ -138,7 +126,7 @@ WCD supports the following scenarios for IT administrators: * **Simple provisioning** – Enables IT administrators to define a desired configuration in WCD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. -[Learn how to use simple provisioning to configure Windows computers.](provision-pcs-for-initial-deployment.md) + [Learn how to use simple provisioning to configure Windows computers.](provision-pcs-for-initial-deployment.md) * **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use WCD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 0cb346ab02..18cc716b31 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -64,8 +64,8 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re | Setting | Value | |:---|:---| | EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings)

    Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. | -| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC.
    - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
    - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
    - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. | -| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
    - **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

    Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not.
    - **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** | +| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in.

    Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC.

    - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
    - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
    - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. | +| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.

    - **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

    Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not.
    - **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** | | AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | | AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | | AccountManagement: InactiveThreshold | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. | @@ -243,92 +243,137 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac New-Item -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\$sid" -Force ``` - ## Policies set by shared PC mode + Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options. > [!IMPORTANT] > It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required. - +### Admin Templates > Control Panel > Personalization - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Policy name

    Value

    When set?

    Admin Templates > Control Panel > Personalization

    Prevent enabling lock screen slide show

    Enabled

    Always

    Prevent changing lock screen and logon image

    Enabled

    Always

    Admin Templates > System > Power Management > Button Settings

    Select the Power button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the Power button action (on battery)

    Sleep

    SetPowerPolicies=True

    Select the Sleep button action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (plugged in)

    Sleep

    SetPowerPolicies=True

    Select the lid switch action (on battery)

    Sleep

    SetPowerPolicies=True

    Admin Templates > System > Power Management > Sleep Settings

    Require a password when a computer wakes (plugged in)

    Enabled

    SignInOnResume=True

    Require a password when a computer wakes (on battery)

    Enabled

    SignInOnResume=True

    Specify the system sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the system sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Turn off hybrid sleep (plugged in)

    Enabled

    SetPowerPolicies=True

    Turn off hybrid sleep (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the unattended sleep timeout (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Specify the unattended sleep timeout (on battery)

    SleepTimeout

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (plugged in)

    Enabled

    SetPowerPolicies=True

    Allow standby states (S1-S3) when sleeping (on battery)

    Enabled

    SetPowerPolicies=True

    Specify the system hibernate timeout (plugged in)

    Enabled, 0

    SetPowerPolicies=True

    Specify the system hibernate timeout (on battery)

    Enabled, 0

    SetPowerPolicies=True

    Admin Templates>System>Power Management>Video and Display Settings

    Turn off the display (plugged in)

    SleepTimeout

    SetPowerPolicies=True

    Turn off the display (on battery

    SleepTimeout

    SetPowerPolicies=True

    Admin Templates>System>Power Management>Energy Saver Settings

    Energy Saver Battery Threshold (on battery)70SetPowerPolicies=True

    Admin Templates>System>Logon

    Show first sign-in animation

    Disabled

    Always

    Hide entry points for Fast User Switching

    Enabled

    Always

    Turn on convenience PIN sign-in

    Disabled

    Always

    Turn off picture password sign-in

    Enabled

    Always

    Turn off app notification on the lock screen

    Enabled

    Always

    Allow users to select when a password is required when resuming from connected standby

    Disabled

    SignInOnResume=True

    Block user from showing account details on sign-in

    Enabled

    Always

    Admin Templates>System>User Profiles

    Turn off the advertising ID

    Enabled

    SetEduPolicies=True

    Admin Templates>Windows Components

    Do not show Windows Tips

    Enabled

    SetEduPolicies=True

    Turn off Microsoft consumer experiences

    Enabled

    SetEduPolicies=True

    Microsoft Passport for Work

    Disabled

    Always

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Admin Templates>Windows Components>Biometrics

