deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into aljupudi-5548201-htmltomdtable-batch16

Browse Source
This commit is contained in:
Alekhya Jupudi 2021-11-22 11:53:16 +05:30
commit 2f49825f78
173 changed files with 11229 additions and 16244 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
.openpublishing.redirection.json
View File

@ -19114,46 +19114,6 @@
"source_path": "windows/security/identity-protection/change-history-for-access-protection.md",
"redirect_url": "/windows/security/",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-deployment",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/create-a-windows-11-reference-image",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/refresh-a-windows-10-computer-with-windows-11",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/replace-a-windows-10-computer-with-a-windows-11-computer",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/simulate-a-windows-11-deployment-in-a-test-environment",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/upgrade-to-windows-11-with-the-microsoft-deployment-toolkit",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-11-deployment-information",
"redirect_document_id": false
},
{
"source_path": "windows/deploy-windows-cm/upgrade-to-windows-with-configuraton-manager.md",

76
browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
View File

@ -201,68 +201,32 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you
You can use both the WMI and XML settings individually or together:
**To turn off Enterprise Site Discovery**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>Off</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>Blank</td>
</tr>
</table>
|Setting name |Option |
|---------|---------|
|Turn on Site Discovery WMI output | Off |
|Turn on Site Discovery XML output | Blank |
**Turn on WMI recording only**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>On</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>Blank</td>
</tr>
</table>
|Setting name |Option |
|---------|---------|
|Turn on Site Discovery WMI output | On |
|Turn on Site Discovery XML output | Blank |
**To turn on XML recording only**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>Off</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>XML file path</td>
</tr>
</table>
|Setting name |Option |
|---------|---------|
|Turn on Site Discovery WMI output | Off |
|Turn on Site Discovery XML output | XML file path |
**To turn on both WMI and XML recording**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>On</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>XML file path</td>
</tr>
</table>
|Setting name |Option |
|---------|---------|
|Turn on Site Discovery WMI output | On |
|Turn on Site Discovery XML output | XML file path |
## Use Configuration Manager to collect your data
After youve collected your data, youll need to get the local files off of your employees computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:

135
browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md
View File

@ -60,132 +60,21 @@ Make sure that you don't specify a protocol when adding your URLs. Using a URL l
### Schema elements
This table includes the elements used by the Enterprise Mode schema.
<table>
<thead>
<tr class="header">
<th>Element</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;rules&gt;</td>
<td>Root node for the schema.
<p><b>Example</b>
<pre class="syntax">
&lt;rules version="205"&gt;
&lt;emie&gt;
&lt;domain&gt;contoso.com&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;emie&gt;</td>
<td>The parent node for the Enterprise Mode section of the schema. All &lt;domain&gt; entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
<p><b>Example</b>
<pre class="syntax">
&lt;rules version="205"&gt;
&lt;emie&gt;
&lt;domain&gt;contoso.com&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre>
<strong>-or-</strong>
<p>For IPv6 ranges:<pre class="syntax">&lt;rules version="205"&gt;
&lt;emie&gt;
&lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre>
<strong>-or-</strong>
<p>For IPv4 ranges:<pre class="syntax">&lt;rules version="205"&gt;
&lt;emie&gt;
&lt;domain&gt;10.122.34.99:8080&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;docMode&gt;</td>
<td>The parent node for the document mode section of the section. All &lt;domain&gt; entries will get IE5 - IE11 document modes applied. If there's a &lt;domain&gt; element in the &lt;docMode&gt; section that uses the same value as a &lt;domain&gt; element in the &lt;emie&gt; section, the &lt;emie&gt; element is applied.
<p><b>Example</b>
<pre class="syntax">
&lt;rules version="205"&gt;
&lt;docMode&gt;
&lt;domain docMode="7"&gt;contoso.com&lt;/domain&gt;
&lt;/docMode&gt;
&lt;/rules&gt;</pre></td>
<td>Internet Explorer 11</td>
</tr>
<tr>
<td>&lt;domain&gt;</td>
<td>A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;domain&gt; element will overrule any additional &lt;domain&gt; elements that use the same value for the section. You can use port numbers for this element.
<p><b>Example</b>
<pre class="syntax">
&lt;emie&gt;
&lt;domain&gt;contoso.com:8080&lt;/domain&gt;
&lt;/emie&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;path&gt;</td>
<td>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The &lt;path&gt; element is a child of the &lt;domain&gt; element. Additionally, the first &lt;path&gt; element will overrule any additional &lt;path&gt; elements in the schema section.
<p><b>Example</b>
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude="false"&gt;fabrikam.com
&lt;path exclude="true"&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre><p>
Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
</table>
|Element |Description |Supported browser |
|---------|---------|---------|
|&lt;rules&gt; | Root node for the schema.<br>**Example** <pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;contoso.com&lt;/domain&gt; <br> &lt;/emie&gt;<br> &lt;/rules&gt; |Internet Explorer 11 and Microsoft Edge |
|&lt;emie&gt; |The parent node for the Enterprise Mode section of the schema. All &lt;domain&gt; entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. <br> **Example** <pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;contoso.com&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; <br> </pre><p> **or** <br> For IPv6 ranges: <pre class="syntax"><br>&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; </pre><p> <br> **or**<br> For IPv4 ranges:<pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; | Internet Explorer 11 and Microsoft Edge |
|&lt;docMode&gt; |The parent node for the document mode section of the section. All &lt;domain&gt; entries will get IE5 - IE11 document modes applied. If there's a &lt;domain&gt; element in the docMode section that uses the same value as a &lt;domain&gt; element in the emie section, the emie element is applied. <br> **Example** <pre class="syntax"> <br/>&lt;rules version="205"&gt; <br> &lt;docmode&gt; <br> &lt;domain docMode="7"&gt;contoso.com&lt;/domain&gt; <br> &lt;/docmode&gt;<br>&lt;/rules&gt; |Internet Explorer 11 |
|&lt;domain&gt; |A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;domain&gt; element will overrule any additional &lt;domain&gt; elements that use the same value for the section. You can use port numbers for this element. <br> **Example** <pre class="syntax"> <br/>&lt;emie&gt; <br> &lt;domain&gt;contoso.com:8080&lt;/domain&gt;<br>&lt;/emie&gt; |Internet Explorer 11 and Microsoft Edge |
|&lt;path&gt; |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The &lt;path&gt; element is a child of the &lt;domain&gt; element. Additionally, the first &lt;path&gt; element will overrule any additional &lt;path&gt; elements in the schema section.<br> **Example** <pre class="syntax"> <br/>&lt;emie&gt; <br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path exclude="true"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p> <br> Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge |
### Schema attributes
This table includes the attributes used by the Enterprise Mode schema.
<table>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;version&gt;</td>
<td>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;rules&gt; element.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;exclude&gt;</td>
<td>Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the &lt;domain&gt; and &lt;path&gt; elements.
<p><b>Example</b>
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude="false"&gt;fabrikam.com
&lt;path exclude="true"&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre><p>
Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;docMode&gt;</td>
<td>Specifies the document mode to apply. This attribute is only supported on &lt;domain&gt; or &lt;path&gt; elements in the &lt;docMode&gt; section.
<p><b>Example</b>
<pre class="syntax">
&lt;docMode&gt;
&lt;domain exclude="false"&gt;fabrikam.com
&lt;path docMode="7"&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/docMode&gt;</pre></td>
<td>Internet Explorer 11</td>
</tr>
</table>
|Attribute|Description|Supported browser|
|--- |--- |--- |
|&lt;version&gt;|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;rules&gt; element.|Internet Explorer 11 and Microsoft Edge|
|&lt;exclude&gt;|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements.<br> **Example** <pre class="syntax">&lt;emie&gt;<br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path exclude="true"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt; </pre><p> Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
|&lt;docMode&gt;|Specifies the document mode to apply. This attribute is only supported on &lt;domain&gt; or &lt;path&gt;elements in the &lt;docMode&gt; section.<br> **Example**<pre class="syntax">&lt;docMode&gt; <br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path docMode="7"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/docMode&gt;|Internet Explorer 11|
### Using Enterprise Mode and document mode together
If you want to use both Enterprise Mode and document mode together, you need to be aware that &lt;emie&gt; entries override &lt;docMode&gt; entries for the same domain.

198
browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md
View File

@ -92,194 +92,32 @@ Make sure that you don't specify a protocol when adding your URLs. Using a URL l
### Updated schema elements
This table includes the elements used by the v.2 version of the Enterprise Mode schema.
<table>
<thead>
<tr class="header">
<th>Element</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;site-list&gt;</td>
<td>A new root node with this text is using the updated v.2 version of the schema. It replaces &lt;rules&gt;.
<p><b>Example</b>
<pre class="syntax">
&lt;site-list version="205"&gt;
&lt;site url="contoso.com"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;open-in&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;
&lt;/site-list&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;site&gt;</td>
<td>A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;site&gt; element will overrule any additional &lt;site&gt; elements that use the same value for the &lt;url&gt; element.
<p><b>Example</b>
<pre class="syntax">
&lt;site url="contoso.com"&gt;
&lt;compat-mode&gt;default&lt;/compat-mode&gt;
&lt;open-in&gt;none&lt;/open-in&gt;
&lt;/site&gt;</pre>
<strong>-or-</strong>
<p>For IPv4 ranges:<pre class="syntax">&lt;site url="10.122.34.99:8080"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
<strong>-or-</strong>
<p>For IPv6 ranges:<pre class="syntax">&lt;site url="[10.122.34.99]:8080"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
You can also use the self-closing version, &lt;url="contoso.com" /&gt;, which also sets:
<ul>
<li>&lt;compat-mode&gt;default&lt;/compat-mode&gt;</li>
<li>&lt;open-in&gt;none&lt;/open-in&gt;</li>
</ul></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;compat-mode&gt;</td>
<td>A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
<p><b>Example</b>
<pre class="syntax">
&lt;site url="contoso.com"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;/site&gt;</pre>
<strong>-or-</strong>
<p>For IPv4 ranges:<pre class="syntax">&lt;site url="10.122.34.99:8080"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
<strong>-or-</strong>
<p>For IPv6 ranges:<pre class="syntax">&lt;site url="[10.122.34.99]:8080"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
Where:
<ul>
<li><b>IE8Enterprise.</b> Loads the site in IE8 Enterprise Mode.<br>This element is required for sites included in the <b>EmIE</b> section of the v.1 schema and is needed to load in IE8 Enterprise Mode.</li><p>
<li><b>IE7Enterprise.</b> Loads the site in IE7 Enterprise Mode.<br>This element is required for sites included in the <b>EmIE</b> section of the v.1 schema and is needed to load in IE7 Enterprise Mode.<p><b>Important</b><br>This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.</li><p>
<li><b>IE<i>[x]</i>.</b> Where <i>[x]</i> is the document mode number into which the site loads.</li><p>
<li><b>Default or not specified.</b> Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.</li>
</ul></td>
<td>Internet Explorer 11</td>
</tr>
<tr>
<td>&lt;open-in&gt;</td>
<td>A child element that controls what browser is used for sites. This element supports the <b>Open in IE11</b> or <b>Open in Microsoft Edge</b> experiences, for devices running Windows 10.
<p><b>Example</b>
<pre class="syntax">
&lt;site url="contoso.com"&gt;
&lt;open-in&gt;none&lt;/open-in&gt;
&lt;/site&gt;</pre><p>
Where:
<ul>
<li><b>IE11.</b> Opens the site in IE11, regardless of which browser is opened by the employee.</li><p>
<li><b>MSEdge.</b> Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.</li><p>
<li><b>None or not specified.</b> Opens in whatever browser the employee chooses.</li>
</ul></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
</table>
|Element |Description |Supported browser |
|---------|---------|---------|
|&lt;site-list&gt; |A new root node with this text is using the updated v.2 version of the schema. It replaces &lt;rules&gt;. <br> **Example** <br> <pre class="syntax">&lt;site-list version="205"&gt;<br> &lt;site url="contoso.com"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br> &lt;/site&gt;<br>&lt;/site-list&gt;</pre> | Internet Explorer 11 and Microsoft Edge |
|&lt;site&gt; |A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;site&gt; element will overrule any additional &lt;site&gt; elements that use the same value for the &lt;url&gt; element. <br> **Example** <pre class="syntax">&lt;site url="contoso.com"&gt;<br> &lt;compat-mode&gt;default&lt;/compat-mode&gt;<br> &lt;open-in&gt;none&lt;/open-in&gt;<br>&lt;/site&gt;</pre> <br> **or** For IPv4 ranges: <br> <pre class="syntax">&lt;site url="10.122.34.99:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> <br> **or** For IPv6 ranges:<pre class="syntax">&lt;site url="[10.122.34.99]:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> <br> You can also use the self-closing version, &lt;url="contoso.com" /&gt;, which also sets:<ul><li>&lt;compat-mode&gt;default&lt;/compat-mode&gt;</li><li>&lt;open-in&gt;none&lt;/open-in&gt;</li>| Internet Explorer 11 and Microsoft Edge |
|&lt;compat-mode&gt; |A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11. <br> **Example** <pre class="syntax"><br>&lt;site url="contoso.com"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;/site&gt;</pre> **or** <br> For IPv4 ranges:<pre class="syntax">&lt;site url="10.122.34.99:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> **or** For IPv6 ranges:<pre class="syntax">&lt;site url="[10.122.34.99]:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> Where<ul><li>**IE8Enterprise.** Loads the site in IE8 Enterprise Mode.<br>This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode.</li><p><li>**IE7Enterprise.** Loads the site in IE7 Enterprise Mode.<br>This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode<p>**Important**<br>This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.<li>**IE<i>[x]</i>**. Where <i>[x]</i> is the document mode number into which the site loads.<li>**Default or not specified.** Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.</li> |Internet Explorer 11 |
|&lt;open-in&gt; |A child element that controls what browser is used for sites. This element supports the **Open in IE11** or **Open in Microsoft Edge** experiences, for devices running Windows 10.<br> **Examples**<pre class="syntax">&lt;site url="contoso.com"&gt;<br> &lt;open-in&gt;none&lt;/open-in&gt; <br>&lt;/site&gt;</pre><p> <br> Where<ul><li><b>IE11.</b> Opens the site in IE11, regardless of which browser is opened by the employee.<li><b>MSEdge.</b> Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.<li><b>None or not specified.</b> Opens in whatever browser the employee chooses.</li> | Internet Explorer 11 and Microsoft Edge |
### Updated schema attributes
The &lt;url&gt; attribute, as part of the &lt;site&gt; element in the v.2 version of the schema, replaces the &lt;domain&gt; element from the v.1 version of the schema.
<table>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>allow-redirect</td>
<td>A boolean attribute of the &lt;open-in&gt; element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).
<p><b>Example</b>
<pre class="syntax">
&lt;site url="contoso.com/travel"&gt;
&lt;open-in allow-redirect="true"&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;</pre>
In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>version</td>
<td>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;site-list&gt; element.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>url</td>
<td>Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
<br><b>Note</b><br>
Make sure that you don't specify a protocol. Using &lt;site url="contoso.com"&gt; applies to both https://contoso.com and https://contoso.com.
<p><b>Example</b>
<pre class="syntax">
&lt;site url="contoso.com:8080"&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;open-in&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;</pre>
In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
</table>
|Attribute|Description|Supported browser|
|---------|---------|---------|
|allow-redirect|A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).<br>**Example**<pre class="syntax">&lt;site url="contoso.com/travel"&gt;<br> &lt;open-in allow-redirect="true"&gt;IE11 &lt;/open-in&gt;<br>&lt;/site&gt; </pre> In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.</li>| Internet Explorer 11 and Microsoft Edge|
|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;site-list&gt; element. | Internet Explorer 11 and Microsoft Edge|
|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.<br> **Note**<br> Make sure that you don't specify a protocol. Using &lt;site url="contoso.com"&gt; applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com). <br> **Example**<pre class="syntax">&lt;site url="contoso.com:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt; <br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br>&lt;/site&gt;</pre>In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
### Deprecated attributes
These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
<table>
<thead>
<tr class="header">
<th>Deprecated attribute</th>
<th>New attribute</th>
<th>Replacement example</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;forceCompatView&gt;</td>
<td>&lt;compat-mode&gt;</td>
<td>Replace &lt;forceCompatView="true"&gt; with &lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode&gt;</td>
</tr>
<tr>
<td>&lt;docMode&gt;</td>
<td>&lt;compat-mode&gt;</td>
<td>Replace &lt;docMode="IE5"&gt; with &lt;compat-mode&gt;IE5&lt;/compat-mode&gt;</td>
</tr>
<tr>
<td>&lt;doNotTransition&gt;</td>
<td>&lt;open-in&gt;</td>
<td>Replace &lt;doNotTransition="true"&gt; with &lt;open-in&gt;none&lt;/open-in&gt;</td>
</tr>
<tr>
<td>&lt;domain&gt; and &lt;path&gt;</td>
<td>&lt;site&gt;</td>
<td>Replace:
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude="false"&gt;contoso.com&lt;/domain&gt;
&lt;/emie&gt;</pre>
With:
<pre class="syntax">
&lt;site url="contoso.com"/&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;/site&gt;</pre>
<b>-AND-</b><p>
Replace:
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude="true"&gt;contoso.com
&lt;path exclude="false" forceCompatView="true"&gt;/about&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre>
With:
<pre class="syntax">
&lt;site url="contoso.com/about"&gt;
&lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode&gt;
&lt;/site&gt;</pre></td>
</tr>
</table>
|Deprecated attribute|New attribute|Replacement example|
|--- |--- |--- |
|&lt;forceCompatView&gt;|&lt;compat-mode>|Replace &lt;forceCompatView="true"> with &lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode>|
|&lt;docMode&gt;|&lt;compat-mode&gt;|Replace &lt;docMode="IE5"&gt; with &lt;compat-mode&gt;IE5&lt;/compat-mode&gt;|
|&lt;doNotTransition&gt;|&lt;open-in&gt;|Replace:<br> &lt;doNotTransition="true"&gt; with &lt;open-in&gt;none&lt;/open-in&gt;|
|&lt;domain&gt; and &lt;path&gt;|&lt;site&gt;|Replace:<pre class="syntax">&lt;emie&gt;<br> &lt;domain exclude="false"&gt;contoso.com&lt;/domain&gt;<br>&lt;/emie&gt;</pre>With:<pre class="syntax">&lt;site url="contoso.com"/&gt; <br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;/site&gt;</pre>**-AND-** <br>Replace:<pre class="syntax">&lt;emie&gt; <br> &lt;domain exclude="true"&gt;contoso.com <br> &lt;path exclude="false" forceCompatView="true"&gt;/about&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><br> With:<pre class="syntax">&lt;site url="contoso.com/about"&gt;<br> &lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode&gt;<br>&lt;/site&gt;|
While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We dont recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.