    Allow the use of biometrics

    Disabled

    Always

    Allow users to log on using biometrics

    Disabled

    Always

    Allow domain users to log on using biometrics

    Disabled

    Always

    Admin Templates>Windows Components>Data Collection and Preview Builds

    Toggle user control over Insider builds

    Disabled

    Always

    Disable pre-release features or settings

    Disabled

    Always

    Do not show feedback notifications

    Enabled

    Always

    Allow TelemetryBasic, 0SetEduPolicies=True

    Admin Templates>Windows Components>File Explorer

    Show lock in the user tile menu

    Disabled

    Always

    Admin Templates>Windows Components>Maintenance Scheduler

    Automatic Maintenance Activation Boundary

    MaintenanceStartTime

    Always

    Automatic Maintenance Random Delay

    Enabled, 2 hours

    Always

    Automatic Maintenance WakeUp Policy

    Enabled

    Always

    Admin Templates>Windows Components>Windows Hello for Business

    Use phone sign-in

    Disabled

    Always

    Use Windows Hello for Business

    Disabled

    Always

    Use biometrics

    Disabled

    Always

    Admin Templates>Windows Components>OneDrive

    Prevent the usage of OneDrive for file storage

    Enabled

    Always

    Windows Settings>Security Settings>Local Policies>Security Options

    Interactive logon: Do not display last user name

    Enabled, Disabled when account model is only guest

    Always

    Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

    Disabled

    Always

    Shutdown: Allow system to be shut down without having to log on

    Disabled

    Always

    User Account Control: Behavior of the elevation prompt for standard users

    Auto deny

    Always



    +|Policy Name| Value|When set?| +|--- |--- |--- | +|Prevent enabling lock screen slide show|Enabled|Always| +|Prevent changing lock screen and logon image|Enabled|Always| +### Admin Templates > System > Power Management > Button Settings +|Policy Name| Value|When set?| +|--- |--- |--- | +|Select the Power button action (plugged in)|Sleep|SetPowerPolicies=True| +|Select the Power button action (on battery)|Sleep|SetPowerPolicies=True| +|Select the Sleep button action (plugged in)|Sleep|SetPowerPolicies=True| +|Select the lid switch action (plugged in)|Sleep|SetPowerPolicies=True| +|Select the lid switch action (on battery)|Sleep|SetPowerPolicies=True| +### Admin Templates > System > Power Management > Sleep Settings +|Policy Name| Value|When set?| +|--- |--- |--- | +|Require a password when a computer wakes (plugged in)|Enabled|SignInOnResume=True| +|Require a password when a computer wakes (on battery)|Enabled|SignInOnResume=True| +|Specify the system sleep timeout (plugged in)|*SleepTimeout*|SetPowerPolicies=True| +|Specify the system sleep timeout (on battery)|*SleepTimeout*|SetPowerPolicies=True| +|Turn off hybrid sleep (plugged in)|Enabled|SetPowerPolicies=True| +|Turn off hybrid sleep (on battery)|Enabled|SetPowerPolicies=True| +|Specify the unattended sleep timeout (plugged in)|*SleepTimeout*|SetPowerPolicies=True| +|Specify the unattended sleep timeout (on battery)|*SleepTimeout*|SetPowerPolicies=True| +|Allow standby states (S1-S3) when sleeping (plugged in)|Enabled|SetPowerPolicies=True| +|Allow standby states (S1-S3) when sleeping (on battery)|Enabled |SetPowerPolicies=True| +|Specify the system hibernate timeout (plugged in)|Enabled, 0|SetPowerPolicies=True| +|Specify the system hibernate timeout (on battery)|Enabled, 0|SetPowerPolicies=True| +### Admin Templates>System>Power Management>Video and Display Settings + +|Policy Name| Value|When set?| +|--- |--- |--- | +|Turn off the display (plugged in)|*SleepTimeout*|SetPowerPolicies=True| +|Turn off 
the display (on battery|*SleepTimeout*|SetPowerPolicies=True| + +### Admin Templates>System>Power Management>Energy Saver Settings + +|Policy Name| Value|When set?| +|--- |--- |--- | +|Energy Saver Battery Threshold (on battery)|70|SetPowerPolicies=True| + +### Admin Templates>System>Logon + +|Policy Name| Value|When set?| +|--- |--- |--- | +|Show first sign-in animation|Disabled|Always| +|Hide entry points for Fast User Switching|Enabled|Always| +|Turn on convenience PIN sign-in|Disabled|Always| +|Turn off picture password sign-in|Enabled|Always| +|Turn off app notification on the lock screen|Enabled|Always| +|Allow users to select when a password is required when resuming from connected standby|Disabled|SignInOnResume=True| +|Block user from showing account details on sign-in|Enabled|Always| + +### Admin Templates>System>User Profiles + +|Policy Name| Value|When set?| +|--- |--- |--- | +|Turn off the advertising ID|Enabled|SetEduPolicies=True| + +### Admin Templates>Windows Components + +|Policy Name| Value|When set?| +|--- |--- |--- | +|Do not show Windows Tips |Enabled|SetEduPolicies=True| +|Turn off Microsoft consumer experiences |Enabled|SetEduPolicies=True| +|Microsoft Passport for Work|Disabled|Always| +|Prevent the usage of OneDrive for file storage|Enabled|Always| + +### Admin Templates>Windows Components>Biometrics + +|Policy Name| Value|When set?| +|--- |--- |--- | +|Allow the use of biometrics|Disabled|Always| +|Allow users to log on using biometrics|Disabled|Always| +|Allow domain users to log on using biometrics|Disabled|Always| + +### Admin Templates>Windows Components>Data Collection and Preview Builds + +|Policy Name| Value|When set?| +|--- |--- |--- | +|Toggle user control over Insider builds|Disabled|Always| +|Disable pre-release features or settings|Disabled|Always| +|Do not show feedback notifications|Enabled|Always| +|Allow Telemetry|Basic, 0|SetEduPolicies=True| + +### Admin Templates>Windows Components>File Explorer + +|Policy Name| 
Value|When set?| +|--- |--- |--- | +|Show lock in the user tile menu|Disabled|Always| + +### Admin Templates>Windows Components>Maintenance Scheduler + +|Policy Name| Value|When set?| +|--- |--- |--- | +|Automatic Maintenance Activation Boundary|*MaintenanceStartTime*|Always| +|Automatic Maintenance Random Delay|Enabled, 2 hours|Always| +|Automatic Maintenance WakeUp Policy|Enabled|Always| + +### Admin Templates>Windows Components>Windows Hello for Business + +|Policy Name| Value|When set?| +|--- |--- |--- | +|Use phone sign-in|Disabled|Always| +|Use Windows Hello for Business|Disabled|Always| +|Use biometrics|Disabled|Always| + +### Admin Templates>Windows Components>OneDrive + +|Policy Name| Value|When set?| +|--- |--- |--- | +|Prevent the usage of OneDrive for file storage|Enabled|Always| + +### Windows Settings>Security Settings>Local Policies>Security Options + +|Policy Name| Value|When set?| +|--- |--- |--- | +|Interactive logon: Do not display last user name|Enabled, Disabled when account model is only guest|Always| +|Interactive logon: Sign-in last interactive user automatically after a system-initiated restart|Disabled |Always| +|Shutdown: Allow system to be shut down without having to log on|Disabled|Always| +|User Account Control: Behavior of the elevation prompt for standard users|Auto deny|Always| diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index e7434cf95e..4505749b15 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -135,6 +135,7 @@ Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a ### Scenario example Downgrading from Enterprise + - Original edition: **Professional OEM** - Upgrade edition: **Enterprise** - Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** 
@@ -143,102 +144,24 @@ You can move directly from Enterprise to any valid destination edition. In this ### Supported Windows 10 downgrade paths -✔ = Supported downgrade path
    - S  = Supported; Not considered a downgrade or an upgrade
    -[blank] = Not supported or not a downgrade
    +✔ = Supported downgrade path -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Destination edition
           HomeProPro for WorkstationsPro EducationEducationEnterprise LTSCEnterprise
    Starting edition
    Home
    Pro
    Pro for Workstations
    Pro Education
    EducationS
    Enterprise LTSC
    EnterpriseS
    +S = Supported; Not considered a downgrade or an upgrade + +[blank] = Not supported or not a downgrade + +**Destination Edition: (Starting)** + +|Edition|Home|Pro|Pro for Workstations|Pro Education|Education|Enterprise LTSC|Enterprise| +|--- |--- |--- |--- |--- |--- |--- |--- | +|Home|||||||| +|Pro|||||||| +|Pro for Workstations|||||||| +|Pro Education|||||||| +|Education||✔|✔|✔|||S| +|Enterprise LTSC|||||||| +|Enterprise||✔|✔|✔|S||| -> > **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro. @@ -247,4 +170,4 @@ Some slightly more complex scenarios are not represented by the table above. For [Windows 10 upgrade paths](./windows-10-upgrade-paths.md)
    [Windows 10 volume license media](../windows-10-media.md)
    -[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) \ No newline at end of file +[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index b8352c8389..d63a5a3512 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -28,64 +28,16 @@ When you PXE-boot from a WDS server that uses the **boot.wim** file from install ## Deployment scenarios affected -The table below provides support details for specific deployment scenarios. +The table below provides support details for specific deployment scenarios (Boot Image Version). + +||Windows 10|Windows Server 2016|Windows Server 2019|Windows Server 2022|Windows 11| +|--- |--- |--- |--- |--- |--- | +|**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.| +|**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.| +|**Windows Server 2019**|Supported, using a boot image from Windows 10, version 1809 or later.|Supported.|Supported.|Not supported.|Not supported.| +|**Windows Server 2022**|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Not supported.| +|**Windows 11**|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.| -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
           Windows 10Windows Server 2016Windows Server 2019Windows Server 2022Windows 11
    -
     
     
     
     
     
     
     
     
     
    Boot image version
    Windows 10Supported, using a boot image from matching or newer version.Supported, using a boot image from Windows 10, version 1607 or later.Supported, using a boot image from Windows 10, version 1809 or later.Not supported.Not supported.
    Windows Server 2016Supported, using a boot image from Windows 10, version 1607 or later.Supported.Not supported.Not supported.Not supported.
    Windows Server 2019Supported, using a boot image from Windows 10, version 1809 or later.Supported.Supported.Not supported.Not supported.
    Windows Server 2022Deprecated, with a warning message.Deprecated, with a warning message.Deprecated, with a warning message.Deprecated, with a warning message.Not supported.
    Windows 11Not supported, blocked.Not supported, blocked.Not supported, blocked.Not supported, blocked.Not supported, blocked.
    ## Reason for the change diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 098cf03790..d283c2d8f3 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -23,123 +23,41 @@ ms.collection: highpri To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. -The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. +## Deployment categories + +The following tables summarize various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. + - Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home). - - Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. + + > [!NOTE] + > Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates. + - Dynamic deployment methods enable you to configure applications and settings for specific use cases. + - Traditional deployment methods use existing tools to deploy operating system images.
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    CategoryScenarioDescriptionMore information
    Modern +### Modern -[Windows Autopilot](#windows-autopilot) - Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. - -Overview of Windows Autopilot -
    +|Scenario|Description|More information| +|--- |--- |--- | +|[Windows Autopilot](#windows-autopilot)|Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured|[Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot)| +|[In-place upgrade](#in-place-upgrade)|Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.|[Perform an in-place upgrade to Windows 10 with MDT](/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit)
    [Perform an in-place upgrade to Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager)| -[In-place upgrade](#in-place-upgrade) +### Dynamic -
    - Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old. - -Perform an in-place upgrade to Windows 10 with MDT
    Perform an in-place upgrade to Windows 10 using Configuration Manager -
    - Dynamic - +|Scenario|Description|More information| +|--- |--- |--- | +|[Subscription Activation](#windows-10-subscription-activation)|Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.|[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)| +|[AAD / MDM](#dynamic-provisioning)|The device is automatically joined to AAD and configured by MDM.|[Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)| +|[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)| -[Subscription Activation](#windows-10-subscription-activation) - - Switch from Windows 10 Pro to Enterprise when a subscribed user signs in. - -Windows 10 Subscription Activation -
    - - [AAD / MDM](#dynamic-provisioning) - - The device is automatically joined to AAD and configured by MDM. - -Azure Active Directory integration with MDM -
    - - [Provisioning packages](#dynamic-provisioning) - - Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices. - -Configure devices without MDM -
    - Traditional - - - [Bare metal](#new-computer) - - Deploy a new device, or wipe an existing device and deploy with a fresh image. - - Deploy a Windows 10 image using MDT
    Deploy Windows 10 using PXE and Configuration Manager -
    - - [Refresh](#computer-refresh) - - Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. - - Refresh a Windows 7 computer with Windows 10
    Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager -
    - - [Replace](#computer-replace) - - Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device. - - Replace a Windows 7 computer with a Windows 10 computer
    Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -
    - -
      +### Traditional +|Scenario|Description|More information| +|--- |--- |--- | +|[Bare metal](#new-computer)|Deploy a new device, or wipe an existing device and deploy with a fresh image. |[Deploy a Windows 10 image using MDT](/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt)
    [Deploy Windows 10 using PXE and Configuration Manager](/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager)| +|[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows 7 computer with Windows 10](/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)
    [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)| +|[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows 7 computer with a Windows 10 computer](/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)
    [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)| >[!IMPORTANT] >The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
    @@ -176,8 +94,11 @@ Scenarios that support in-place upgrade with some additional procedures include There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: - Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers. + - Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. + - Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS. + - Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken. diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index c59e537d48..6cc78efe42 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md 
@@ -25,7 +25,8 @@ ms.topic: article - Windows 10 -**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: +> [!IMPORTANT] +> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: - [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide: @@ -36,7 +37,7 @@ The PoC environment is a virtual network running on Hyper-V with three virtual m - **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. - **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network. ->This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work. +This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work. ## In this guide 
@@ -44,23 +45,15 @@ This guide provides instructions to install and configure the Microsoft Deployme Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. -
    - -
    - - -
    TopicDescriptionTime - -
    About MDTA high-level overview of the Microsoft Deployment Toolkit (MDT).Informational -
    Install MDTDownload and install MDT.40 minutes -
    Create a deployment share and reference imageA reference image is created to serve as the template for deploying new images.90 minutes -
    Deploy a Windows 10 image using MDTThe reference image is deployed in the PoC environment.60 minutes -
    Refresh a computer with Windows 10Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.60 minutes -
    Replace a computer with Windows 10Back up an existing client computer, then restore this backup to a new computer.60 minutes -
    Troubleshooting logs, events, and utilitiesLog locations and troubleshooting hints.Informational -
    - -
    +|Topic|Description|Time| +|--- |--- |--- | +|[About MDT](#about-mdt)|A high-level overview of the Microsoft Deployment Toolkit (MDT).|Informational| +|[Install MDT](#install-mdt)|Download and install MDT.|40 minutes| +|[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)|A reference image is created to serve as the template for deploying new images.|90 minutes| +|[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)|The reference image is deployed in the PoC environment.|60 minutes| +|[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)|Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.|60 minutes| +|[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)|Back up an existing client computer, then restore this backup to a new computer.|60 minutes| +|[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)|Log locations and troubleshooting hints.|Informational| ## About MDT 
@@ -73,18 +66,19 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch
 1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
- ```
+ ```powershell
 $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
 Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
 Stop-Process -Name Explorer
 ```
+
 2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
 3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
 3. If desired, re-enable IE Enhanced Security Configuration:
- ```
+ ```powershell
 Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
 Stop-Process -Name Explorer
 ```
@@ -95,7 +89,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
 1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
- ```
+ ```powershell
 Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
 ```
 2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
@@ -130,7 +124,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi - Progress: wait for files to be copied - Confirmation: click **Finish** - >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. + For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. 11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - Task sequence ID: **REFW10X64-001**
    @@ -141,7 +135,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi - Specify Product Key: **Do not specify a product key at this time** - Full Name: **Contoso** - Organization: **Contoso** - - Internet Explorer home page: **http://www.contoso.com** + - Internet Explorer home page: `http://www.contoso.com` - Admin Password: **Do not specify an Administrator password at this time** - Summary: click **Next** - Confirmation: click **Finish** @@ -159,7 +153,8 @@ A reference image serves as the foundation for Windows 10 devices in your organi 17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. + > [!NOTE] + > Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. 18. Click **OK** to complete editing the task sequence. @@ -167,7 +162,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 20. Replace the default rules with the following text: - ``` + ```text [Settings] Priority=Default @@ -202,7 +197,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi 21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: - ``` + ```text [Settings] Priority=Default 
@@ -222,20 +217,18 @@ A reference image serves as the foundation for Windows 10 devices in your organi
 25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
- >Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
+ > [!TIP]
+ > To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
 26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
-
    -
    -
    +    ```powershell
         New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
         Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
         Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
         Start-VM REFW10X64-001
         vmconnect localhost REFW10X64-001
    -	
    -
+ ```
 The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
@@ -307,7 +300,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
- ```
+ ```powershell
 copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
 copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
 ```
@@ -315,7 +308,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet):
- ```
+ ```text
 [Settings]
 Priority=Default
@@ -351,19 +344,21 @@ This procedure will demonstrate how to deploy the reference image to the PoC env SkipFinalSummary=NO EventService=http://SRV1:9800 ``` - **Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. + + > [!NOTE] + > The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini. - >In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. + In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified. If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui): - ``` + ```console ScanStateArgs=/ue:*\* /ui:CONTOSO\* ``` For example, to migrate **all** users on the computer, replace this line with the following: - ``` + ```console ScanStateArgs=/all ``` @@ -371,7 +366,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 4. Click **Edit Bootstap.ini** and replace text in the file with the following text: - ``` + ```text [Settings] Priority=Default @@ -382,6 +377,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env UserPassword=pass@word1 SkipBDDWelcome=YES ``` + 5. Click **OK** when finished. ### Update the deployment share 
@@ -406,7 +402,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
- ```
+ ```powershell
 WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
 WDSUTIL /Set-Server /AnswerClients:All
 ```
@@ -421,11 +417,12 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway.