100
browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
View File

@ -63,17 +63,17 @@ Data is collected on the configuration characteristics of IE and the sites it br
|Data point |IE11 |IE10 |IE9 |IE8 |Description |
|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------|
|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. |
|Domain | X | X | X | X |Top-level domain of the browsed site. |
|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. |
|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. |
|Document mode reason | X | X | | |The reason why a document mode was set by IE. |
|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. |
|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. |
|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. |
|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
|Number of visits | X | X | X | X |Number of times a site has been visited. |
|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. |
|URL | ✔️ | ✔️ | ✔️ | ✔️ |URL of the browsed site, including any parameters included in the URL. |
|Domain | ✔️ | ✔️ | ✔️ | ✔️ |Top-level domain of the browsed site. |
|ActiveX GUID | ✔️ | ✔️ | ✔️ | ✔️ |GUID of the ActiveX controls loaded by the site. |
|Document mode | ✔️ | ✔️ | ✔️ | ✔️ |Document mode used by IE for a site, based on page characteristics. |
|Document mode reason | ✔️ | ✔️ | | |The reason why a document mode was set by IE. |
|Browser state reason | ✔️ | ✔️ | | |Additional information about why the browser is in its current state. Also called, browser mode. |
|Hang count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser hung. |
|Crash count | ✔️ | ✔️ | ✔️ | ✔️ |Number of visits to the URL when the browser crashed. |
|Most recent navigation failure (and count) | ✔️ | ✔️ | ✔️ | ✔️ |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. |
|Number of visits | ✔️ | ✔️ | ✔️ | ✔️ |Number of times a site has been visited. |
|Zone | ✔️ | ✔️ | ✔️ | ✔️ |Zone used by IE to browse sites, based on browser settings. |
>**Important**<br>By default, IE doesnt collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so theres no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements.
@ -205,68 +205,32 @@ You can use Group Policy to finish setting up Enterprise Site Discovery. If you
You can use both the WMI and XML settings individually or together:
**To turn off Enterprise Site Discovery**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>Off</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>Blank</td>
</tr>
</table>
|Setting name|Option|
|--- |--- |
|Turn on Site Discovery WMI output|Off|
|Turn on Site Discovery XML output|Blank|
**Turn on WMI recording only**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>On</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>Blank</td>
</tr>
</table>
|Setting name|Option|
|--- |--- |
|Turn on Site Discovery WMI output|On|
|Turn on Site Discovery XML output|Blank|
**To turn on XML recording only**
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>Off</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>XML file path</td>
</tr>
</table>
|Setting name|Option|
|--- |--- |
|Turn on Site Discovery WMI output|Off|
|Turn on Site Discovery XML output|XML file path|
<strong>To turn on both WMI and XML recording</strong>
<table>
<tr>
<th>Setting name</th>
<th>Option</th>
</tr>
<tr>
<td>Turn on Site Discovery WMI output</td>
<td>On</td>
</tr>
<tr>
<td>Turn on Site Discovery XML output</td>
<td>XML file path</td>
</tr>
</table>
**To turn on both WMI and XML recording**
|Setting name|Option|
|--- |--- |
|Turn on Site Discovery WMI output|On|
|Turn on Site Discovery XML output|XML file path|
## Use Configuration Manager to collect your data
After youve collected your data, youll need to get the local files off of your employees computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options:

166
browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
View File

@ -65,162 +65,24 @@ The following is an example of the Enterprise Mode schema v.1. This schema can r
### Schema elements
This table includes the elements used by the Enterprise Mode schema.
<table>
<thead>
<tr class="header">
<th>Element</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;rules&gt;</td>
<td>Root node for the schema.
<p><b>Example</b>
<pre class="syntax">
&lt;rules version=&quot;205&quot;&gt;
&lt;emie&gt;
&lt;domain&gt;contoso.com&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;emie&gt;</td>
<td>The parent node for the Enterprise Mode section of the schema. All &lt;domain&gt; entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.
<p><b>Example</b>
<pre class="syntax">
&lt;rules version=&quot;205&quot;&gt;
&lt;emie&gt;
&lt;domain&gt;contoso.com&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre>
<strong>-or-</strong>
<p>For IPv6 ranges:<pre class="syntax">&lt;rules version=&quot;205&quot;&gt;
&lt;emie&gt;
&lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre>
<strong>-or-</strong>
<p>For IPv4 ranges:<pre class="syntax">&lt;rules version=&quot;205&quot;&gt;
&lt;emie&gt;
&lt;domain&gt;10.122.34.99:8080&lt;/domain&gt;
&lt;/emie&gt;
&lt;/rules&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;docMode&gt;</td>
<td>The parent node for the document mode section of the section. All &lt;domain&gt; entries will get IE5 - IE11 document modes applied. If there&#39;s a &lt;domain&gt; element in the &lt;docMode&gt; section that uses the same value as a &lt;domain&gt; element in the &lt;emie&gt; section, the &lt;emie&gt; element is applied.
<p><b>Example</b>
<pre class="syntax">
&lt;rules version=&quot;205&quot;&gt;
&lt;docMode&gt;
&lt;domain docMode=&quot;7&quot;&gt;contoso.com&lt;/domain&gt;
&lt;/docMode&gt;
&lt;/rules&gt;</pre></td>
<td>Internet Explorer 11</td>
</tr>
<tr>
<td>&lt;domain&gt;</td>
<td>A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;domain&gt; element will overrule any additional &lt;domain&gt; elements that use the same value for the section. You can use port numbers for this element.
<p><b>Example</b>
<pre class="syntax">
&lt;emie&gt;
&lt;domain&gt;contoso.com:8080&lt;/domain&gt;
&lt;/emie&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;path&gt;</td>
<td>A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The &lt;path&gt; element is a child of the &lt;domain&gt; element. Additionally, the first &lt;path&gt; element will overrule any additional &lt;path&gt; elements in the schema section.
<p><b>Example</b>
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude=&quot;true&quot;&gt;fabrikam.com
&lt;path exclude=&quot;false&quot;&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre><p>
Where <a href="https://fabrikam.com" data-raw-source="https://fabrikam.com">https://fabrikam.com</a> doesn&#39;t use IE8 Enterprise Mode, but <a href="https://fabrikam.com/products" data-raw-source="https://fabrikam.com/products">https://fabrikam.com/products</a> does.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
</table>
|Element |Description |Supported browser |
|---------|---------|---------|
|&lt;rules&gt; | Root node for the schema.<br>**Example** <pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;contoso.com&lt;/domain&gt; <br> &lt;/emie&gt;<br> &lt;/rules&gt; |Internet Explorer 11 and Microsoft Edge |
|&lt;emie&gt; |The parent node for the Enterprise Mode section of the schema. All &lt;domain&gt; entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied. <br> **Example** <pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;contoso.com&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; <br> </pre><p> **or** <br> For IPv6 ranges: <pre class="syntax"><br>&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; </pre><p> <br> **or**<br> For IPv4 ranges:<pre class="syntax">&lt;rules version="205"&gt; <br> &lt;emie&gt; <br> &lt;domain&gt;[10.122.34.99]:8080&lt;/domain&gt; <br> &lt;/emie&gt;<br>&lt;/rules&gt; | Internet Explorer 11 and Microsoft Edge |
|&lt;docMode&gt; |The parent node for the document mode section of the section. All &lt;domain&gt; entries will get IE5 - IE11 document modes applied. If there's a &lt;domain&gt; element in the docMode section that uses the same value as a &lt;domain&gt; element in the emie section, the emie element is applied. <br> **Example** <pre class="syntax"> <br/>&lt;rules version="205"&gt; <br> &lt;docmode&gt; <br> &lt;domain docMode="7"&gt;contoso.com&lt;/domain&gt; <br> &lt;/docmode&gt;<br>&lt;/rules&gt; |Internet Explorer 11 |
|&lt;domain&gt; |A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;domain&gt; element will overrule any additional &lt;domain&gt; elements that use the same value for the section. You can use port numbers for this element. <br> **Example** <pre class="syntax"> <br/>&lt;emie&gt; <br> &lt;domain&gt;contoso.com:8080&lt;/domain&gt;<br>&lt;/emie&gt; |Internet Explorer 11 and Microsoft Edge |
|&lt;path&gt; |A unique entry added for each path under a domain you want to put on the Enterprise Mode site list. The &lt;path&gt; element is a child of the &lt;domain&gt; element. Additionally, the first &lt;path&gt; element will overrule any additional &lt;path&gt; elements in the schema section.<br> **Example** <pre class="syntax"> <br/>&lt;emie&gt; <br> &lt;domain exclude="true"&gt;fabrikam.com <br> &lt;path exclude="false"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p> <br> Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does. |Internet Explorer 11 and Microsoft Edge |
### Schema attributes
This table includes the attributes used by the Enterprise Mode schema.
<table>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>version</td>
<td>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;rules&gt; element.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>exclude</td>
<td>Specifies the domain or path excluded from applying Enterprise Mode. This attribute is only supported on the &lt;domain&gt; and &lt;path&gt; elements in the &lt;emie&gt; section. If this attribute is absent, it defaults to false.
<br />
<p><b>Example:</b></p>
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude=&quot;false&quot;&gt;fabrikam.com
&lt;path exclude=&quot;true&quot;&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre><p>
Where <a href="https://fabrikam.com" data-raw-source="https://fabrikam.com">https://fabrikam.com</a> uses IE8 Enterprise Mode, but <a href="https://fabrikam.com/products" data-raw-source="https://fabrikam.com/products">https://fabrikam.com/products</a> does not.</p></td>
<td>Internet Explorer 11</td>
</tr>
<tr>
<td>docMode</td>
<td>Specifies the document mode to apply. This attribute is only supported on &lt;domain&gt; or &lt;path&gt; elements in the &lt;docMode&gt; section.
<br />
<p><b>Example:</b></p>
<pre class="syntax">
&lt;docMode&gt;
&lt;domain&gt;fabrikam.com
&lt;path docMode=&quot;9&quot;&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/docMode&gt;</pre><p>
Where <a href="https://fabrikam.com" data-raw-source="https://fabrikam.com">https://fabrikam.com</a> loads in IE11 document mode, but <a href="https://fabrikam.com/products" data-raw-source="https://fabrikam.com/products">https://fabrikam.com/products</a> uses IE9 document mode.</p></td>
<td>Internet Explorer 11</td>
</tr>
<tr>
<td>doNotTransition</td>
<td>Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all &lt;domain&gt; or &lt;path&gt; elements. If this attribute is absent, it defaults to false.
<br />
<p><b>Example:</b></p>
<pre class="syntax">
&lt;emie&gt;
&lt;domain doNotTransition=&quot;false&quot;&gt;fabrikam.com
&lt;path doNotTransition=&quot;true&quot;&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre><p>
Where <a href="https://fabrikam.com" data-raw-source="https://fabrikam.com">https://fabrikam.com</a> opens in the IE11 browser, but <a href="https://fabrikam.com/products" data-raw-source="https://fabrikam.com/products">https://fabrikam.com/products</a> loads in the current browser (eg. Microsoft Edge).</p></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>forceCompatView</td>
<td>Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on &lt;domain&gt; or &lt;path&gt; elements in the &lt;emie&gt; section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude=&quot;true&quot;), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false.
<br />
<p><b>Example:</b></p>
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude=&quot;true&quot;&gt;fabrikam.com
&lt;path forceCompatView=&quot;true&quot;&gt;/products&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre><p>
Where <a href="https://fabrikam.com" data-raw-source="https://fabrikam.com">https://fabrikam.com</a> does not use Enterprise Mode, but <a href="https://fabrikam.com/products" data-raw-source="https://fabrikam.com/products">https://fabrikam.com/products</a> uses IE7 Enterprise Mode.</p></td>
<td>Internet Explorer 11</td>
</tr>
</table>
|Attribute|Description|Supported browser|
|--- |--- |--- |
|version|Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;rules&gt; element.|Internet Explorer 11 and Microsoft Edge|
|exclude|Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the &lt;domain&gt; and &lt;path&gt; elements.<br> **Example** <pre class="syntax">&lt;emie&gt;<br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path exclude="true"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt; </pre><p> Where [https://fabrikam.com](https://fabrikam.com) doesn't use IE8 Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) does.|Internet Explorer 11 and Microsoft Edge|
|docMode|Specifies the document mode to apply. This attribute is only supported on &lt;domain&gt; or &lt;path&gt;elements in the &lt;docMode&gt; section.<br> **Example**<pre class="syntax">&lt;docMode&gt; <br> &lt;domain exclude="false"&gt;fabrikam.com <br> &lt;path docMode="9"&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/docMode&gt;|Internet Explorer 11|
|doNotTransition| Specifies that the page should load in the current browser, otherwise it will open in IE11. This attribute is supported on all &lt;domain&gt; or &lt;path&gt; elements. If this attribute is absent, it defaults to false.<br> **Example**<pre class="syntax">&lt;emie&gt;<br> &lt;domain doNotTransition=&quot;false&quot;&gt;fabrikam.com <br> &lt;path doNotTransition=&quot;true&quot;&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p>Where [https://fabrikam.com](https://fabrikam.com) opens in the IE11 browser, but [https://fabrikam.com/products](https://fabrikam.com/products) loads in the current browser (eg. Microsoft Edge)|Internet Explorer 11 and Microsoft Edge|
|forceCompatView|Specifies that the page should load in IE7 document mode (Compat View). This attribute is only supported on &lt;domain&gt; or &lt;path&gt; elements in the &lt;emie&gt; section. If the page is also configured to load in Enterprise Mode, it will load in IE7 Enterprise Mode. Otherwise (exclude=&quot;true&quot;), it will load in IE11's IE7 document mode. If this attribute is absent, it defaults to false. <br> **Example**<pre class="syntax">&lt;emie&gt;<br> &lt;domain exclude=&quot;true&quot;&gt;fabrikam.com <br> &lt;path forcecompatview=&quot;true&quot;&gt;/products&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><p>Where [https://fabrikam.com](https://fabrikam.com) does not use Enterprise Mode, but [https://fabrikam.com/products](https://fabrikam.com/products) uses IE7 Enterprise Mode.|Internet Explorer 11|
### Using Enterprise Mode and document mode together
If you want to use both Enterprise Mode and document mode together, you need to be aware that &lt;emie&gt; entries override &lt;docMode&gt; entries for the same domain.