- >**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
+ > [!NOTE]
+ > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
 Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command:
- ```
+ ```powershell
 Disable-NetAdapter "Ethernet 2" -Confirm:$false
 ```
@@ -434,28 +431,30 @@ This procedure will demonstrate how to deploy the reference image to the PoC env 2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: - ``` + ```powershell New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 ``` - >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. + Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. 3. Start the new VM and connect to it: - ``` + ```powershell Start-VM PC2 vmconnect localhost PC2 ``` + 4. When prompted, hit ENTER to start the network boot process. 5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. 6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command: - ``` + ```powershell Enable-NetAdapter "Ethernet 2" ``` + 7. 
On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed. 8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator. 
@@ -470,34 +469,36 @@ This section will demonstrate how to export user data from an existing client co 1. If the PC1 VM is not already running, then start and connect to it: - ``` + ```powershell Start-VM PC1 vmconnect localhost PC1 ``` 2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - ``` + ```powershell Checkpoint-VM -Name PC1 -SnapshotName BeginState ``` 3. Sign on to PC1 using the CONTOSO\Administrator account. - >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. + Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. 4. Open an elevated command prompt on PC1 and type the following: - ``` + ```console cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs ``` - **Note**: For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](/configmgr/core/support/tools). + > [!NOTE] + > For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](/configmgr/core/support/tools). 5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. 6. Choose **Do not back up the existing computer** and click **Next**. - **Note**: The USMT will still back up the computer. + > [!NOTE] + > The USMT will still back up the computer. 7. Lite Touch Installation will perform the following actions: - Back up user settings and data using USMT. 
@@ -511,13 +512,13 @@ This section will demonstrate how to export user data from an existing client co 9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - ``` + ```powershell Checkpoint-VM -Name PC1 -SnapshotName RefreshState ``` 10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: - ``` + ```powershell Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false Start-VM PC1 vmconnect localhost PC1 @@ -537,11 +538,12 @@ At a high level, the computer replace process consists of:
    2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share. 3. Type the following commands at an elevated Windows PowerShell prompt on SRV1: - ``` + ```powershell New-Item -Path C:\MigData -ItemType directory New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)' ``` + 4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**. 5. Name the new folder **Other**, and complete the wizard using default options. 6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard: @@ -556,21 +558,22 @@ At a high level, the computer replace process consists of:
    1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt: - ``` + ```console whoami ``` 2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1: - ``` + ```powershell Remove-Item c:\minint -recurse Remove-Item c:\_SMSTaskSequence -recurse Restart-Computer ``` 3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: - ``` + ```console cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs ``` + 4. Complete the deployment wizard using the following: - **Task Sequence**: Backup Only Task Sequence - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** @@ -579,7 +582,7 @@ At a high level, the computer replace process consists of:
    6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. 7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: - ``` + ```powershell PS C:\> dir C:\MigData\PC1\USMT Directory: C:\MigData\PC1\USMT @@ -588,49 +591,52 @@ At a high level, the computer replace process consists of:
    ---- ------------- ------ ---- -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG ``` - ### Deploy PC3 -8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: +### Deploy PC3 - ``` +1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: + + ```powershell New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 ``` -9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: - ``` +2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: + + ```powershell Disable-NetAdapter "Ethernet 2" -Confirm:$false ``` - >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. + As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. -10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - ``` + ```powershell Start-VM PC3 vmconnect localhost PC3 ``` -11. When prompted, press ENTER for network boot. +4. When prompted, press ENTER for network boot. -12. On PC3, use the following settings for the Windows Deployment Wizard: +5. 
On PC3, use the following settings for the Windows Deployment Wizard: - **Task Sequence**: Windows 10 Enterprise x64 Custom Image - **Move Data and Settings**: Do not move user data and settings - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** -13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: +6. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: - ``` + ```powershell Enable-NetAdapter "Ethernet 2" ``` -14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. -15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. +7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. -16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. +8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. -17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. +9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. + +10. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. ## Troubleshooting logs, events, and utilities diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 3855f4698d..fe437a325e 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md 
@@ -39,6 +39,7 @@ Approximately 3 hours are required to configure the PoC environment. You will ne Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. +> [!TIP] > Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. > > A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. @@ -53,26 +54,22 @@ After completing the instructions in this guide, you will have a PoC environment Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. -
    +
    -
    - - - -
    TopicDescriptionTime
    Hardware and software requirementsPrerequisites to complete this guide.Informational -
    Lab setupA description and diagram of the PoC environment.Informational -
    Configure the PoC environmentParent topic for procedures.Informational -
    Verify support and install Hyper-VVerify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes -
    Download VHD and ISO filesDownload evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes -
    Convert PC to VMConvert a physical computer on your network to a VM hosted in Hyper-V.30 minutes -
    Resize VHDIncrease the storage capacity for one of the Windows Server VMs.5 minutes -
    Configure Hyper-VCreate virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes -
    Configure service and user accountsStart virtual machines and configure all services and settings.60 minutes -
    Configure VMsStart virtual machines and configure all services and settings.60 minutes -
    Appendix A: Verify the configurationVerify and troubleshoot network connectivity and services in the PoC environment.30 minutes -
    Appendix B: Terminology in this guideTerms used in this guide.Informational -
    -
    +|Topic|Description|Time| +|--- |--- |--- | +|[Hardware and software requirements](#hardware-and-software-requirements)|Prerequisites to complete this guide.|Informational| +|[Lab setup](#lab-setup)|A description and diagram of the PoC environment.|Informational| +|[Configure the PoC environment](#configure-the-poc-environment)|Parent topic for procedures.|Informational| +|[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)|Verify that installation of Hyper-V is supported, and install the Hyper-V server role.|10 minutes| +|[Download VHD and ISO files](#download-vhd-and-iso-files)|Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.|30 minutes| +|[Convert PC to VM](#convert-pc-to-vm)|Convert a physical computer on your network to a VM hosted in Hyper-V.|30 minutes| +|[Resize VHD](#resize-vhd)|Increase the storage capacity for one of the Windows Server VMs.|5 minutes| +|[Configure Hyper-V](#configure-hyper-v)|Create virtual switches, determine available RAM for virtual machines, and add virtual machines.|15 minutes| +|[Configure service and user accounts](#configure-vms)|Start virtual machines and configure all services and settings.|60 minutes| +|[Configure VMs](#configure-vms)|Start virtual machines and configure all services and settings.|60 minutes| +|[Appendix A: Verify the configuration](#appendix-a-verify-the-configuration)|Verify and troubleshoot network connectivity and services in the PoC environment.|30 minutes| +|[Appendix B: Terminology in this guide](#appendix-b-terminology-used-in-this-guide)|Terms used in this guide.|Informational| ## Hardware and software requirements @@ -83,68 +80,25 @@ One computer that meets the hardware and software specifications below is requir Hardware requirements are displayed below: -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Computer 1 (required)Computer 2 (recommended)
    RoleHyper-V hostClient computer
    DescriptionThis computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
    OSWindows 8.1/10 or Windows Server 2012/2012 R2/2016*Windows 7 or a later
    EditionEnterprise, Professional, or EducationAny
    Architecture64-bitAny
    Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
    RAM8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT. -
    16 GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.
    Any
    Disk200 GB available hard disk space, any format.Any size, MBR formatted.
    CPUSLAT-Capable CPUAny
    NetworkInternet connectionAny
    +
    +||Computer 1 (required)|Computer 2 (recommended)| +|--- |--- |--- | +|**Role**|Hyper-V host|Client computer| +|**Description**|This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.|This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.| +|**OS**|Windows 8.1/10 or Windows Server 2012/2012 R2/2016*|Windows 7 or a later| +|**Edition**|Enterprise, Professional, or Education|Any| +|**Architecture**|64-bit|Any

    *Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.*| +|**RAM**|8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
    16 GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.|Any| +|**Disk**|200 GB available hard disk space, any format.|Any size, MBR formatted.| +|**CPU**|SLAT-Capable CPU|Any| +|**Network**|Internet connection|Any| \*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide. -
    -
    The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. -
    +The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. + + ## Lab setup 
@@ -156,13 +110,15 @@ The lab architecture is summarized in the following diagram: - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. ->If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide. +> [!NOTE] +> If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide. The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts. ## Configure the PoC environment ->**Hint**: Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**. +> [!TIP] +> Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. 
To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**. ### Procedures in this section @@ -179,7 +135,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon 1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: -
    +    ```console
         C:\>systeminfo
     
         ...
    @@ -187,7 +143,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
                                    Virtualization Enabled In Firmware: Yes
                                    Second Level Address Translation: Yes
                                    Data Execution Prevention Available: Yes
    -    
    + ``` In this example, the computer supports SLAT and Hyper-V. @@ -195,7 +151,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example: -
    +    ```console
         C:\>coreinfo -v
     
         Coreinfo v3.31 - Dump information on system CPU and memory topology
    @@ -208,27 +164,32 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
         HYPERVISOR      -       Hypervisor is present
         VMX             *       Supports Intel hardware-assisted virtualization
         EPT             *       Supports Intel extended page tables (SLAT)
    -    
    + ``` - Note: A 64-bit operating system is required to run Hyper-V. + > [!NOTE] + > A 64-bit operating system is required to run Hyper-V. 2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: -
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
    + ```powershell + Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All + ``` This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: -
    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
    + ```powershell + Install-WindowsFeature -Name Hyper-V -IncludeManagementTools + ``` When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. - >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: + Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: ![hyper-v features.](images/hyper-v-feature.png) ![hyper-v.](images/svr_mgr2.png) -

    If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. + If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. ### Download VHD and ISO files @@ -236,63 +197,65 @@ When you have completed installation of Hyper-V on the host computer, begin conf 1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. - **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. + > [!IMPORTANT] + > This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. - - -
    VHD
    + :::image type="content" alt-text="VHD" source="images/download_vhd.png"::: 2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type. + 3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. + 4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host. - >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**. + During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. + + > [!NOTE] + > The evaluation version of Windows 10 does not support in-place upgrade**. 5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. -After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. + After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. 
-The following displays the procedures described in this section, both before and after downloading files: + The following displays the procedures described in this section, both before and after downloading files: -

    -C:>mkdir VHD
    -C:>cd VHD
    -C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
    -C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
    -   1 file(s) copied.
    -C:\VHD ren *.iso w10-enterprise.iso
    -C:\VHD>dir /B
    -2012R2-poc-1.vhd
    -2012R2-poc-2.vhd
    -w10-enterprise.iso
    -
    + ```console + C:>mkdir VHD + C:>cd VHD + C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd + C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd + 1 file(s) copied. + C:\VHD ren *.iso w10-enterprise.iso + C:\VHD>dir /B + 2012R2-poc-1.vhd + 2012R2-poc-2.vhd + w10-enterprise.iso + ``` ### Convert PC to VM ->Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. +> [!IMPORTANT] +> Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. -
    If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM: -
    -
      -
    1. Open the Download virtual machines page. -
    2. Under Virtual machine, choose IE11 on Win7. -
    3. Under Select platform choose HyperV (Windows). -
    4. Click Download .zip. The download is 3.31 GB. -
    5. Extract the zip file. Three directories are created. -
    6. Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory. -
    7. Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx). -
    8. In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd. -
    -
    + +1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page. +2. Under **Virtual machine**, choose **IE11 on Win7**. +3. Under **Select platform** choose **HyperV (Windows)**. +4. Click **Download .zip**. The download is 3.31 GB. +5. Extract the zip file. Three directories are created. +6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory. +7. Rename **IE11 - Win7.vhd** to **w7.vhd** (do not rename the file to w7.vhdx). +8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**. If you have a PC available to convert to VM (computer 2): 1. Sign in on computer 2 using an account with Administrator privileges. ->Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network. + > [!IMPORTANT] + > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network. 2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. 3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). 
@@ -301,54 +264,34 @@ If you have a PC available to convert to VM (computer 2): When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs. -
    - - - - - - - - - - - - - - - - - - - - -
    ArchitectureOperating systemPartition style
    Generation 132-bit or 64-bitWindows 7 or laterMBR
    Generation 264-bitWindows 8 or laterMBR or GPT
    - -
+||Architecture|Operating system|Partition style|
+|--- |--- |--- |--- |
+|**Generation 1**|32-bit or 64-bit|Windows 7 or later|MBR|
+|**Generation 2**|64-bit|Windows 8 or later|MBR or GPT|
 If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. - To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. - To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: -
    -Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
    -
    + ```powershell + Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type + ``` If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: -
    +```powershell
     PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
     
     SystemName                           Caption                                 Type
     ----------                           -------                                 ----
     USER-PC1                             Disk #0, Partition #0                   GPT: System
     USER-PC1                             Disk #0, Partition #1                   GPT: Basic Data
    -
    +``` On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format: -
    +```powershell
     PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
     
     SystemName                            Caption                               Type
    @@ -364,176 +307,162 @@ PS C:> Get-Disk
     Number Friendly Name                  OperationalStatus                     Total Size Partition Style
     ------ -------------                  -----------------                     ---------- ---------------
     0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
    -
    +``` **Choosing a VM generation** -The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. +The following tables display the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included. -
    +**Windows 7 MBR** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    OSPartition styleArchitectureVM generationProcedure
    Windows 7MBR321Prepare a generation 1 VM
    641Prepare a generation 1 VM
    GPT32N/AN/A
    641Prepare a generation 1 VM from a GPT disk
    Windows 8 or laterMBR321Prepare a generation 1 VM
    641, 2Prepare a generation 1 VM
    GPT321Prepare a generation 1 VM from a GPT disk
    642Prepare a generation 2 VM
+|Architecture|VM generation|Procedure|
+|--- |--- |--- |
+|32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
+|64|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
-
+**Windows 7 GPT**
+
+|Architecture|VM generation|Procedure|
+|--- |--- |--- |
+|32|N/A|N/A|
+|64|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)|
+
+**Windows 8 or later MBR**
+
+|Architecture|VM generation|Procedure|
+|--- |--- |--- |
+|32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
+|64|1, 2|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
+
+**Windows 8 or later GPT**
+
+|Architecture|VM generation|Procedure|
+|--- |--- |--- |
+|32|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)|
+|64|2|[Prepare a generation 2 VM](#prepare-a-generation-2-vm)|
+
+> [!NOTE]
+>
+>- If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
+>
+>- If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm).
+>
+>- If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm).
-Notes:
    -
      -
    • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk. -
    • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM. -
    • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM. -
    #### Prepare a generation 1 VM 1. Download the [Disk2vhd utility](/sysinternals/downloads/disk2vhd), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + > [!TIP] + > You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). + +3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. + + > [!IMPORTANT] + > You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). + 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. 
See the following example: ![disk2vhd 1.](images/disk2vhd.png) - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better, however, when the VHD is saved on a disk different than those being converted, such as a flash drive. 5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: -
    +    ```cmd
         C:\vhd>dir /B
         2012R2-poc-1.vhd
         2012R2-poc-2.vhd
         w10-enterprise.iso
         w7.VHDX
    -    
    + ``` #### Prepare a generation 2 VM 1. Download the [Disk2vhd utility](/sysinternals/downloads/disk2vhd), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + > [!TIP] + > You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. 2. On the computer you wish to convert, open an elevated command prompt and type the following command: -
    mountvol s: /s
    + ```console + mountvol s: /s + ``` This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). 3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. 4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. - **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. + > [!IMPORTANT] + > You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. 5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: ![disk2vhd 2.](images/disk2vhd-gen2.png) - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. 6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: -
    +    ```console
         C:\vhd>dir /B
         2012R2-poc-1.vhd
         2012R2-poc-2.vhd
         w10-enterprise.iso
         PC1.VHDX
    -    
    + ``` #### Prepare a generation 1 VM from a GPT disk 1. Download the [Disk2vhd utility](/sysinternals/downloads/disk2vhd), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert. - >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. + You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. +3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. + + > [!NOTE] + > The system volume is not copied in this scenario, it will be added later. + 4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: ![disk2vhd 3.](images/disk2vhd4.png) - >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. 5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: -
    +    ```cmd
         C:\vhd>dir /B
         2012R2-poc-1.vhd
         2012R2-poc-2.vhd
         w10-enterprise.iso
         w7.VHD
    -    
    + ``` - >In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. + In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. ### Resize VHD -
    Enhanced session mode -**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. +> [!IMPORTANT] +> Before proceeding, verify that you can take advantage of [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: -
    Set-VMhost -EnableEnhancedSessionMode $TRUE
    +```powershell +Set-VMhost -EnableEnhancedSessionMode $TRUE +``` ->If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. +If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
    @@ -541,58 +470,66 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: -
    +    ```powershell
         Resize-VHD -Path c:\VHD\2012R2-poc-2.vhd -SizeBytes 100GB
         $x = (Mount-VHD -Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
         Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
    -    
    + ``` 2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive: -
    +    ```powershell
         Get-Volume -DriveLetter $x
    -    Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd
    + Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd + ``` ### Configure Hyper-V 1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": - >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
    -    A) Remove the existing external virtual switch, then add the poc-external switch
    -    B) Rename the existing external switch to "poc-external"
    -    C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
    + If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
+
+ **A**: Remove the existing external virtual switch, then add the poc-external switch
+
+ **B**: Rename the existing external switch to "poc-external"
+
+ **C**: Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
    + If you choose B) or C), then do not run the second command below.
-
    +    ```powershell
         New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
         New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
    -    