200
browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
View File

@ -97,197 +97,31 @@ The following is an example of the v.2 version of the Enterprise Mode schema.
### Updated schema elements
This table includes the elements used by the v.2 version of the Enterprise Mode schema.
<table>
<thead>
<tr class="header">
<th>Element</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>&lt;site-list&gt;</td>
<td>A new root node with this text is using the updated v.2 version of the schema. It replaces &lt;rules&gt;.
<p><b>Example</b>
<pre class="syntax">
&lt;site-list version=&quot;205&quot;&gt;
&lt;site url=&quot;contoso.com&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;open-in&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;
&lt;/site-list&gt;</pre></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;site&gt;</td>
<td>A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;site&gt; element will overrule any additional &lt;site&gt; elements that use the same value for the &lt;url&gt; element.
<p><b>Example</b>
<pre class="syntax">
&lt;site url=&quot;contoso.com&quot;&gt;
&lt;compat-mode&gt;default&lt;/compat-mode&gt;
&lt;open-in&gt;none&lt;/open-in&gt;
&lt;/site&gt;</pre>
<strong>-or-</strong>
<p>For IPv4 ranges:<pre class="syntax">&lt;site url=&quot;10.122.34.99:8080&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
<strong>-or-</strong>
<p>For IPv6 ranges:<pre class="syntax">&lt;site url=&quot;[10.122.34.99]:8080&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
You can also use the self-closing version, &lt;url=&quot;contoso.com&quot; /&gt;, which also sets:
<ul>
<li>&lt;compat-mode&gt;default&lt;/compat-mode&gt;</li>
<li>&lt;open-in&gt;none&lt;/open-in&gt;</li>
</ul></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>&lt;compat-mode&gt;</td>
<td>A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.
<p><b>Example</b>
<pre class="syntax">
&lt;site url=&quot;contoso.com&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;/site&gt;</pre>
<strong>-or-</strong>
<p>For IPv4 ranges:<pre class="syntax">&lt;site url=&quot;10.122.34.99:8080&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
<strong>-or-</strong>
<p>For IPv6 ranges:<pre class="syntax">&lt;site url=&quot;[10.122.34.99]:8080&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;site&gt;</pre><p>
Where:
<ul>
<li><b>IE8Enterprise.</b> Loads the site in IE8 Enterprise Mode.<br>This element is required for sites included in the <b>EmIE</b> section of the v.1 schema and is needed to load in IE8 Enterprise Mode.</li><p>
<li><b>IE7Enterprise.</b> Loads the site in IE7 Enterprise Mode.<br>This element is required for sites included in the <b>EmIE</b> section of the v.1 schema and is needed to load in IE7 Enterprise Mode.<p><b>Important</b><br>This tag replaces the combination of the <code>&quot;forceCompatView&quot;=&quot;true&quot;</code> attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.</li><p>
<li><b>IE<i>[x]</i>.</b> Where <i>[x]</i> is the document mode number into which the site loads.</li><p>
<li><b>Default or not specified.</b> Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.</li>
</ul></td>
<td>Internet Explorer 11</td>
</tr>
<tr>
<td>&lt;open-in&gt;</td>
<td>A child element that controls what browser is used for sites. This element supports the <b>Open in IE11</b> or <b>Open in Microsoft Edge</b> experiences, for devices running Windows 10.
<p><b>Example</b>
<pre class="syntax">
&lt;site url=&quot;contoso.com&quot;&gt;
&lt;open-in&gt;none&lt;/open-in&gt;
&lt;/site&gt;</pre><p>
Where:
<ul>
<li><b>IE11.</b> Opens the site in IE11, regardless of which browser is opened by the employee.</li><p>
<li><b>MSEdge.</b> Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.</li><p>
<li><b>None or not specified.</b> Opens in whatever browser the employee chooses.</li>
</ul></td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
</table>
|Element |Description |Supported browser |
|---------|---------|---------|
|&lt;site-list&gt; |A new root node with this text is using the updated v.2 version of the schema. It replaces &lt;rules&gt;. <br> **Example** <br> <pre class="syntax">&lt;site-list version="205"&gt;<br> &lt;site url="contoso.com"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br> &lt;/site&gt;<br>&lt;/site-list&gt;</pre> | Internet Explorer 11 and Microsoft Edge |
|&lt;site&gt; |A unique entry added for each site you want to put on the Enterprise Mode site list. The first &lt;site&gt; element will overrule any additional &lt;site&gt; elements that use the same value for the &lt;url&gt; element. <br> **Example** <pre class="syntax">&lt;site url="contoso.com"&gt;<br> &lt;compat-mode&gt;default&lt;/compat-mode&gt;<br> &lt;open-in&gt;none&lt;/open-in&gt;<br>&lt;/site&gt;</pre> <br> **or** For IPv4 ranges: <br> <pre class="syntax">&lt;site url="10.122.34.99:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> <br> **or** For IPv6 ranges:<pre class="syntax">&lt;site url="[10.122.34.99]:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> <br> You can also use the self-closing version, &lt;url="contoso.com" /&gt;, which also sets:<ul><li>&lt;compat-mode&gt;default&lt;/compat-mode&gt;</li><li>&lt;open-in&gt;none&lt;/open-in&gt;</li>| Internet Explorer 11 and Microsoft Edge |
|&lt;compat-mode&gt; |A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11. <br> **Example** <pre class="syntax"><br>&lt;site url="contoso.com"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;/site&gt;</pre> **or** <br> For IPv4 ranges:<pre class="syntax">&lt;site url="10.122.34.99:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> **or** For IPv6 ranges:<pre class="syntax">&lt;site url="[10.122.34.99]:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br>&lt;site&gt;</pre><p> Where<ul><li>**IE8Enterprise.** Loads the site in IE8 Enterprise Mode.<br>This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE8 Enterprise Mode.</li><p><li>**IE7Enterprise.** Loads the site in IE7 Enterprise Mode.<br>This element is required for sites included in the **EmIE** section of the v.1 schema and is needed to load in IE7 Enterprise Mode<p>**Important**<br>This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.<li>**IE<i>[x]</i>**. Where <i>[x]</i> is the document mode number into which the site loads.<li>**Default or not specified.** Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.</li> |Internet Explorer 11 |
|&lt;open-in&gt; |A child element that controls what browser is used for sites. This element supports the **Open in IE11** or **Open in Microsoft Edge** experiences, for devices running Windows 10.<br> **Examples**<pre class="syntax">&lt;site url="contoso.com"&gt;<br> &lt;open-in&gt;none&lt;/open-in&gt; <br>&lt;/site&gt;</pre><p> <br> Where<ul><li><b>IE11.</b> Opens the site in IE11, regardless of which browser is opened by the employee.<li><b>MSEdge.</b> Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.<li><b>None or not specified.</b> Opens in whatever browser the employee chooses.</li> | Internet Explorer 11 and Microsoft Edge |
### Updated schema attributes
The &lt;url&gt; attribute, as part of the &lt;site&gt; element in the v.2 version of the schema, replaces the &lt;domain&gt; element from the v.1 version of the schema.
<table>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Description</th>
<th>Supported browser</th>
</tr>
</thead>
<tbody>
<tr>
<td>allow-redirect</td>
<td>A boolean attribute of the &lt;open-in&gt; element that controls the behavior for redirected sites. Setting this attribute to &quot;true&quot; indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to &quot;false&quot; (sites in redirect chain will not open in another browser).
<p><b>Example</b>
<pre class="syntax">
&lt;site url=&quot;contoso.com/travel&quot;&gt;
&lt;open-in allow-redirect=&quot;true&quot;&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;</pre>
In this example, if <a href="https://contoso.com/travel" data-raw-source="https://contoso.com/travel">https://contoso.com/travel</a> is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>version</td>
<td>Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;site-list&gt; element.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
<tr>
<td>url</td>
<td>Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
<br><b>Note</b><br>
Make sure that you don&#39;t specify a protocol. Using &lt;site url=&quot;contoso.com&quot;&gt; applies to both <a href="http://contoso.com" data-raw-source="http://contoso.com">http://contoso.com</a> and <a href="https://contoso.com" data-raw-source="https://contoso.com">https://contoso.com</a>.
<p><b>Example</b>
<pre class="syntax">
&lt;site url=&quot;contoso.com:8080&quot;&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;open-in&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;</pre>
In this example, going to <a href="https://contoso.com:8080" data-raw-source="https://contoso.com:8080">https://contoso.com:8080</a> using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode.</td>
<td>Internet Explorer 11 and Microsoft Edge</td>
</tr>
</table>
|Attribute|Description|Supported browser|
|---------|---------|---------|
|allow-redirect|A boolean attribute of the &lt;open-in&gt; element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).<br>**Example**<pre class="syntax">&lt;site url="contoso.com/travel"&gt;<br> &lt;open-in allow-redirect="true"&gt;IE11 &lt;/open-in&gt;<br>&lt;/site&gt;</pre> In this example, if [https://contoso.com/travel](https://contoso.com/travel) is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. <li>| Internet Explorer 11 and Microsoft Edge|
|version |Specifies the version of the Enterprise Mode Site List. This attribute is supported for the &lt;site-list&gt; element. | Internet Explorer 11 and Microsoft Edge|
|url|Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.<br> **Note**<br> Make sure that you don't specify a protocol. Using &lt;site url="contoso.com"&gt; applies to both [https://contoso.com](https://contoso.com) and [https://contoso.com](https://contoso.com). <br> **Example**<pre class="syntax">&lt;site url="contoso.com:8080"&gt;<br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt; <br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br>&lt;/site&gt;</pre>In this example, going to [https://contoso.com:8080](https://contoso.com:8080) using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. | Internet Explorer 11 and Microsoft Edge|
### Deprecated attributes
These v.1 version schema attributes have been deprecated in the v.2 version of the schema:
<table>
<thead>
<tr class="header">
<th>Deprecated element/attribute</th>
<th>New element</th>
<th>Replacement example</th>
</tr>
</thead>
<tbody>
<tr>
<td>forceCompatView</td>
<td>&lt;compat-mode&gt;</td>
<td>Replace forceCompatView=&quot;true&quot; with &lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode&gt;</td>
</tr>
<tr>
<td>docMode</td>
<td>&lt;compat-mode&gt;</td>
<td>Replace docMode=&quot;IE5&quot; with &lt;compat-mode&gt;IE5&lt;/compat-mode&gt;</td>
</tr>
<tr>
<td>doNotTransition</td>
<td>&lt;open-in&gt;</td>
<td>Replace doNotTransition=&quot;true&quot; with &lt;open-in&gt;none&lt;/open-in&gt;</td>
</tr>
<tr>
<td>&lt;domain&gt; and &lt;path&gt;</td>
<td>&lt;site&gt;</td>
<td>Replace:
<pre class="syntax">
&lt;emie&gt;
&lt;domain&gt;contoso.com&lt;/domain&gt;
&lt;/emie&gt;</pre>
With:
<pre class="syntax">
&lt;site url=&quot;contoso.com&quot;/&gt;
&lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;
&lt;open-in&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;</pre>
<b>-AND-</b><p>
Replace:
<pre class="syntax">
&lt;emie&gt;
&lt;domain exclude=&quot;true&quot; doNotTransition=&quot;true&quot;&gt;
contoso.com
&lt;path forceCompatView=&quot;true&quot;&gt;/about&lt;/path&gt;
&lt;/domain&gt;
&lt;/emie&gt;</pre>
With:
<pre class="syntax">
&lt;site url=&quot;contoso.com/about&quot;&gt;
&lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode&gt;
&lt;open-in&gt;IE11&lt;/open-in&gt;
&lt;/site&gt;</pre></td>
</tr>
</table>
|Deprecated attribute|New attribute|Replacement example|
|--- |--- |--- |
|forceCompatView|&lt;compat-mode>|Replace &lt;forceCompatView="true"> with &lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode>|
|docMode|&lt;compat-mode&gt;|Replace &lt;docMode="IE5"&gt; with &lt;compat-mode&gt;IE5&lt;/compat-mode&gt;|
|doNotTransition|&lt;open-in&gt;|Replace:<br> &lt;doNotTransition="true"&gt; with &lt;open-in&gt;none&lt;/open-in&gt;|
|&lt;domain&gt; and &lt;path&gt;|&lt;site&gt;|Replace:<pre class="syntax">&lt;emie&gt;<br> &lt;domain&gt;contoso.com&lt;/domain&gt;<br>&lt;/emie&gt;</pre>With:<pre class="syntax">&lt;site url="contoso.com"/&gt; <br> &lt;compat-mode&gt;IE8Enterprise&lt;/compat-mode&gt;<br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br>&lt;/site&gt;</pre>**-AND-** <br>Replace:<pre class="syntax">&lt;emie&gt; <br> &lt;domain exclude="true" donotTransition="true"&gt;contoso.com <br> &lt;path forceCompatView="true"&gt;/about&lt;/path&gt;<br> &lt;/domain&gt;<br>&lt;/emie&gt;</pre><br> With:<pre class="syntax">&lt;site url="contoso.com/about"&gt;<br> &lt;compat-mode&gt;IE7Enterprise&lt;/compat-mode&gt;<br> &lt;open-in&gt;IE11&lt;/open-in&gt;<br>&lt;/site&gt;|
While the old, replaced attributes aren't supported in the v.2 version of the schema, they'll continue to work in the v.1 version of the schema. If, however, you're using the v.2 version of the schema and these attributes are still there, the v.2 version schema takes precedence. We dont recommend combining the two schemas, and instead recommend that you move to the v.2 version of the schema to take advantage of the new features.

12
education/includes/education-content-updates.md
View File

@ -2,6 +2,18 @@
## Week of November 15, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 11/16/2021 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
| 11/16/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 11/18/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 11/18/2021 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
| 11/18/2021 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
## Week of October 25, 2021

4
education/itadmins.yml
View File

@ -79,7 +79,7 @@ productDirectory:
- url: https://techcommunity.microsoft.com/t5/Azure-Information-Protection/Azure-Information-Protection-Deployment-Acceleration-Guide/ba-p/334423
text: Azure information protection deployment acceleration guide
- url: /cloud-app-security/getting-started-with-cloud-app-security
text: Microsoft Cloud app security
text: Microsoft Defender for Cloud Apps
- url: /microsoft-365/compliance/create-test-tune-dlp-policy
text: Office 365 data loss prevention
- url: /microsoft-365/compliance/
@ -117,4 +117,4 @@ productDirectory:
- url: https://support.office.com/en-us/education
text: Education help center
- url: https://support.office.com/en-us/article/teacher-training-packs-7a9ee74a-8fe5-43d3-bc23-a55185896921
text: Teacher training packs
text: Teacher training packs

450
education/windows/chromebook-migration-guide.md
View File

@ -126,96 +126,23 @@ Table 2 lists the settings in the Device Management node in the Google Admin Con
Table 2. Settings in the Device Management node in the Google Admin Console
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Section</th>
<th align="left">Settings</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Network</td>
<td align="left"><p>These settings configure the network connections for Chromebook devices and include the following settings categories:</p>
<ul>
<li><p><strong>Wi-Fi.</strong> Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.</p></li>
<li><p><strong>Ethernet.</strong> Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.</p></li>
<li><p><strong>VPN.</strong> Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.</p></li>
<li><p><strong>Certificates.</strong> Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Mobile</td>
<td align="left"><p>These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:</p>
<ul>
<li><p><strong>Device management settings.</strong> Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.</p></li>
<li><p><strong>Device activation.</strong> Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.</p></li>
<li><p><strong>Managed devices.</strong> Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.</p></li>
<li><p><strong>Set Up Apple Push Certificate.</strong> Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.</p></li>
<li><p><strong>Set Up Android for Work.</strong> Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left">Chrome management</td>
<td align="left"><p>These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:</p>
<ul>
<li><p><strong>User settings.</strong> Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.</p></li>
<li><p><strong>Public session settings.</strong> Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don&#39;t need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.</p></li>
<li><p><strong>Device settings.</strong> Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.</p></li>
<li><p><strong>Devices.</strong> Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.</p></li>
<li><p><strong>App Management.</strong> Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.</p></li>
</ul></td>
</tr>
</tbody>
</table>
|Section |Settings |
|---------|---------|
|Network | <p>These settings configure the network connections for Chromebook devices and include the following settings categories:<ul></p><li> **Wi-Fi.** Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.</p></li> <li>**Ethernet.** Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.</p><li>**VPN.** Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.</p><li>**Certificates.** Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.</p> |
|Mobile |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:<ul> <li>**Device management settings.** Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.<li>**Device activation.** Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.<li>**Managed devices.** Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.<li> **Set Up Apple Push Certificate.** Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider. <li>**Set Up Android for Work.** Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider. |
|Chrome management |These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:<ul> <li>**User settings.** Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.<li>**Public session settings.** Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don&#39;t need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.<li> **Device settings.** Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.<li>**Devices.** Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices <li>**App Management.** Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices. |
Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows.
Table 3. Settings in the Security node in the Google Admin Console
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Section</th>
<th align="left">Settings</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Basic settings</p></td>
<td align="left"><p>These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.</p>
<p>Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Password monitoring</p></td>
<td align="left"><p>This section is used to monitor the strength of user passwords. You dont need to migrate any settings in this section.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>API reference</p></td>
<td align="left"><p>This section is used to enable access to various Google Apps Administrative APIs. You dont need to migrate any settings in this section.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Set up single sign-on (SSO)</p></td>
<td align="left"><p>This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you dont need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Advanced settings</p></td>
<td align="left"><p>This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You dont need to migrate any settings in this section.</p></td>
</tr>
</tbody>
</table>
|Section|Settings|
|--- |--- |
|Basic settings|These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.<br> Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.|
|Password monitoring|This section is used to monitor the strength of user passwords. You dont need to migrate any settings in this section.|
|API reference|This section is used to enable access to various Google Apps Administrative APIs. You dont need to migrate any settings in this section.|
|Set up single sign-on (SSO)|This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you dont need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.|
|Advanced settings|This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You dont need to migrate any settings in this section.|
**Identify locally-configured settings to migrate**
@ -428,62 +355,14 @@ Table 5 is a decision matrix that helps you decide if you can use only on-premis
Table 5. Select on-premises AD DS, Azure AD, or hybrid
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">If you plan to...</th>
<th align="left">On-premises AD DS</th>
<th align="left">Azure AD</th>
<th align="left">Hybrid</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Use Office 365</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left">X</td>
</tr>
<tr class="even">
<td align="left">Use Intune for management</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left">X</td>
</tr>
<tr class="odd">
<td align="left">Use Microsoft Endpoint Manager for management</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
</tr>
<tr class="even">
<td align="left">Use Group Policy for management</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
</tr>
<tr class="odd">
<td align="left">Have devices that are domain-joined</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
</tr>
<tr class="even">
<td align="left">Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left">X</td>
</tr>
</tbody>
</table>
|If you plan to...|On-premises AD DS|Azure AD|Hybrid|
|--- |--- |--- |--- |
|Use Office 365||✔️|✔️|
|Use Intune for management||✔️|✔️|
|Use Microsoft Endpoint Manager for management|✔️||✔️|
|Use Group Policy for management|✔️||✔️|
|Have devices that are domain-joined|✔️||✔️|
|Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joined||✔️|✔️|
### <a href="" id="plan-userdevapp-manage"></a>
@ -497,113 +376,17 @@ Table 6 is a decision matrix that lists the device, user, and app management pro
Table 6. Device, user, and app management products and technologies
<table>
<colgroup>
<col width="14%" />
<col width="14%" />
<col width="14%" />
<col width="14%" />
<col width="14%" />
<col width="14%" />
<col width="14%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Desired feature</th>
<th align="left">Windows provisioning packages</th>
<th align="left">Group Policy</th>
<th align="left">Configuration Manager</th>
<th align="left">Intune</th>
<th align="left">MDT</th>
<th align="left">Windows Software Update Services</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Deploy operating system images</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left">Deploy apps during operating system deployment</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left">Deploy apps after operating system deployment</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left">Deploy software updates during operating system deployment</td>
<td align="left"></td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left">Deploy software updates after operating system deployment</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
</tr>
<tr class="even">
<td align="left">Support devices that are domain-joined</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left">Support devices that are not domain-joined</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left"></td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left">Use on-premises resources</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left">X</td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left">Use cloud-based services</td>
<td align="left"></td>
<td align="left"></td>
<td align="left"></td>
<td align="left">X</td>
<td align="left"></td>
<td align="left"></td>
</tr>
</tbody>
</table>
|Desired feature|Windows provisioning packages|Group Policy|Configuration Manager|Intune|MDT|Windows Software Update Services|
|--- |--- |--- |--- |--- |--- |--- |
|Deploy operating system images|✔️||✔️||✔️||
|Deploy apps during operating system deployment|✔️||✔️||✔️||
|Deploy apps after operating system deployment|✔️|✔️|✔️||||
|Deploy software updates during operating system deployment|||✔️||✔️||
|Deploy software updates after operating system deployment|✔️|✔️|✔️|✔️||✔️|
|Support devices that are domain-joined|✔️|✔️|✔️|✔️|✔️||
|Support devices that are not domain-joined|✔️|||✔️|✔️||
|Use on-premises resources|✔️|✔️|✔️||✔️||
|Use cloud-based services||||✔️|||
You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution.
@ -665,35 +448,10 @@ It is important that you perform any network infrastructure remediation first be
Table 7. Network infrastructure products and technologies and deployment resources
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Product or technology</th>
<th align="left">Resources</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">DHCP</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)" data-raw-source="[Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))">Core Network Guide</a></p></li>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10)" data-raw-source="[DHCP Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10))">DHCP Deployment Guide</a></p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">DNS</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)" data-raw-source="[Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))">Core Network Guide</a></p></li>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10)" data-raw-source="[Deploying Domain Name System (DNS)](/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10))">Deploying Domain Name System (DNS)</a></p></li>
</ul></td>
</tr>
</tbody>
</table>
|Product or technology|Resources|
|--- |--- |
|DHCP|<li> [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) <li> [DHCP Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd283051(v=ws.10))|
|DNS|<li>[Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) <li>[Deploying Domain Name System (DNS)](/previous-versions/windows/it-pro/windows-server-2003/cc780661(v=ws.10))|
If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section.
@ -707,37 +465,10 @@ In the [Plan for Active Directory services](#plan-adservices) section, you deter
Table 8. AD DS, Azure AD and deployment resources
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Product or technology</th>
<th align="left">Resources</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">AD DS</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)" data-raw-source="[Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11))">Core Network Guide</a></p></li>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11)" data-raw-source="[Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))">Active Directory Domain Services Overview</a></p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Azure AD</td>
<td align="left"><ul>
<li><p><a href="/azure/active-directory/" data-raw-source="[Azure Active Directory documentation](/azure/active-directory/)">Azure Active Directory documentation</a></p></li>
<li><p><a href="https://go.microsoft.com/fwlink/p/?LinkId=690259" data-raw-source="[Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259)">Manage and support Azure Active Directory Premium</a></p></li>
<li><p><a href="/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100" data-raw-source="[Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)">Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines</a></p></li>
</ul></td>
</tr>
</tbody>
</table>
|Product or technology|Resources|
|--- |--- |
|AD DS| <li> [Core Network Guide](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh911995(v=ws.11)) <li>[Active Directory Domain Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831484(v=ws.11))|
|Azure AD| <li> [Azure Active Directory documentation](/azure/active-directory/) <li>[Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259) <li>[Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100)|
If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps.
@ -750,59 +481,13 @@ Table 9 lists the Microsoft management systems and the deployment resources for
Table 9. Management systems and deployment resources
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Management system</th>
<th align="left">Resources</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Windows provisioning packages</td>
<td align="left"><ul>
<li><p><a href="/windows/configuration/provisioning-packages/provisioning-create-package" data-raw-source="[Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)">Build and apply a provisioning package</a></p></li>
<li><p><a href="/windows/configuration/provisioning-packages/provisioning-install-icd" data-raw-source="[Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)">Windows Imaging and Configuration Designer</a></p></li>
<li><p><a href="/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages" data-raw-source="[Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)">Step-By-Step: Building Windows 10 Provisioning Packages</a></p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Group Policy</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11)" data-raw-source="[Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11))">Core Network Companion Guide: Group Policy Deployment</a></p></li>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10)" data-raw-source="[Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))">Deploying Group Policy</a></p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left">Configuration Manager</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10)" data-raw-source="[Site Administration for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10))">Site Administration for System Center 2012 Configuration Manager</a></p></li>
<li><p><a href="/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10)" data-raw-source="[Deploying Clients for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))">Deploying Clients for System Center 2012 Configuration Manager</a></p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Intune</td>
<td align="left"><ul>
<li><p><a href="https://go.microsoft.com/fwlink/p/?LinkId=690262" data-raw-source="[Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)">Set up and manage devices with Microsoft Intune</a></p></li>
<li><p><a href="https://go.microsoft.com/fwlink/p/?LinkId=690263" data-raw-source="[Smoother Management Of Office 365 Deployments with Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690263)">Smoother Management Of Office 365 Deployments with Windows Intune</a></p></li>
<li><p><a href="/learn/?l=fCzIjVKy_6404984382" data-raw-source="[System Center 2012 R2 Configuration Manager &amp;amp; Windows Intune](/learn/?l=fCzIjVKy_6404984382)">System Center 2012 R2 Configuration Manager &amp; Windows Intune</a></p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left">MDT</td>
<td align="left"><ul>
<li><p><a href="https://go.microsoft.com/fwlink/p/?LinkId=690324" data-raw-source="[MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324)">MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013</a></p></li>
<li><p><a href="/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key" data-raw-source="[Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)">Step-By-Step: Installing Windows 8.1 From A USB Key</a></p></li>
</ul></td>
</tr>
</tbody>
</table>
|Management system|Resources|
|--- |--- |
|Windows provisioning packages| <li> [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package) <li>[Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) <li> [Step-By-Step: Building Windows 10 Provisioning Packages](/archive/blogs/canitpro/step-by-step-building-windows-10-provisioning-packages)|
|Group Policy|<li> [Core Network Companion Guide: Group Policy Deployment](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj899807(v=ws.11)) <li> [Deploying Group Policy](/previous-versions/windows/it-pro/windows-server-2003/cc737330(v=ws.10))"|
|Configuration Manager| <li> [Site Administration for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg681983(v=technet.10)) <li> [Deploying Clients for System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699391(v=technet.10))|
|Intune| <li> [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262) <li> [Smoother Management Of Office 365 Deployments with Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690263) <li> [System Center 2012 R2 Configuration Manager &amp;amp; Windows Intune](/learn/?l=fCzIjVKy_6404984382)|
|MDT| <li>[MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324) <li> [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)|
If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.
@ -815,44 +500,11 @@ In this step, you need to configure your management system to deploy the apps to
Table 10. Management systems and app deployment resources
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Management system</th>
<th align="left">Resources</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Group Policy</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)" data-raw-source="[Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))">Editing an AppLocker Policy</a></p></li>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10)" data-raw-source="[Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10))">Group Policy Software Deployment Background</a></p></li>
<li><p><a href="/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10)" data-raw-source="[Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))">Assigning and Publishing Software</a></p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left">Configuration Manager</td>
<td align="left"><ul>
<li><p><a href="/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10)" data-raw-source="[How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10))">How to Deploy Applications in Configuration Manager</a></p></li>
<li><p><a href="/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10)" data-raw-source="[Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))">Application Management in Configuration Manager</a></p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left">Intune</td>
<td align="left"><ul>
<li><p><a href="https://go.microsoft.com/fwlink/p/?LinkId=733913" data-raw-source="[Deploy apps to mobile devices in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733913)">Deploy apps to mobile devices in Microsoft Intune</a></p></li>
<li><p><a href="/mem/intune/" data-raw-source="[Manage apps with Microsoft Intune](/mem/intune/)">Manage apps with Microsoft Intune</a></p></li>
</ul></td>
</tr>
</tbody>
</table>
|Management system|Resources|
|--- |--- |
|Group Policy| <li> [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) <li> [Group Policy Software Deployment Background](/previous-versions/windows/it-pro/windows-server-2003/cc739305(v=ws.10)) <li> [Assigning and Publishing Software](/previous-versions/windows/it-pro/windows-server-2003/cc783635(v=ws.10))|
|Configuration Manager| <li> [How to Deploy Applications in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682082(v=technet.10)) <li> [Application Management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699373(v=technet.10))|
|Intune| <li> [Deploy apps to mobile devices in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733913) <li> [Manage apps with Microsoft Intune](/mem/intune/)|
If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps.