    + ```
- **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host.
+ > [!NOTE]
+ > The second command above will temporarily interrupt network connectivity on the Hyper-V host.
- >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
+ Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. 
For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"
 2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
-
    +    ```powershell
         (Get-VMHostNumaNode).MemoryAvailable
    -    
    + ```
 This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory.
 3. Determine the available memory for VMs by dividing the available RAM by 4. For example:
-
    +    ```powershell
         (Get-VMHostNumaNode).MemoryAvailable/4
         2775.5
    -    
    + ```
 In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously.
 4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later.
- >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
-
    +    > [!IMPORTANT]
    +    > Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
    +
    +    ```powershell
         $maxRAM = 2700MB
         New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
         Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
    @@ -601,35 +538,37 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
         Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
         Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
         Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
    -    
    + ```
- **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
+ > [!NOTE]
+ > The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
 5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
 To create a generation 1 VM (using c:\vhd\w7.vhdx):
-
    +    ```powershell
         New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
         Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
         Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
    -    
    + ```
 To create a generation 2 VM (using c:\vhd\PC1.vhdx):
-
    +    ```powershell
         New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
         Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
         Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
    -    
    + ```
 To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd):
- >Note: The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed.
+ > [!NOTE]
+ > The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed.
 First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands:
-
    +    ```powershell
         New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
         Mount-VHD -Passthru |
         Get-Disk -Number {$_.DiskNumber} |
    @@ -637,11 +576,11 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
         New-Partition -UseMaximumSize |
         Format-Volume -Confirm:$false -FileSystem NTFS -force
         Dismount-VHD -Path c:\vhd\d.vhd
    -    
    + ```
 Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell prompt):
-
    +    ```powershell
         New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
         Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
         Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
    @@ -649,7 +588,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
         Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
         Start-VM PC1
         vmconnect localhost PC1
    -    
    + ```
 The VM will automatically boot into Windows Setup. In the PC1 window:
@@ -659,13 +598,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 4. Click **Command Prompt**.
 5. Type the following command to save an image of the OS drive:
-
    +      ```console
           dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
    -      
    + ```
 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
-
    +      ```console
           diskpart
           select disk 0
           clean
    @@ -677,121 +616,122 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
           format fs=ntfs quick label=OS
           assign letter=c
           exit
    -      
    + ```
 7. Type the following commands to restore the OS image and boot files:
-
    +      ```console
           dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
           bcdboot c:\windows
           exit
    -      
    + ```
 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD).
 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**.
 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
-
    -       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
    -       Set-VMDvdDrive -VMName PC1 -Path $null
    -       
    + ```powershell
+ Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
+ Set-VMDvdDrive -VMName PC1 -Path $null
+ ```
 ### Configure VMs
 1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands:
-
    +    ```powershell
         Start-VM DC1
         vmconnect localhost DC1
    -    
    + ```
 2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**.
 3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
 4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
 5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
-
    +    ```powershell
         Rename-Computer DC1
         New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.1 -PrefixLength 24 -DefaultGateway 192.168.0.2
         Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
    -    
    + ```
- > The default gateway at 192.168.0.2 will be configured later in this guide.
- >
- > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt.
+ The default gateway at 192.168.0.2 will be configured later in this guide.
+
+ > [!NOTE]
+ > A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt.
 6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt:
-
    +    ```powershell
         Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
    -    
    + ```
 7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt:
-
    +    ```powershell
         Restart-Computer
    -    
    + ```
 8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt:
-
    +    ```powershell
         $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
         Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
    -    
    + ```
 Ignore any warnings that are displayed. The computer will automatically reboot upon completion.
 9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert:
-
    +    ```powershell
         Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
         Add-WindowsFeature -Name DHCP -IncludeManagementTools
         netsh dhcp add securitygroups
         Restart-Service DHCPServer
         Add-DhcpServerInDC  dc1.contoso.com  192.168.0.1
         Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2
    -    
    + ```
 10. Next, add a DHCP scope and set option values:
-
    +    ```powershell
         Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
         Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
    -    
    + ```
- >The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0.
+ The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0.
 11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
-
    +    ```powershell
         Get-DnsServerForwarder
    -    
    + ```
 The following output should be displayed:
-
    +    ```powershell
         UseRootHint        : True
         Timeout(s)         : 3
         EnableReordering   : True
         IPAddress          : 192.168.0.2
         ReorderedIPAddress : 192.168.0.2
    -    
    + ```
 If this output is not displayed, you can use the following command to add SRV1 as a forwarder:
-
    +    ```powershell
         Add-DnsServerForwarder -IPAddress 192.168.0.2
    -    
    + ```
 **Configure service and user accounts**
 Windows 10 deployment with MDT and Microsoft Endpoint Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
- >To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+ To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
 On DC1, open an elevated Windows PowerShell prompt and type the following commands:
-
    +    ```powershell
         New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
         New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
         New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
    @@ -802,7 +742,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
         Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
         Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
         Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
    -    
    + ```
 12. Minimize the DC1 VM window but **do not stop** the VM.
@@ -810,20 +750,20 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
-
    +    ```powershell
         Start-VM PC1
         vmconnect localhost PC1
    -    
    + ```
 14. Sign in to PC1 using an account that has local administrator rights.
- >PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
+ PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
 15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
 ![PoC 1.](images/installing-drivers.png)
- >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
+ If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
 16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. 
@@ -831,7 +771,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows PowerShell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection:
- ```
+ ```console
 ipconfig
 Windows IP Configuration 
@@ -862,99 +802,108 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000 ``` - >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. + > [!NOTE] + > If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. 18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: -
    +    ```powershell
         (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
         $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
         $user = "contoso\administrator"
         $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
         Add-Computer -DomainName contoso.com -Credential $cred
         Restart-Computer
    -    
    + ``` - >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. + If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. See the following example: - ![ISE 1.](images/ISE.png) + :::image type="content" alt-text="ISE 1." source="images/ISE.png" lightbox="images/ISE.png"::: 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. + 20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: -
    +    ```powershell
         Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
         Copy-VMFile "PC1" -SourcePath "C:\VHD\pc1.ps1" -DestinationPath "C:\pc1.ps1" -CreateFullPath -FileSource Host
    -    
    + ``` - >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. + > [!NOTE] + > In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. 21. On PC1, type the following commands at an elevated Windows PowerShell prompt: -
    +    ```powershell
         Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
    -    
    + ``` - >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. + The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. 22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. - >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. 
+ + > [!IMPORTANT] + > The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. + 23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. + 24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: -
    +    ```powershell
         Start-VM SRV1
         vmconnect localhost SRV1
    -    
    + ``` 25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. + 26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. + 27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: -
    +    ```powershell
         Rename-Computer SRV1
         New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.2 -PrefixLength 24
         Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
         Restart-Computer
    -    
    + ``` - >[!IMPORTANT] - >Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name. + > [!IMPORTANT] + > Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name. 28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt: -
    +    ```powershell
         $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
         $user = "contoso\administrator"
         $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
         Add-Computer -DomainName contoso.com -Credential $cred
         Restart-Computer
    -    
    + ``` 29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands: -
    +    ```powershell
         Install-WindowsFeature -Name DNS -IncludeManagementTools
         Install-WindowsFeature -Name WDS -IncludeManagementTools
         Install-WindowsFeature -Name Routing -IncludeManagementTools
    -    
    + ``` 30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: -
    +    ```powershell
         Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
     