785
education/windows/deploy-windows-10-in-a-school-district.md
View File

@ -83,7 +83,7 @@ This district configuration has the following characteristics:
* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
* Use [Intune](/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
* Use [Intune](/intune/), [Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/set-up), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
* Each device supports a one-student-per-device or multiple-students-per-device scenario.
@ -128,7 +128,7 @@ Office 365 Education allows:
* Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices).
For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic).
For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://www.microsoft.com/microsoft-365/academic/compare-office-365-education-plans).
### How to configure a district
@ -225,80 +225,10 @@ Use the cloud-centric scenario and on-premises and cloud scenario as a guide for
To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Method</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">MDT</td>
<td><p>MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.<br/><br/>
Select this method when you:</p>
<ul>
<li>Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.)</li>
<li>Dont have an existing AD DS infrastructure.</li>
<li>Need to manage devices regardless of where they are (on or off premises).</li>
</ul>
<p>The advantages of this method are that:</p>
<ul>
<li>You can deploy Windows 10 operating systems.</li>
<li>You can manage device drivers during initial deployment.</li>
<li>You can deploy Windows desktop apps (during initial deployment)</li>
<li>It doesnt require an AD DS infrastructure.</li>
<li>It doesnt have additional infrastructure requirements.</li>
<li>MDT doesnt incur additional cost: its a free tool.</li>
<li>You can deploy Windows 10 operating systems to institution-owned and personal devices.</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Cant manage applications throughout entire application life cycle (by itself).</li>
<li>Cant manage software updates for Windows 10 and apps (by itself).</li>
<li>Doesnt provide antivirus and malware protection (by itself).</li>
<li>Has limited scaling to large numbers of users and devices.</li>
</ul>
</td>
</tr>
<tr>
<td valign="top">Microsoft Endpoint Configuration Manager</td>
<td><p>Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle. You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection.<br/><br/>
Select this method when you:</p>
<ul>
<li>Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined).</li>
<li>Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure).</li>
<li>Typically deploy Windows 10 to on-premises devices.</li>
</ul>
<p>The advantages of this method are that:</p>
<ul>
<li>You can deploy Windows 10 operating systems.</li>
<li>You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.</li>
<li>You can manage software updates for Windows 10 and apps.</li>
<li>You can manage antivirus and malware protection.</li>
<li>It scales to large number of users and devices.</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).</li>
<li>Can deploy Windows 10 only to domain-joined (institution-owned devices).</li>
<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).</li>
</ul>
</td>
</tr>
</tbody>
</table>
|Method|Description|
|--- |--- |
|MDT|MDT is an on-premises solution that supports initial operating system deployment and upgrade. You can use MDT to deploy and upgrade Windows 10. In addition, you can initially deploy Windows desktop and Microsoft Store apps and software updates.<br> Select this method when you: <li> Want to deploy Windows 10 to institution-owned and personal devices. (Devices need not be domain joined.) <li> Dont have an existing AD DS infrastructure. <li> Need to manage devices regardless of where they are (on or off premises). <br>The advantages of this method are that: <br> <li> You can deploy Windows 10 operating systems <li> You can manage device drivers during initial deployment. <li>You can deploy Windows desktop apps (during initial deployment)<li> It doesnt require an AD DS infrastructure.<li>It doesnt have additional infrastructure requirements.<li>MDT doesnt incur additional cost: its a free tool.<li>You can deploy Windows 10 operating systems to institution-owned and personal devices. <br> The disadvantages of this method are that it:<br> <li>Cant manage applications throughout entire application life cycle (by itself).<li>Cant manage software updates for Windows 10 and apps (by itself).<li>Doesnt provide antivirus and malware protection (by itself).<li>Has limited scaling to large numbers of users and devices.|
|Microsoft Endpoint Configuration Manager|<li> Configuration Manager is an on-premises solution that supports operating system management throughout the entire operating system life cycle <li>You can use Configuration Manager to deploy and upgrade Windows 10. In addition, you can manage Windows desktop and Microsoft Store apps and software updates as well as provide antivirus and antimalware protection. <br> Select this method when you: <li> Want to deploy Windows 10 to institution-owned devices that are domain joined (personal devices are typically not domain joined). <li>Have an existing AD DS infrastructure (or plan to deploy an AD DS infrastructure). <li>Typically deploy Windows 10 to on-premises devices. <br> The advantages of this method are that: <li>You can deploy Windows 10 operating systems.<li>You can manage (deploy) Windows desktop and Microsoft Store apps throughout entire application life cycle.<li>You can manage software updates for Windows 10 and apps.<li>You can manage antivirus and malware protection.<li>It scales to large number of users and devices. <br>The disadvantages of this method are that it:<li>Carries an additional cost for Microsoft Endpoint Manager server licenses (if the institution does not have Configuration Manager already).<li>Can deploy Windows 10 only to domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).|
*Table 2. Deployment methods*
@ -317,81 +247,10 @@ If you have only one device to configure, manually configuring that one device i
For a district, there are many ways to manage the configuration setting for users and devices. Table 4 lists the methods that this guide describes and recommends. Use this information to determine which combination of configuration setting management methods is right for your institution.
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Method</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">Group Policy</td>
<td><p>Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows.<br/><br/>
Select this method when you:</p>
<ul>
<li>Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).</li>
<li>Want more granular control of device and user settings.</li>
<li>Have an existing AD DS infrastructure.</li>
<li>Typically manage on-premises devices.</li>
<li>Can manage a required setting only by using Group Policy.</li>
</ul>
<p>The advantages of this method include:</p>
<ul>
<li>No cost beyond the AD DS infrastructure.</li>
<li>A larger number of settings (compared to Intune).</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Can only manage domain-joined (institution-owned devices).</li>
<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).</li>
<li>Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).</li>
<li>Has rudimentary app management capabilities.</li>
<li>Cannot deploy Windows 10 operating systems.</li>
</ul>
</td>
</tr>
<tr>
<td valign="top">Intune</td>
<td><p>Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br/><br/>
Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.<br/><br/>
Select this method when you:</p>
<ul>
<li>Want to manage institution-owned and personal devices (does not require that the device be domain joined).</li>
<li>Dont need granular control over device and user settings (compared to Group Policy).</li>
<li>Dont have an existing AD DS infrastructure.</li>
<li>Need to manage devices regardless of where they are (on or off premises).</li>
<li>Want to provide application management for the entire application life cycle.</li>
<li>Can manage a required setting only by using Intune.</li>
</ul>
<p>The advantages of this method are that:</p>
<ul>
<li>You can manage institution-owned and personal devices.</li>
<li>It doesnt require that devices be domain joined.</li>
<li>It doesnt require any on-premises infrastructure.</li>
<li>It can manage devices regardless of their location (on or off premises).</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Carries an additional cost for Intune subscription licenses.</li>
<li>Doesnt offer granular control over device and user settings (compared to Group Policy).</li>
<li>Cannot deploy Windows 10 operating systems.</li>
</ul>
</td>
</tr>
</tbody>
</table>
|Method|Description|
|--- |--- |
|Group Policy|Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. <br> Select this method when you <li>Want to manage institution-owned devices that are domain joined (personal devices are typically not domain joined).<li> Want more granular control of device and user settings. <li>Have an existing AD DS infrastructure.<li>Typically manage on-premises devices.<li>Can manage a required setting only by using Group Policy. <br>The advantages of this method include: <li>No cost beyond the AD DS infrastructure. <li>A larger number of settings (compared to Intune).<br>The disadvantages of this method are that it:<li>Can only manage domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).<li>Typically manages on-premises devices (unless devices use a virtual private network [VPN] or Microsoft DirectAccess to connect).<li> Has rudimentary app management capabilities.<li> Cannot deploy Windows 10 operating systems.|
|Intune|Intune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br>Intune is the cloud-based management system described in this guide, but you can use other MDM providers. If you use an MDM provider other than Intune, integration with Configuration Manager is unavailable.<br>Select this method when you:<li> Want to manage institution-owned and personal devices (does not require that the device be domain joined).<li>Dont need granular control over device and user settings (compared to Group Policy).<li>Dont have an existing AD DS infrastructure.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<li>Can manage a required setting only by using Intune.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesnt require that devices be domain joined.<li>It doesnt require any on-premises infrastructure.<li>It can manage devices regardless of their location (on or off premises).<br>The disadvantages of this method are that it:<li>Carries an additional cost for Intune subscription licenses.<li>Doesnt offer granular control over device and user settings (compared to Group Policy).<li>Cannot deploy Windows 10 operating systems.|
*Table 4. Configuration setting management methods*
@ -410,114 +269,11 @@ For a district, there are many ways to manage apps and software updates. Table 6
Use the information in Table 6 to determine which combination of app and update management products is right for your district.
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Selection</th>
<th align="left">Management method</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">Microsoft Endpoint Configuration Manager</td>
<td><p>Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.<br/><br/>Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications.<br/><br/>Select this method when you:</p>
<ul>
<li>Selected Configuration Manager to deploy Windows 10.</li>
<li>Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).</li>
<li>Want to manage AD DS domain-joined devices.</li>
<li>Have an existing AD DS infrastructure.</li>
<li>Typically manage on-premises devices.</li>
<li>Want to deploy operating systems.</li>
<li>Want to provide application management for the entire application life cycle.</li>
</ul>
<p>The advantages of this method are that:</p>
<ul>
<li>You can deploy Windows 10 operating systems.</li>
<li>You can manage applications throughout the entire application life cycle.</li>
<li>You can manage software updates for Windows 10 and apps.</li>
<li>You can manage antivirus and malware protection.</li>
<li>It scales to large numbers of users and devices.</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).</li>
<li>Carries an additional cost for Windows Server licenses and the corresponding server hardware.</li>
<li>Can only manage domain-joined (institution-owned devices).</li>
<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).</li>
<li>Typically manages on-premises devices (unless devices through VPN or DirectAccess).</li>
</ul>
</td>
</tr>
<tr>
<td valign="top">Intune</td>
<td><p>Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br/><br/>
Select this method when you:</p>
<ul>
<li>Selected MDT only to deploy Windows 10.</li>
<li>Want to manage institution-owned and personal devices that are not domain joined.</li>
<li>Want to manage Azure AD domain-joined devices.</li>
<li>Need to manage devices regardless of where they are (on or off premises).</li>
<li>Want to provide application management for the entire application life cycle.</li>
</ul>
<p>The advantages of this method are that:</p>
<ul>
<li>You can manage institution-owned and personal devices.</li>
<li>It doesnt require that devices be domain joined.</li>
<li>It doesnt require on-premises infrastructure.</li>
<li>It can manage devices regardless of their location (on or off premises).</li>
<li>You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Carries an additional cost for Intune subscription licenses.</li>
<li>Cannot deploy Windows 10 operating systems.</li>
</ul>
</td>
</tr>
<tr>
<td valign="top">Microsoft Endpoint Manager and Intune (hybrid)</td>
<td><p>Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.<br/><br/>
Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.<br/><br/>
Select this method when you:</p>
<ul>
<li>Selected Microsoft Endpoint Manager to deploy Windows 10.</li>
<li>Want to manage institution-owned and personal devices (does not require that the device be domain joined).</li>
<li>Want to manage domain-joined devices.</li>
<li>Want to manage Azure AD domain-joined devices.</li>
<li>Have an existing AD DS infrastructure.</li>
<li>Want to manage devices regardless of their connectivity.</li>
<li>Want to deploy operating systems.</li>
<li>Want to provide application management for the entire application life cycle.</li>
</ul>
<p>The advantages of this method are that:</p>
<ul>
<li>You can deploy operating systems.</li>
<li>You can manage applications throughout the entire application life cycle.</li>
<li>You can scale to large numbers of users and devices.</li>
<li>You can support institution-owned and personal devices.</li>
<li>It doesnt require that devices be domain joined.</li>
<li>It can manage devices regardless of their location (on or off premises).</li>
</ul>
<p>The disadvantages of this method are that it:</p>
<ul>
<li>Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).</li>
<li>Carries an additional cost for Windows Server licenses and the corresponding server hardware.</li>
<li>Carries an additional cost for Intune subscription licenses.</li>
<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).</li>
</ul>
</td>
</tr>
</tbody>
</table>
|Selection|Management method|
|--- |--- |
|Microsoft Endpoint Configuration Manager|Configuration Manager is an on-premises solution that allows you to specify configuration settings for Windows 10; previous versions of Windows; and other operating systems, such as iOS or Android, through integration with Intune.Configuration Manager supports application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager. You can also manage Windows desktop and Microsoft Store applications. Select this method when you:<li>Selected Configuration Manager to deploy Windows 10.<li>Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).<li>Want to manage AD DS domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Typically manage on-premises devices.<li>Want to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can deploy Windows 10 operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can manage software updates for Windows 10 and apps.<li>You can manage antivirus and malware protection.<li>It scales to large numbers of users and devices.<br>The disadvantages of this method are that it:<li>Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).<li>Carries an additional cost for Windows Server licenses and the corresponding server hardware.<li>Can only manage domain-joined (institution-owned devices).<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).<li>Typically manages on-premises devices (unless devices through VPN or DirectAccess).|
|Intune|Intune is a cloud-based solution that allows you to manage apps and software updates for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD.<br>Select this method when you:<li>Selected MDT only to deploy Windows 10.<li>Want to manage institution-owned and personal devices that are not domain joined.<li>Want to manage Azure AD domain-joined devices.<li>Need to manage devices regardless of where they are (on or off premises).<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can manage institution-owned and personal devices.<li>It doesnt require that devices be domain joined.<li>It doesnt require on-premises infrastructure.vIt can manage devices regardless of their location (on or off premises).<li>You can deploy keys to perform in-place Windows 10 upgrades (such as upgrading from Windows 10 Pro to Windows 10 Education edition).<br>The disadvantages of this method are that it:<li>Carries an additional cost for Intune subscription licenses.<li>Cannot deploy Windows 10 operating systems.|
|Microsoft Endpoint Manager and Intune (hybrid)|Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.<br>Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices. <br>Select this method when you:<li>Selected Microsoft Endpoint Manager to deploy Windows 10.<li>Want to manage institution-owned and personal devices (does not require that the device be domain joined).<li>Want to manage domain-joined devices.<li>Want to manage Azure AD domain-joined devices.<li>Have an existing AD DS infrastructure.<li>Want to manage devices regardless of their connectivity.vWant to deploy operating systems.<li>Want to provide application management for the entire application life cycle.<br>The advantages of this method are that:<li>You can deploy operating systems.<li>You can manage applications throughout the entire application life cycle.<li>You can scale to large numbers of users and devices.<li>You can support institution-owned and personal devices.<li>It doesnt require that devices be domain joined.<li>It can manage devices regardless of their location (on or off premises).<br>The disadvantages of this method are that it:<li>Carries an additional cost for Configuration Manager server licenses (if the institution does not have Configuration Manager already).<li>Carries an additional cost for Windows Server licenses and the corresponding server hardware.<li>Carries an additional cost for Intune subscription licenses.<li>Requires an AD DS infrastructure (if the institution does not have AD DS already).|
*Table 6. App and update management products*
@ -683,7 +439,7 @@ Now that you have created your new Office 365 Education subscription, add the do
To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
> [!NOTE]
> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush).
> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up FAQ](/microsoft-365/education/deploy/office-365-education-self-sign-up).
Office 365 uses the domain portion of the users email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
@ -695,7 +451,7 @@ You will always want faculty and students to join the Office 365 tenant that you
> [!NOTE]
> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up).
|Action |Windows PowerShell command|
|-------|--------------------------|
@ -714,7 +470,7 @@ To reduce your administrative effort, automatically assign Office 365 Education
> [!NOTE]
> By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](/microsoft-365/education/deploy/office-365-education-self-sign-up).
|Action |Windows PowerShell command|
|-------|--------------------------|
@ -887,7 +643,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T
|-------|---------------------------------------------|
|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren't comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)).|
|VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if youre comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).|
|Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if youre comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
|Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if youre comfortable with Windows PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
*Table 12. AD DS bulk-import account methods*
@ -935,7 +691,7 @@ You can use the Microsoft 365 admin center to add individual Office 365 accounts
The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 9. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts.
For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365 - Admin help](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US).
For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Microsoft 365](/microsoft-365/enterprise/add-several-users-at-the-same-time).
> [!NOTE]
> If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
@ -949,7 +705,7 @@ Assign SharePoint Online resource permissions to Office 365 security groups, not
> [!NOTE]
> If your institution has AD DS, dont create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
For information about creating security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
For information about creating security groups, see [Create an Office 365 Group in the admin center](/microsoft-365/admin/create-groups/create-groups).
You can add and remove users from security groups at any time.
@ -966,7 +722,7 @@ You can create email distribution groups based on job role (such as teacher, adm
> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps.
For information about creating email distribution groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
For information about creating email distribution groups, see [Create a Microsoft 365 group in the admin center](/microsoft-365/admin/create-groups/create-groups).
#### Summary
@ -1083,63 +839,11 @@ This guide discusses thick image deployment. For information about thin image de
### Select a method to initiate deployment
The LTI deployment process is highly automated: it requires minimal information to deploy or upgrade Windows 10. The ZTI deployment process is fully automated, but you must manually initiate it. To do so, use the method listed in Table 15 that best meets the needs of your institution.
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Method</th>
<th align="left">Description and reason to select this method</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">Windows Deployment Services</td>
<td><p>This method:</p>
<ul>
<li>Uses diskless booting to initiate LTI and ZTI deployments.</li>
<li>Works only with devices that support PXE boot.</li>
<li>Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.</li>
<li>Deploys images more slowly than when you use local media.</li>
<li>Requires that you deploy a Windows Deployment Services server.</li>
</ul>
<br/>Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically dont require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.
</td>
</tr>
<tr>
<td valign="top">Bootable media</td>
<td><p>This method:</p>
<ul>
<li>Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.</li>
<li>Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.</li>
<li>Deploys images more slowly than when using local media.</li>
<li>Requires no additional infrastructure.</li>
</ul>
<br/>Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically dont require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.
</td>
</tr>
<tr>
<td valign="top">Deployment media</td>
<td><p>This method:</p>
<ul>
<li>Initiates LTI or ZTI deployment by booting from a local USB hard disk.</li>
<li>Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.</li>
<li>Deploys images more quickly than network-based methods do.</li>
<li>Requires a USB hard disk because of the deployment shares storage requirements (up to 100 GB).</li>
</ul>
<br/>Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk.
</td>
</tr>
</tbody>
</table>
|Method|Description and reason to select this method|
|--- |--- |
|Windows Deployment Services|This method:<li>Uses diskless booting to initiate LTI and ZTI deployments.<li>Works only with devices that support PXE boot.<li>Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.<li>Deploys images more slowly than when you use local media.<li>Requires that you deploy a Windows Deployment Services server.<br><br>Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically dont require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.|
|Bootable media|This method:<li>Initiates LTI or ZTI deployment by booting from local media, including from USB drives, DVD, or CD.<li>Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.<li>Deploys images more slowly than when using local media.<li>Requires no additional infrastructure.<br> <br>Select this method when you want to deploy Windows over the network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically dont require updates after you create them (LTI and ZTI access the centrally located deployment content over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.|
|Deployment media|This method:<li>Initiates LTI or ZTI deployment by booting from a local USB hard disk.<li>Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.<li>Deploys images more quickly than network-based methods do.<li>Requires a USB hard disk because of the deployment shares storage requirements (up to 100 GB).<br> <br>Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share or distribution point content, you must regenerate the deployment media and update the USB hard disk.
*Table 15. Methods to initiate LTI and ZTI deployments*
@ -1154,91 +858,14 @@ Before you can deploy Windows 10 and your apps to devices, you need to prepare y
The first step in preparing for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 16 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 16.
<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Task</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">1. Import operating systems</td>
<td>Import the operating systems that you selected in the <a href="#select-the-operating-systems" data-raw-source="[Select the operating systems](#select-the-operating-systems)">Select the operating systems</a> section into the deployment share. For more information about how to import operating systems, see <a href="/mem/configmgr/mdt/use-the-mdt#ImportanOperatingSystemintotheDeploymentWorkbench" data-raw-source="[Import an Operating System into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportanOperatingSystemintotheDeploymentWorkbench)">Import an Operating System into the Deployment Workbench</a>.</td>
</tr>
<tr>
<td valign="top">2. Import device drivers</td>
<td>Device drivers allow Windows 10 to know a devices hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.<br/><br/>
Import device drivers for each device in your institution. For more information about how to import device drivers, see <a href="/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench" data-raw-source="[Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)">Import Device Drivers into the Deployment Workbench</a>.
</td>
</tr>
<tr>
<td valign="top">3. Create MDT applications for Microsoft Store apps</td>
<td>Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using <i>sideloading</i>, which allows you to use the <strong>Add-AppxPackage</strong> Windows PowerShell cmdlet to deploy the .appx files associated with the app (called <em>provisioned apps</em>). Use this method to deploy up to 24 apps to Windows 10.<br/><br/>
<p>Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:</p>
<ul>
<li>For offline-licensed apps, download the .appx files from the Microsoft Store for Business.</li>
<li>For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.</li>
</ul>
<br/>If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.<br/><br/>
If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the <a href="#deploy-and-manage-apps-by-using-intune" data-raw-source="[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)">Deploy and manage apps by using Intune</a> and <a href="#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager" data-raw-source="[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)">Deploy and manage apps by using Microsoft Endpoint Configuration Manager</a> sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.<br/><br/>
In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:<br/><br/>
<ul>
<li>Prepare your environment for sideloading, see <a href="/previous-versions/windows/" data-raw-source="[Try it out: sideload Microsoft Store apps](/previous-versions/windows/)">Try it out: sideload Microsoft Store apps</a>.</li>
<li>Create an MDT application, see <a href="/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench" data-raw-source="[Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench)">Create a New Application in the Deployment Workbench</a>.</li>
</ul>
</td>
</tr>
<tr>
<td valign="top">4. Create MDT applications for Windows desktop apps</td>
<td>You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.<br/><br/>
To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in <a href="/deployoffice/deploy-microsoft-365-apps-local-source" data-raw-source="[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source)">Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool</a>.<br/><br/>
If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the <a href="#deploy-and-manage-apps-by-using-intune" data-raw-source="[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)">Deploy and manage apps by using Intune</a> section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.
<br/><br/>
<strong>Note</strong>&nbsp;&nbsp;You can also deploy Windows desktop apps after you deploy Windows 10, as described in the <a href="#deploy-and-manage-apps-by-using-intune" data-raw-source="[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)">Deploy and manage apps by using Intune</a> section.
For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).
</td>
</tr>
<tr>
<td valign="top">5. Create task sequences</td>
<td><p>You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:</p>
<ul>
<li>Deploy 64-bit Windows 10 Education to devices.</li>
<li>Deploy 32-bit Windows 10 Education to devices.</li>
<li>Upgrade existing devices to 64-bit Windows 10 Education.</li>
<li>Upgrade existing devices to 32-bit Windows 10 Education.</li>
</ul>
<br/>Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see <a href="/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench" data-raw-source="[Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench)">Create a New Task Sequence in the Deployment Workbench</a>.
</td>
</tr>
<tr>
<td valign="top">6. Update the deployment share</td>
<td>Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.<br/><br/>
For more information about how to update a deployment share, see <a href="/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench" data-raw-source="[Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench)">Update a Deployment Share in the Deployment Workbench</a>.
</td>
</tr>
</tbody>
</table>
|Task|Description|
|--- |--- |
|1. Import operating systems|Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)|
|2. Import device drivers|Device drivers allow Windows 10 to know a devices hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.<br>Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench)|
|3. Create MDT applications for Microsoft Store apps|Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.<br>Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:<li>For offline-licensed apps, download the .appx files from the Microsoft Store for Business.<li>For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.<br> <br> If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.<br>If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager). This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.<br>In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:<li>Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](/previous-versions/windows/).<li>Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).|
|4. Create MDT applications for Windows desktop apps|You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.<br>To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in[Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source).<br> If you have Intune, you can [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune), as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps.<br>This is the preferred method for deploying and managing Windows desktop apps.<br>**Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) <br>For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).|
|5. Create task sequences|You must create separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education, (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education, or (3) if you want to run deployments and upgrades for both 32-bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:<li>Deploy 64-bit Windows 10 Education to devices.<li>Deploy 32-bit Windows 10 Education to devices.<li>Upgrade existing devices to 64-bit Windows 10 Education.<li>Upgrade existing devices to 32-bit Windows 10 Education.<br> <br>Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).|
|6. Update the deployment share|Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.<br>For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).|
*Table 16. Tasks to configure the MDT deployment share*
@ -1276,7 +903,7 @@ Deploying a new Configuration Manager infrastructure is beyond the scope of this
Create a Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with Configuration Manager](/mem/configmgr/apps/deploy-use/deploy-applications).
### Configure Window Deployment Services for MDT
### Configure Windows Deployment Services for MDT
You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target devices. These boot images can be Windows PE images (which you generated in step 6 in Table 16) or custom images that can deploy operating systems directly to the target devices.
@ -1298,7 +925,7 @@ You can use Windows Deployment Services in conjunction with MDT to automatically
For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices).
### Configure Window Deployment Services for Microsoft Endpoint Configuration Manager
### Configure Windows Deployment Services for Microsoft Endpoint Configuration Manager
> [!NOTE]
> If you have already configured your Microsoft Endpoint Manager infrastructure to support PXE boot or selected to deploy Windows 10 by using MDT only, then skip this section and continue to the next.
@ -1430,116 +1057,20 @@ Microsoft has several recommended settings for educational institutions. Table 1
Use the information in Table 17 to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings.
<table>
<colgroup>
<col width="75%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Recommendation</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td valign="top">Use of Microsoft accounts</td>
<td>You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.<br/><br/>
**Note**&nbsp;&nbsp;Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.<br/><br/>
**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users cant add Microsoft accounts** setting option.<br/><br/>
**Intune.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.
</td>
</tr>
<tr>
<td valign="top">Restrict the local administrator accounts on the devices</td>
<td>Ensure that only authorized users are local administrators on institution-owned devices. Typically, you dont want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.<br/><br/>
<strong>Group Policy.</strong> Create a <strong>Local Group</strong> Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.<br/><br/>
<strong>Intune.</strong> Not available.
</td>
</tr>
<tr>
<td valign="top">Manage the built-in administrator account created during device deployment</td>
<td>When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.<br/><br/>
<strong>Group Policy.</strong> To rename the built-in Administrator account, use the <strong>Accounts: Rename administrator account</strong> Group Policy setting. For more information about how to rename the built-in Administrator account, see <a href="/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)" data-raw-source="[To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10))">To rename the Administrator account using the Group Policy Management Console</a>. You specify the new name for the Administrator account. To disable the built-in Administrator account, use the <strong>Accounts: Administrator account status</strong> Group Policy setting. For more information about how to disable the built-in Administrator account, see <a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)" data-raw-source="[Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11))">Accounts: Administrator account status</a>.<br/><br/>
<strong>Intune.</strong> Not available.
</td>
</tr>
<tr>
<td valign="top">Control Microsoft Store access</td>
<td>You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.<br/><br/>
<strong>Group Policy.</strong> To disable the Microsoft Store app, use the <strong>Turn off the Store Application</strong> group policy setting. To prevent Microsoft Store apps from receiving updates, use the <strong>Turn off Automatic Download and Install of updates</strong> Group Policy setting. For more information about configuring these settings, see <a href="/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP" data-raw-source="[Can I use Group Policy to control the Microsoft Store in my enterprise environment?](/previous-versions/windows/it-pro/windows-8.1-and-8/hh832040(v=ws.11)#BKMK_UseGP)">Can I use Group Policy to control the Microsoft Store in my enterprise environment?</a>.<br/><br/>
<strong>Intune.</strong> To enable or disable Microsoft Store access, use the <strong>Allow application store</strong> policy setting in the <strong>Apps</strong> section of a <strong>Windows 10 General Configuration policy</strong>.
</td>
</tr>
<tr>
<td valign="top">Use of Remote Desktop connections to devices</td>
<td>Remote Desktop connections could allow unauthorized access to the device. Depending on your institutions policies, you may want to disable Remote Desktop connections on your devices.<br/><br/>
<strong>Group Policy.</strong> To enable or disable Remote Desktop connections to devices, use the <strong>Allow Users to connect remotely using Remote Desktop</strong> setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.<br/><br/>
<strong>Intune.</strong> Not available.
</td>
</tr>
|Recommendation|Description|
|--- |--- |
|Use of Microsoft accounts|You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.<br>**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices. <br>**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users cant add Microsoft accounts** setting option.<br>****Intune**.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.|
|Restrict the local administrator accounts on the devices|Ensure that only authorized users are local administrators on institution-owned devices. Typically, you dont want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.<br>**Group Policy**. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item. <br>**Intune**. Not available.|
|Manage the built-in administrator account created during device deployment|When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.<br> **Group Policy**. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-essentials-sbs/cc747484(v=ws.10)). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852165(v=ws.11)).<br> **Intune**. Not available.|
|Control Microsoft Store access|You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.<br>**Group policy**. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?<br>**Intune**. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.|
|Use of Remote Desktop connections to devices|Remote Desktop connections could allow unauthorized access to the device. Depending on your institutions policies, you may want to disable Remote Desktop connections on your devices.<br>**Group policy**. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.<br>**Intune**. Not available.|
|Use of camera|A devices camera can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the camera on your devices.<br>**Group policy**. Not available.<br>**Intune**. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy.|
|Use of audio recording|Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the Sound Recorder app on your devices.<br>**Group policy**. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)) and [Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11)).<br>**Intune**. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.|
|Use of screen capture|Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the ability to perform screen captures on your devices.<br>**Group policy**. Not available.<br>**Intune**. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy.|
|Use of location services|Providing a devices location can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the location service on your devices.<br>**Group policy**. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.<br>**Intune**. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy.|
|Changing wallpaper|Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institutions policies, you may want to prevent users from changing the wallpaper on institution-owned devices.<br>**Group policy**. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.<br>**Intune**. Not available.|
<tr>
<td valign="top">Use of camera</td>
<td>A devices camera can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the camera on your devices.<br/><br/>
<strong>Group Policy.</strong> Not available.<br/><br/>
<strong>Intune.</strong> To enable or disable the camera, use the <strong>Allow camera</strong> policy setting in the <strong>Hardware</strong> section of a <strong>Windows 10 General Configuration</strong> policy.
</td>
</tr>
<tr>
<td valign="top">Use of audio recording</td>
<td>Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the Sound Recorder app on your devices.<br/><br/>
<strong>Group Policy.</strong> To disable the Sound Recorder app, use the <strong>Do not allow Sound Recorder to run</strong> Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in <a href="/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10)" data-raw-source="[Editing an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791894(v=ws.10))">Editing an AppLocker Policy</a> and <a href="/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11)" data-raw-source="[Create Your AppLocker Policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791899(v=ws.11))">Create Your AppLocker Policies</a>.<br/><br/>
<strong>Intune.</strong> To enable or disable audio recording, use the <strong>Allow voice recording</strong> policy setting in the <strong>Features</strong> section of a <strong>Windows 10 General Configuration</strong> policy.
</td>
</tr>
<tr>
<td valign="top">Use of screen capture</td>
<td>Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the ability to perform screen captures on your devices.<br/><br/>
<strong>Group Policy.</strong> Not available.<br/><br/>
<strong>Intune.</strong> To enable or disable screen capture, use the <strong>Allow screen capture</strong> policy setting in the <strong>System</strong> section of a <strong>Windows 10 General Configuration</strong> policy.
</td>
</tr>
<tr>
<td valign="top">Use of location services</td>
<td>Providing a devices location can be a source of disclosure or privacy issues in an education environment. Depending on your institutions policies, you may want to disable the location service on your devices.<br/><br/>
<strong>Group Policy.</strong> To enable or disable location services, use the <strong>Turn off location</strong> group policy setting in User Configuration\Windows Components\Location and Sensors.<br/><br/>
<strong>Intune.</strong> To enable or disable location services, use the <strong>Allow geolocation</strong> policy setting in the <strong>Hardware</strong> section of a <strong>Windows 10 General Configuration</strong> policy.
</td>
</tr>
<tr>
<td valign="top">Changing wallpaper</td>
<td>Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institutions policies, you may want to prevent users from changing the wallpaper on institution-owned devices.<br/><br/>
<strong>Group Policy.</strong> To configure the wallpaper, use the <strong>Desktop WallPaper</strong> setting in User Configuration\Administrative Templates\Desktop\Desktop.<br/><br/>
<strong>Intune.</strong> Not available.
</td>
</tr>
</tbody>
</table>
<br/>
<em>Table 17. Recommended settings for educational institutions</em>
@ -1719,205 +1250,23 @@ After the initial deployment, you need to perform certain tasks to maintain the
Table 19 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks.
<table>
<colgroup>
<col width="10%" />
<col width="10%" />
<col width="10%" />
<col width="70%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Task and resources</th>
<th align="left">Monthly</th>
<th align="left">New semester or academic year</th>
<th align="left">As required</th>
</tr>
</thead>
<tbody>
<tr>
<td>Verify that Windows Update is active and current with operating system and software updates.<br/><br/>
For more information about completing this task when you have:
<ul>
<li>Intune, see <a href="/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune" data-raw-source="[Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)">Keep Windows PCs up to date with software updates in Microsoft Intune</a>.</li>
<li>Group Policy, see <a href="/windows/deployment/update/waas-manage-updates-wufb" data-raw-source="[Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb)">Windows Update for Business</a>.</li>
<li>WSUS, see <a href="/windows/deployment/deploy-whats-new" data-raw-source="[Windows Server Update Services](/windows/deployment/deploy-whats-new)">Windows Server Update Services</a>.</li>
<li>Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, &amp; activate” in <a href="https://support.microsoft.com/products/windows?os=windows-10" data-raw-source="[Windows 10 help](https://support.microsoft.com/products/windows?os=windows-10)">Windows 10 help</a>.</li>
</ul>
</td>
<td>x</td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Verify that Windows Defender is active and current with malware Security intelligence.<br/><br/>
For more information about completing this task, see <a href="https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02" data-raw-source="[Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)">Turn Windows Defender on or off</a> and <a href="https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03" data-raw-source="[Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03)">Updating Windows Defender</a>.
</td>
<td>x</td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.<br/><br/>
For more information about completing this task, see the “How do I find and remove a virus?” topic in <a href="https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses" data-raw-source="[Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses)">Protect my PC from viruses</a>.
</td>
<td>x</td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Download and approve updates for Windows 10, apps, device driver, and other software.<br/><br/>
For more information, see:
<ul>
<li><a href="#manage-updates-by-using-intune" data-raw-source="[Manage updates by using Intune](#manage-updates-by-using-intune)">Manage updates by using Intune</a></li>
<li><a href="#manage-updates-by-using-microsoft-endpoint-configuration-manager" data-raw-source="[Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)">Manage updates by using Microsoft Endpoint Configuration Manager</a></li>
</ul>
</td>
<td>x</td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Verify that youre using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).<br/><br/>
For more information about Windows 10 servicing options for updates and upgrades, see <a href="/windows/deployment/update/" data-raw-source="[Windows 10 servicing options](/windows/deployment/update/)">Windows 10 servicing options</a>.
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Refresh the operating system and apps on devices.<br/><br/>
For more information about completing this task, see the following resources:
<ul>
<li><a href="#prepare-for-deployment" data-raw-source="[Prepare for deployment](#prepare-for-deployment)">Prepare for deployment</a></li>
<li><a href="#capture-the-reference-image" data-raw-source="[Capture the reference image](#capture-the-reference-image)">Capture the reference image</a></li>
<li><a href="#deploy-windows-10-to-devices" data-raw-source="[Deploy Windows 10 to devices](#deploy-windows-10-to-devices)">Deploy Windows 10 to devices</a></li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.<br/><br/>
For more information, see:
<ul>
<li><a href="#deploy-and-manage-apps-by-using-intune" data-raw-source="[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)">Deploy and manage apps by using Intune</a></li>
<li><a href="#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager" data-raw-source="[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)">Deploy and manage apps by using Microsoft Endpoint Configuration Manager</a></li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Install new or update existing Microsoft Store apps used in the curriculum.<br/><br/>
Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.<br/><br/>
You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. For more information, see:
<ul>
<li><a href="#deploy-and-manage-apps-by-using-intune" data-raw-source="[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)">Deploy and manage apps by using Intune</a></li>
<li><a href="#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager" data-raw-source="[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)">Deploy and manage apps by using Microsoft Endpoint Configuration Manager</a></li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).<br/><br/>
For more information about how to:
<ul>
<li>Remove unnecessary user accounts, see <a href="/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center" data-raw-source="[Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center)">Active Directory Administrative Center</a>.</li>
<li>Remove licenses, see <a href="https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US" data-raw-source="[Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US)">Assign or remove licenses for Office 365 for business</a>.</li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).<br/><br/>
For more information about how to:
<ul>
<li>Add user accounts, see <a href="#bulk-import-user-and-group-accounts-into-ad-ds" data-raw-source="[Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)">Bulk-import user and group accounts into AD DS</a>.</li>
<li>Assign licenses, see <a href="https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US" data-raw-source="[Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US)">Assign or remove licenses for Office 365 for business</a>.</li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).<br/><br/>
For more information about how to:
<ul>
<li>Remove unnecessary user accounts, see <a href="https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e" data-raw-source="[Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e)">Delete or restore users</a>.</li>
<li>Remove licenses, see <a href="https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US" data-raw-source="[Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US)">Assign or remove licenses for Office 365 for business</a>.</li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Add new accounts (and corresponding licenses) to Office 365 (if you dont have an on-premises AD DS infrastructure).<br/><br/>
For more information about how to:
<ul>
<li>Add user accounts, see <a href="https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc" data-raw-source="[Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc)">Add users to Office 365 for business</a> and <a href="https://www.youtube.com/watch?v=zDs3VltTJps" data-raw-source="[Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps)">Add users individually or in bulk to Office 365</a>.</li>
<li>Assign licenses, see <a href="https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US" data-raw-source="[Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&amp;rs=en-US&amp;ad=US)">Assign or remove licenses for Office 365 for business</a>.</li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Create or modify security groups, and manage group membership in Office 365.<br/><br/>
For more information about how to:
<ul>
<li>Create or modify security groups, see <a href="https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&amp;rs=en-001&amp;ad=US" data-raw-source="[Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&amp;rs=en-001&amp;ad=US)">Create an Office 365 Group in the admin center</a>.</li>
<li>Manage group membership, see <a href="https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a" data-raw-source="[Manage Group membership in the admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a)">Manage Group membership in the admin center</a>.</li>
</ul>
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.<br/><br/>
For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see <a href="/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups" data-raw-source="[Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups)">Create and manage distribution groups</a> and <a href="https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB" data-raw-source="[Create, edit, or delete a security group](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB)">Create, edit, or delete a security group</a>.
</td>
<td></td>
<td>x</td>
<td>x</td>
</tr>
<tr>
<td>Install new student devices.<br/><br/>
Follow the same steps you followed in the <a href="#deploy-windows-10-to-devices" data-raw-source="[Deploy Windows 10 to devices](#deploy-windows-10-to-devices)">Deploy Windows 10 to devices</a> section.
</td>
<td></td>
<td></td>
<td>x</td>
</tr>
</tbody>
</table>
<br/>
|Task and resources|Monthly|New semester or academic year|As required|
|--- |--- |--- |--- |
|Verify that Windows Update is active and current with operating system and software updates.<br>For more information about completing this task when you have:<li>Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)<li>Group Policy, see [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).<li>WSUS, see [Windows Server Update Services](/windows/deployment/deploy-whats-new).<br>Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.|✔️|✔️|✔️|
|Verify that Windows Defender is active and current with malware Security intelligence.<br>For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02)and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03).|✔️|✔️|✔️|
|Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.<br>For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses).|✔️|✔️|✔️|
|Download and approve updates for Windows 10, apps, device driver, and other software.<br>For more information, see:<li>[Manage updates by using Intune](#manage-updates-by-using-intune)<li>[Manage updates by using Microsoft Endpoint Configuration Manager](#manage-updates-by-using-microsoft-endpoint-configuration-manager)|✔️|✔️|✔️|
|Verify that youre using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).<br>For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](/windows/deployment/update/).||✔️|✔️|
|Refresh the operating system and apps on devices.<br>For more information about completing this task, see the following resources:<li>[Prepare for deployment](#prepare-for-deployment)<li>[Capture the reference image](#capture-the-reference-image)<li>[Deploy Windows 10 to devices](#deploy-windows-10-to-devices)||✔️|✔️|
|Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.<br>For more information, see:<li>[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)<li>[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
|Install new or update existing Microsoft Store apps used in the curriculum.<br>Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.<br>You can also deploy Microsoft Store apps directly to devices by using Intune, Microsoft Endpoint Configuration Manager, or both in a hybrid configuration. <br>For more information, see:<li>[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)<li>[Deploy and manage apps by using Microsoft Endpoint Configuration Manager](#deploy-and-manage-apps-by-using-microsoft-endpoint-configuration-manager)||✔️|✔️|
|Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).<br>For more information about how to:<li>Remove unnecessary user accounts, see [Active Directory Administrative Center](/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center) <li>Remove licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
|Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).<br>For more information about how to:<li>Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds)<li>Assign licenses, see [Add users and assign licenses](/microsoft-365/admin/add-users/add-users)||✔️|✔️|
|Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).<br>For more information about how to:<li>Remove unnecessary user accounts, see [Delete or restore users](/microsoft-365/admin/add-users/delete-a-user)<li> Remove licenses, [Assign or remove licenses for Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
|Add new accounts (and corresponding licenses) to Office 365 (if you dont have an on-premises AD DS infrastructure).<br>For more information about how to:<li>Add user accounts, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).<li>Assign licenses, see [Add users to Microsoft 365](/microsoft-365/admin/add-users/add-users).||✔️|✔️|
|Create or modify security groups, and manage group membership in Office 365.<br>For more information about how to:<li>Create or modify security groups, see [Create a Microsoft 365 group](/microsoft-365/admin/create-groups/create-groups)<li>Manage group membership, see [Manage Group membership](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups).||✔️|✔️|
|Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.<br>For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](/exchange/recipients-in-exchange-online/manage-distribution-groups/manage-distribution-groups) and [Create, edit, or delete a security group](/microsoft-365/admin/email/create-edit-or-delete-a-security-group).||✔️|✔️|
|Install new student devices.<br> Follow the same steps you followed in the[Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section.|||✔️|
*Table 19. School and individual classroom maintenance tasks, with resources and the schedule for performing them*
@ -1936,4 +1285,4 @@ You have now identified the tasks you need to perform monthly, at the end of an
* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md)
* [Reprovision devices at the end of the school year (video)](./index.md)
* [Use MDT to deploy Windows 10 in a school (video)](./index.md)
* [Use Microsoft Store for Business in a school environment (video)](./index.md)
* [Use Microsoft Store for Business in a school environment (video)](./index.md)