         IPAddress                                                                  InterfaceAlias
         ---------                                                                  --------------
         10.137.130.118                                                             Ethernet 2
         192.168.0.2                                                                Ethernet
    -    
    + ``` In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings. @@ -964,37 +913,38 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: -
    +    ```powershell
         Install-RemoteAccess -VpnType Vpn
         cmd /c netsh routing ip nat install
         cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
         cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
         cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
    -    
    + ``` 32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: -
    +    ```powershell
         Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
    -    
    + ``` 33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: -
    +    ```powershell
         ping www.microsoft.com
    -    
    + ``` If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. - **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: + > [!NOTE] + > This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: -
    +    ```powershell
         Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
    -    
    + ``` 34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK): -
    +    ```powershell
         PS C:\> ping www.microsoft.com
     
         Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
    @@ -1007,15 +957,15 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
             Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
         Approximate round trip times in milli-seconds:
             Minimum = 1ms, Maximum = 3ms, Average = 2ms
    -    
    + ``` 35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information. 36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: -
    +    ```powershell
         runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
         Restart-Computer
    -    
    + ``` This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. @@ -1025,7 +975,7 @@ Use the following procedures to verify that the PoC environment is configured pr 1. On DC1, open an elevated Windows PowerShell prompt and type the following commands: -
    +    ```powershell
         Get-Service NTDS,DNS,DHCP
         DCDiag -a
         Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
    @@ -1034,72 +984,79 @@ Use the following procedures to verify that the PoC environment is configured pr
         Get-DhcpServerInDC
         Get-DhcpServerv4Statistics
         ipconfig /all
    -    
    + ``` - **Get-Service** displays a status of "Running" for all three services.
    - **DCDiag** displays "passed test" for all tests.
    - **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
    - **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
    - **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
    - **Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`.
    - **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
    + **Get-Service** displays a status of "Running" for all three services. + + **DCDiag** displays "passed test" for all tests. + + **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered. + + **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2. + + **Resolve-DnsName** displays public IP address results for `www.microsoft.com`. + + **Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`. + + **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host). + **ipconfig** displays a primary DNS suffix and suffix search list of `contoso.com`, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. 2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: -
    +    ```powershell
         Get-Service DNS,RemoteAccess
         Get-DnsServerForwarder
         Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
         ipconfig /all
         netsh int ipv4 show address
    -    
    + ``` + + **Get-Service** displays a status of "Running" for both services. + + **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names. + + **Resolve-DnsName** displays public IP address results for `www.microsoft.com`. + + **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network. - **Get-Service** displays a status of "Running" for both services.
    - **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names.
    - **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
    - **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network.
    **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. 3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: -
    +    ```powershell
         whoami
         hostname
         nslookup www.microsoft.com
         ping -n 1 dc1.contoso.com
         tracert www.microsoft.com
    -    
    + ``` + + **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed. + + **hostname** displays the name of the local computer, for example W7PC-001. + + **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`. + + **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be displayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target. - **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
    - **hostname** displays the name of the local computer, for example W7PC-001.
    - **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
    - **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be displayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target.
    **tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. ## Appendix B: Terminology used in this guide -

      - -

    - - -
    Term -Definition -
    GPTGUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. -
    Hyper-VHyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8. -
    Hyper-V hostThe computer where Hyper-V is installed. -
    Hyper-V ManagerThe user-interface console used to view and configure Hyper-V. -
    MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format. -
    Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process. -
    Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. -
    Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host. -
    Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host. -
    VM snapshotA point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken. -
    - -
    +|Term|Definition| +|--- |--- | +|GPT|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.| +|Hyper-V|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.| +|Hyper-V host|The computer where Hyper-V is installed.| +|Hyper-V Manager|The user-interface console used to view and configure Hyper-V.| +|MBR|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.| +|Proof of concept (PoC)|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.| +|Shadow copy|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.| +|Virtual machine (VM)|A VM is a virtual computer with its own operating system, running on the Hyper-V host.| +|Virtual switch|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.| +|VM snapshot|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.| ## Related Topics diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 23a3c69aae..cd0a734c01 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml 
@@ -179,9 +179,6 @@ conceptualContent: - url: /windows/security/index itemType: overview text: Windows Enterprise Security - - url: /windows/privacy/index - itemType: overview - text: Windows Privacy - url: /windows/security/hardware itemType: overview text: Hardware security @@ -193,10 +190,13 @@ conceptualContent: text: Application security - url: /windows/security/identity itemType: overview - text: User and identity security + text: Identity and privacy - url: /windows/security/cloud itemType: overview text: Cloud services + - url: /windows/privacy/index + itemType: overview + text: Windows Privacy # additionalContent section (optional) # Card with summary style diff --git a/windows/security/identity.md b/windows/security/identity.md index 0cfa07beba..7e2e8ca4b9 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -13,7 +13,7 @@ ms.prod: m365-security ms.technology: windows-sec --- -# Windows identity and user security +# Windows identity and privacy Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations. diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 7cf2f166da..c76ead4afc 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md 
@@ -29,18 +29,18 @@ In Windows client, hardware and software work together to help protect you from See the following articles to learn more about the different areas of Windows threat protection: -- [Application Control](/windows-defender-application-control/windows-defender-application-control.md) +- [Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) - [Attack Surface Reduction Rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) - [Controlled Folder Access](/microsoft-365/security/defender-endpoint/controlled-folders) - [Exploit Protection](/microsoft-365/security/defender-endpoint/exploit-protection) -- [Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md) +- [Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview) - [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) -- [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) +- [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) - [Network Protection](/microsoft-365/security/defender-endpoint/network-protection) -- [Virtualization-Based Protection of Code Integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md) +- [Virtualization-Based Protection of Code Integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) - [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview) - [Windows 
Firewall](windows-firewall/windows-firewall-with-advanced-security.md) -- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md) +- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) ### Next-generation protection Next-generation protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time.