6
education/windows/deploy-windows-10-in-a-school.md
View File

@ -441,7 +441,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T
|---|---|
| **Ldifde.exe** | This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you arent comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/116.active-directory-step-by-step-guide-bulk-import-and-export.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)). |
| **VBScript** | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if youre comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/116.active-directory-step-by-step-guide-bulk-import-and-export.aspx). |
| **Windows PowerShell** | This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if youre comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
| **Windows PowerShell** | This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if youre comfortable with Windows PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
---
@ -670,13 +670,13 @@ The first step in preparation for Windows 10 deployment is to configure—that i
| **1. Import operating systems** | Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportanOperatingSystemintotheDeploymentWorkbench). |
| **2. Import device drives** | Device drivers allow Windows 10 to know a devices hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.<br/><br/> Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench). |
| **3. Create MDT applications for Microsoft Store apps** | Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using <em>sideloading</em>, which allows you to use the <strong>Add-AppxPackage</strong> Windows PowerShell cmdlet to deploy the .appx files associated with the app (called <em>provisioned apps</em>). Use this method to deploy up to 24 apps to Windows 10.<br/><br/>Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.<br/><br/>If you have Intune, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.<br/><br/>In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:<br/><br/>- Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10).<br/>- Create an MDT application, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). |
| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.<br/><br/>To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).<br/><br/>If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.<br/><br/> You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.<br/><br/>For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). |
| **4. Create MDT applications for Windows desktop apps** | You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.<br/><br/>To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).<br/><br/>If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.<br/><br/> You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.<br/><br/>For more information about how to create an MDT application for Windows desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench). |
| **5. Create task sequences.** | You must create a separate task sequence for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64-bit versions of Windows 10. To do so, you must create task sequences that will:<br/><br/>- Deploy Windows 10 Education 64-bit to devices.<br/>- Deploy Windows 10 Education 32-bit to devices.<br/>- Upgrade existing devices to Windows 10 Education 64-bit.<br/>- Upgrade existing devices to Windows 10 Education 32-bit.<br/><br/>Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench). |
| **6. Update the deployment share.** | Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.<br/><br/> For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).|
---
### Configure Window Deployment Services for MDT
### Configure Windows Deployment Services for MDT
You can use Windows Deployment Services with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers.

2
education/windows/school-get-minecraft.md
View File

@ -250,7 +250,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
<!--- ## Manage Minecraft: Education Edition -->
<!--- ### Access to Microsoft Store for Business
By default, when a teacher with a work or school account acquires Minecraft: Education Edition, they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
By default, when a teacher with a work or school account acquires Minecraft: Education Edition, they are automatically signed up for Windows Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
However, tenant admins can control whether or not teachers automatically sign up for Microsoft Store for Business, and get the **Basic Purchaser** role. You can configure this with the **Allow educators in my organization to sign up for the Microsoft Store for Business.** You'll find this on the **Permissions** page.

4
store-for-business/includes/store-for-business-content-updates.md
View File

@ -2,8 +2,10 @@
## Week of April 26, 2021
## Week of November 15, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 11/16/2021 | [Microsoft Store for Business and Microsoft Store for Education overview (Windows 10)](/microsoft-store/microsoft-store-for-business-overview) | modified |
| 11/19/2021 | [Microsoft Store for Business and Microsoft Store for Education overview (Windows 10)](/microsoft-store/microsoft-store-for-business-overview) | modified |

338
store-for-business/microsoft-store-for-business-overview.md
View File

@ -27,7 +27,7 @@ ms.date: 07/21/2021
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options.
Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options. There will be no support for Microsoft Store for Business and Education on Windows 11.
> [!IMPORTANT]
> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business.
@ -164,184 +164,164 @@ For more information, see [Manage settings in the Store for Business](manage-set
Store for Business and Education is currently available in these markets.
### Support for free and paid products
<table>
<tr>
<th align="center" colspan="4">Supports all free and paid products</th>
</tr>
<tr align="left">
<td>
<ul>
<li>Afghanistan</li>
<li>Algeria</li>
<li>Andorra</li>
<li>Angola</li>
<li>Anguilla</li>
<li>Antigua and Barbuda</li>
<li>Argentina</li>
<li>Australia</li>
<li>Austria</li>
<li>Bahamas</li>
<li>Bahrain</li>
<li>Bangladesh</li>
<li>Barbados</li>
<li>Belgium</li>
<li>Belize</li>
<li>Bermuda</li>
<li>Benin</li>
<li>Bhutan</li>
<li>Bolivia</li>
<li>Bonaire</li>
<li>Botswana</li>
<li>Brunei Darussalam</li>
<li>Bulgaria</li>
<li>Burundi</li>
<li>Cambodia</li>
<li>Cameroon</li>
<li>Canada</li>
<li>Cayman Islands</li>
<li>Chile</li>
<li>Colombia</li>
<li>Comoros</li>
<li>Costa Rica</li>
<li>C&ocirc;te D&#39;ivoire</li>
<li>Croatia</li>
<li>Cur&ccedil;ao</li>
<li>Cyprus</li>
<li>Czech Republic</li>
<li>Denmark</li>
<li>Dominican Republic</li>
<li>Ecuador</li>
</ul>
</td>
<td>
<ul>
<li>Egypt</li>
<li>El Salvador</li>
<li>Estonia</li>
<li>Ethiopia</li>
<li>Faroe Islands</li>
<li>Fiji</li>
<li>Finland</li>
<li>France</li>
<li>French Guiana</li>
<li>French Polynesia</li>
<li>Germany</li>
<li>Ghana</li>
<li>Greece</li>
<li>Greenland</li>
<li>Guadeloupe</li>
<li>Guatemala</li>
<li>Honduras</li>
<li>Hong Kong SAR</li>
<li>Hungary</li>
<li>Iceland</li>
<li>Indonesia</li>
<li>Iraq</li>
<li>Ireland</li>
<li>Israel</li>
<li>Italy</li>
<li>Jamaica</li>
<li>Japan</li>
<li>Jersey</li>
<li>Jordan</li>
<li>Kenya</li>
<li>Kuwait</li>
<li>Laos</li>
<li>Latvia</li>
<li>Lebanon</li>
<li>Libya</li>
<li>Liechtenstein</li>
<li>Lithuania</li>
<li>Luxembourg</li>
<li>Macedonia</li>
<li>Madagascar</li>
</ul>
</td>
<td>
<ul>
<li>Malawi</li>
<li>Malaysia</li>
<li>Maldives</li>
<li>Mali</li>
<li>Malta</li>
<li>Marshall Islands</li>
<li>Martinique</li>
<li>Mauritius</li>
<li>Mayotte</li>
<li>Mexico</li>
<li>Mongolia</li>
<li>Montenegro</li>
<li>Morocco</li>
<li>Mozambique</li>
<li>Myanamar</li>
<li>Namibia</li>
<li>Nepal</li>
<li>Netherlands</li>
<li>New Caledonia</li>
<li>New Zealand</li>
<li>Nicaragua</li>
<li>Nigeria</li>
<li>Norway</li>
<li>Oman</li>
<li>Pakistan</li>
<li>Palestinian Authority</li>
<li>Panama</li>
<li>Papua New Guinea</li>
<li>Paraguay</li>
<li>Peru</li>
<li>Philippines</li>
<li>Poland</li>
<li>Portugal</li>
<li>Qatar</li>
<li>Republic of Cabo Verde</li>
<li>Reunion</li>
<li>Romania</li>
<li>Rwanda</li>
<li>Saint Kitts and Nevis</li>
</ul>
</td>
<td>
<ul>
<li>Saint Lucia</li>
<li>Saint Martin</li>
<li>Saint Vincent and the Grenadines</li>
<li>San marino</li>
<li>Saudi Arabia</li>
<li>Senegal</li>
<li>Serbia</li>
<li>Seychelles</li>
<li>Singapore</li>
<li>Sint Maarten</li>
<li>Slovakia</li>
<li>Slovenia</li>
<li>South Africa</li>
<li>Spain</li>
<li>Sri Lanka</li>
<li>Suriname</li>
<li>Sweden</li>
<li>Switzerland</li>
<li>Tanzania</li>
<li>Thailand</li>
<li>Timor-Leste</li>
<li>Togo</li>
<li>Tonga</li>
<li>Trinidad and Tobago</li>
<li>Tunisia</li>
<li>Turkey</li>
<li>Turks and Caicos Islands</li>
<li>Uganda</li>
<li>United Arab Emirates</li>
<li>United Kingdom</li>
<li>United States</li>
<li>Uruguay</li>
<li>Vatican City</li>
<li>Viet Nam</li>
<li>Virgin Islands, U.S.</li>
<li>Zambia</li>
<li>Zimbabwe<br>&nbsp;&nbsp;&nbsp;</li><br/> </ul>
</td>
</tr>
</table>
- Afghanistan
- Algeria
- Andorra
- Angola
- Anguilla
- Antigua and Barbuda
- Argentina
- Australia
- Austria
- Bahamas
- Bahrain
- Bangladesh
- Barbados
- Belgium
- Belize
- Bermuda
- Benin
- Bhutan
- Bolivia
- Bonaire
- Botswana
- Brunei Darussalam
- Bulgaria
- Burundi
- Cambodia
- Cameroon
- Canada
- Cayman Islands
- Chile
- Colombia
- Comoros
- Costa Rica
- Côte D'ivoire
- Croatia
- Curçao
- Cyprus
- Czech Republic
- Denmark
- Dominican Republic
- Ecuador
- Egypt
- El Salvador
- Estonia
- Ethiopia
- Faroe Islands
- Fiji
- Finland
- France
- French Guiana
- French Polynesia
- Germany
- Ghana
- Greece
- Greenland
- Guadeloupe
- Guatemala
- Honduras
- Hong Kong SAR
- Hungary
- Iceland
- Indonesia
- Iraq
- Ireland
- Israel
- Italy
- Jamaica
- Japan
- Jersey
- Jordan
- Kenya
- Kuwait
- Laos
- Latvia
- Lebanon
- Libya
- Liechtenstein
- Lithuania
- Luxembourg
- Macedonia
- Madagascar
- Malawi
- Malaysia
- Maldives
- Mali
- Malta
- Marshall Islands
- Martinique
- Mauritius
- Mayotte
- Mexico
- Mongolia
- Montenegro
- Morocco
- Mozambique
- Myanamar
- Namibia
- Nepal
- Netherlands
- New Caledonia
- New Zealand
- Nicaragua
- Nigeria
- Norway
- Oman
- Pakistan
- Palestinian Authority
- Panama
- Papua New Guinea
- Paraguay
- Peru
- Philippines
- Poland
- Portugal
- Qatar
- Republic of Cabo Verde
- Reunion
- Romania
- Rwanda
- Saint Kitts and Nevis
- Saint Lucia
- Saint Martin
- Saint Vincent and the Grenadines
- San marino
- Saudi Arabia
- Senegal
- Serbia
- Seychelles
- Singapore
- Sint Maarten
- Slovakia
- Slovenia
- South Africa
- Spain
- Sri Lanka
- Suriname
- Sweden
- Switzerland
- Tanzania
- Thailand
- Timor-Leste
- Togo
- Tonga
- Trinidad and Tobago
- Tunisia
- Turkey
- Turks and Caicos Islands
- Uganda
- United Arab Emirates
- United Kingdom
- United States
- Uruguay
- Vatican City
- Viet Nam
- Virgin Islands, U.S.
- Zambia
- Zimbabwe
### Support for free apps
Customers in these markets can use Microsoft Store for Business and Education to acquire free apps:

59
windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
View File

@ -24,56 +24,15 @@ Use the following procedure to configure the App-V for reporting.
2. After you have enabled the App-V client, use the **Set-AppvClientConfiguration** cmdlet to configure appropriate Reporting Configuration settings:
<table>
<colgroup>
<col width="30%" />
<col width="70%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Setting</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>ReportingEnabled</p></td>
<td align="left"><p>Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.</p></td>
</tr>
<tr class="even">
<td align="left"><p>ReportingServerURL</p></td>
<td align="left"><p>Specifies the location on the reporting server where client information is saved. For example, https://&lt;reportingservername&gt;:&lt;reportingportnumber&gt;.</p>
<div class="alert">
<strong>Note</strong><br/><p>This is the port number that was assigned during the Reporting Server setup</p>
</div>
<div>
</div></td>
</tr>
<tr class="odd">
<td align="left"><p>Reporting Start Time</p></td>
<td align="left"><p>This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.</p></td>
</tr>
<tr class="even">
<td align="left"><p>ReportingRandomDelay</p></td>
<td align="left"><p>Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>ReportingInterval</p></td>
<td align="left"><p>Specifies the retry interval that the client will use to resend data to the reporting server.</p></td>
</tr>
<tr class="even">
<td align="left"><p>ReportingDataCacheLimit</p></td>
<td align="left"><p>Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>ReportingDataBlockSize</p></td>
<td align="left"><p>Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.</p></td>
</tr>
</tbody>
</table>
|Setting|Description|
|--- |--- |
|ReportingEnabled|Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.|
|ReportingServerURL|Specifies the location on the reporting server where client information is saved. For example, https://&lt;reportingservername&gt;:&lt;reportingportnumber&gt;.<br> **Note:** <br>This is the port number that was assigned during the Reporting Server setup|
|Reporting Start Time|This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.|
|ReportingRandomDelay|Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.|
|ReportingInterval|Specifies the retry interval that the client will use to resend data to the reporting server.|
|ReportingDataCacheLimit|Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.|
|ReportingDataBlockSize|Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.|
3. After the appropriate settings have been configured, the computer running the App-V client will automatically collect data and will send the data back to the reporting server.

56
windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
View File

@ -69,28 +69,10 @@ This topic explains the following procedures:
2. Use the following cmdlets, and add the optional **UserSID** parameter, where **-UserSID** represents the end users security identifier (SID):
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Cmdlet</th>
<th align="left">Examples</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Enable-AppVClientConnectionGroup</p></td>
<td align="left"><p>Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345</p></td>
</tr>
<tr class="even">
<td align="left"><p>Disable-AppVClientConnectionGroup</p></td>
<td align="left"><p>Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345</p></td>
</tr>
</tbody>
</table>
|Cmdlet|Examples|
|--- |--- |
|Enable-AppVClientConnectionGroup|Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345|
|Disable-AppVClientConnectionGroup|Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345|
## To allow only administrators to enable connection groups
@ -102,33 +84,9 @@ This topic explains the following procedures:
2. Run the following cmdlet and parameter:
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Cmdlet</th>
<th align="left">Parameter and values</th>
<th align="left">Example</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Set-AppvClientConfiguration</p></td>
<td align="left"><p>-RequirePublishAsAdmin</p>
<ul>
<li><p>0 - False</p></li>
<li><p>1 - True</p></li>
</ul></td>
<td align="left"><p>Set-AppvClientConfiguration -RequirePublishAsAdmin 1</p></td>
</tr>
</tbody>
</table>
|Cmdlet|Parameter and values|Example|
|--- |--- |--- |
|Set-AppvClientConfiguration|-RequirePublishAsAdmin<li>0 - False<li>1 - True|Set-AppvClientConfiguration -RequirePublishAsAdmin<br>1|
<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).

54
windows/application-management/app-v/appv-managing-connection-groups.md
View File

@ -24,50 +24,16 @@ In some previous versions of App-V, connection groups were referred to as Dynami
**In this section:**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><a href="appv-connection-group-virtual-environment.md" data-raw-source="[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)">About the Connection Group Virtual Environment</a></p></td>
<td align="left"><p>Describes the connection group virtual environment.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="appv-connection-group-file.md" data-raw-source="[About the Connection Group File](appv-connection-group-file.md)">About the Connection Group File</a></p></td>
<td align="left"><p>Describes the connection group file.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="appv-create-a-connection-group.md" data-raw-source="[How to Create a Connection Group](appv-create-a-connection-group.md)">How to Create a Connection Group</a></p></td>
<td align="left"><p>Explains how to create a new connection group.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="appv-create-a-connection-group-with-user-published-and-globally-published-packages.md" data-raw-source="[How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)">How to Create a Connection Group with User-Published and Globally Published Packages</a></p></td>
<td align="left"><p>Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="appv-delete-a-connection-group.md" data-raw-source="[How to Delete a Connection Group](appv-delete-a-connection-group.md)">How to Delete a Connection Group</a></p></td>
<td align="left"><p>Explains how to delete a connection group.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="appv-publish-a-connection-group.md" data-raw-source="[How to Publish a Connection Group](appv-publish-a-connection-group.md)">How to Publish a Connection Group</a></p></td>
<td align="left"><p>Explains how to publish a connection group.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><a href="appv-configure-connection-groups-to-ignore-the-package-version.md" data-raw-source="[How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)">How to Make a Connection Group Ignore the Package Version</a></p></td>
<td align="left"><p>Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.</p></td>
</tr>
<tr class="even">
<td align="left"><p><a href="appv-allow-administrators-to-enable-connection-groups.md" data-raw-source="[How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)">How to Allow Only Administrators to Enable Connection Groups</a></p></td>
<td align="left"><p>Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.</p></td>
</tr></tbody>
</table>
|Links|Description|
|--- |--- |
|[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)|Describes the connection group virtual environment.|
|[About the Connection Group File](appv-connection-group-file.md)|Describes the connection group file.|
|[How to Create a Connection Group](appv-create-a-connection-group.md)|Explains how to create a new connection group.|
|[How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)|Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.|
|[How to Delete a Connection Group](appv-delete-a-connection-group.md)|Explains how to delete a connection group.|
|[How to Publish a Connection Group](appv-publish-a-connection-group.md)|Explains how to publish a connection group.|
|[How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)|Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.|
[How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)|Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.|
<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).

167
windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
View File

@ -26,35 +26,9 @@ You can now use the package converter to convert App-V 4.6 packages that contain
You can also use the `OSDsToIncludeInPackage` parameter with the `ConvertFrom-AppvLegacyPackage` cmdlet to specify which .osd files information is converted and placed within the new package.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">New in App-V for Windows client</th>
<th align="left">Prior to App-V for Windows 10</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:</p>
<ul>
<li><p>environment variables</p></li>
<li><p>shortcuts</p></li>
<li><p>file type associations</p></li>
<li><p>registry information</p></li>
<li><p>scripts</p></li>
</ul>
<p>You can now choose to add information from a subset of the .osd files in the source directory to the package using the <code>-OSDsToIncludeInPackage</code> parameter.</p></td>
<td align="left"><p>Registry information and scripts included in .osd files associated with a package were not included in package converter output.</p>
<p>The package converter would populate the new package with information from all of the .osd files in the source directory.</p></td>
</tr>
</tbody>
</table>
|New in App-V for Windows client|Prior to App-V for Windows 10|
|--- |--- |
|New .xml files are created corresponding to the .osd files associated with a package; these files include the following information:<li>environment variables<li>shortcuts<li>file type associations<li>registry information<li>scripts<br> <br>You can now choose to add information from a subset of the .osd files in the source directory to the package using the -OSDsToIncludeInPackage parameter.|Registry information and scripts included in .osd files associated with a package were not included in package converter output.<br> <br>The package converter would populate the new package with information from all of the .osd files in the source directory.|
### Example conversion statement
@ -102,65 +76,10 @@ ConvertFrom-AppvLegacyPackage SourcePath \\OldPkgStore\ContosoApp\
**In the above example:**
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">These Source directory files…</th>
<th align="left">…are converted to these Destination directory files…</th>
<th align="left">…and will contain these items</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><ul>
<li><p>X.osd</p></li>
<li><p>Y.osd</p></li>
<li><p>Z.osd</p></li>
</ul></td>
<td align="left"><ul>
<li><p>X_Config.xml</p></li>
<li><p>Y_Config.xml</p></li>
<li><p>Z_Config.xml</p></li>
</ul></td>
<td align="left"><ul>
<li><p>Environment variables</p></li>
<li><p>Shortcuts</p></li>
<li><p>File type associations</p></li>
<li><p>Registry information</p></li>
<li><p>Scripts</p></li>
</ul></td>
<td align="left"><p>Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.</p>
<p>In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.</p></td>
</tr>
<tr class="even">
<td align="left"><ul>
<li><p>X.osd</p></li>
<li><p>Y.osd</p></li>
</ul></td>
<td align="left"><ul>
<li><p>ContosoApp.appv</p></li>
<li><p>ContosoApp_DeploymentConfig.xml</p></li>
<li><p>ContosoApp_UserConfig.xml</p></li>
</ul></td>
<td align="left"><ul>
<li><p>Environment variables</p></li>
<li><p>Shortcuts</p></li>
<li><p>File type associations</p></li>
</ul></td>
<td align="left"><p>The information from the .osd files specified in the <code>-OSDsToIncludeInPackage</code> parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.</p>
<p>In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the <code>-OSDsToIncludeInPackage</code> parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.</p></td>
</tr>
</tbody>
</table>
|These Source directory files…|…are converted to these Destination directory files…|…and will contain these items|Description|
|--- |--- |--- |--- |
|<li>X.osd<li>Y.osd<li>Z.osd|<li>X_Config.xml<li>Y_Config.xml<li>Z_Config.xml|<li>Environment variables:<li>Shortcuts<li>File type associations<li>Registry information<li>Scripts|Each .osd file is converted to a separate, corresponding .xml file that contains the items listed here in App-V deployment configuration format. These items can then be copied from these .xml files and placed in the deployment configuration or user configuration files as desired.<br>In this example, there are three .xml files, corresponding with the three .osd files in the source directory. Each .xml file contains the environment variables, shortcuts, file type associations, registry information, and scripts in its corresponding .osd file.|
|<li>X.osd<li>Y.osd|<li>ContosoApp.appv <li>ContosoApp_DeploymentConfig.xml <li>ContosoApp_UserConfig.xml|<li>Environment variables<li>Shortcuts<li>File type associations|The information from the .osd files specified in the -OSDsToIncludeInPackage parameter are converted and placed inside the package. The converter then populates the deployment configuration file and the user configuration file with the contents of the package, just as App-V Sequencer does when sequencing a new package.<br>In this example, environment variables, shortcuts, and file type associations included in X.osd and Y.osd were converted and placed in the App-V package, and some of this information was also included in the deployment configuration and user configuration files. X.osd and Y.osd were used because they were included as arguments to the -OSDsToIncludeInPackage parameter. No information from Z.osd was included in the package, because it was not included as one of these arguments.|
## Converting packages created using a prior version of App-V
@ -175,34 +94,11 @@ After you convert an existing package you should test the package prior to deplo
**What to know before you convert existing packages**
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Issue</th>
<th align="left">Workaround</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Virtual packages using DSC are not linked after conversion.</p></td>
<td align="left"><p>Link the packages using connection groups. See <a href="appv-managing-connection-groups.md" data-raw-source="[Managing Connection Groups](appv-managing-connection-groups.md)">Managing Connection Groups</a>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Environment variable conflicts are detected during conversion.</p></td>
<td align="left"><p>Resolve any conflicts in the associated <strong>.osd</strong> file.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Hard-coded paths are detected during conversion.</p></td>
<td align="left"><p>Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.</p></td>
</tr>
</tbody>
</table>
|Issue|Workaround|
|--- |--- |
|Virtual packages using DSC are not linked after conversion.|Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).|
|Environment variable conflicts are detected during conversion.|Resolve any conflicts in the associated **.osd** file.|
|Hard-coded paths are detected during conversion.|Hard-coded paths are difficult to convert correctly. The package converter will detect and return packages with files that contain hard-coded paths. View the file with the hard-coded path, and determine whether the package requires the file. If so, it is recommended to re-sequence the package.|
When converting a package check for failing files or shortcuts, locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path.
@ -218,39 +114,12 @@ If a converted package does not open after you convert it, it is also recommende
There is no direct method to upgrade to a full App-V infrastructure. Use the information in the following section for information about upgrading the App-V server.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Task</th>
<th align="left">More Information</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Review prerequisites.</p></td>
<td align="left"><p><a href="appv-prerequisites.md#app-v-server-prerequisite-software" data-raw-source="[App-V Server prerequisite software](appv-prerequisites.md#app-v-server-prerequisite-software)">App-V Server prerequisite software</a>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Enable the App-V client.</p></td>
<td align="left"><p><a href="appv-enable-the-app-v-desktop-client.md" data-raw-source="[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)">Enable the App-V desktop client</a>.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Install App-V Server.</p></td>
<td align="left"><p><a href="appv-deploy-the-appv-server.md" data-raw-source="[How to Deploy the App-V Server](appv-deploy-the-appv-server.md)">How to Deploy the App-V Server</a>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Migrate existing packages.</p></td>
<td align="left"><p>See <a href="#converting-packages-created-using-a-prior-version-of-app-v" data-raw-source="[Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v)">Converting packages created using a prior version of App-V</a> earlier in this topic.</p></td>
</tr>
</tbody>
</table>
|Task|More Information|
|--- |--- |
|Review prerequisites.|[App-V Server prerequisite software](appv-prerequisites.md#app-v-server-prerequisite-software)|
|Enable the App-V client.|[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)|
|Install App-V Server.|[How to Deploy the App-V Server](appv-deploy-the-appv-server.md)|
|Migrate existing packages.|See [Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v) earlier in this topic.|
<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).

2
windows/application-management/app-v/appv-supported-configurations.md
View File

@ -18,7 +18,7 @@ ms.topic: article
- Windows 10
- Windows 11
- Window Server 2019
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012

2
windows/client-management/advanced-troubleshooting-802-authentication.md
View File

@ -37,7 +37,7 @@ Viewing [NPS authentication status events](/previous-versions/windows/it-pro/win
NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article.
Check Windows Security Event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
Check the Windows Security event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.

2
windows/client-management/advanced-troubleshooting-boot-problems.md
View File

@ -302,7 +302,7 @@ problems can be solved. Modify the registry at your own risk.
To troubleshoot this Stop error, follow these steps to filter the drivers:
1. Go to Window Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version.
1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version.
2. Open the registry.

2
windows/client-management/manage-device-installation-with-group-policy.md
View File

@ -69,7 +69,7 @@ The scenarios presented in this guide illustrate how you can control device inst
Group Policy guides:
- [Create a Group Policy Object (Windows 10) - Windows security](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object)
- [Create a Group Policy Object (Windows 10) - Windows Security](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object)
- [Advanced Group Policy Management - Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/agpm)
### Scenario #1: Prevent installation of all printers

2
windows/client-management/mdm/change-history-for-mdm-documentation.md
View File

@ -1075,7 +1075,7 @@ This article lists new and updated articles for the Mobile Device Management (MD
<li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess</li>
</ul>
<p>Added links to the additional <a href="policy-csp-bitlocker.md" data-raw-source="[ADMX-backed BitLocker policies](policy-csp-bitlocker.md)">ADMX-backed BitLocker policies</a>.</p>
<p>There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:</p>
<p>There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:</p>
<ul>
<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts</li>
<li>Start/HideAppList</li>

2
windows/client-management/mdm/defender-csp.md
View File

@ -625,7 +625,7 @@ This policy setting controls whether or not exclusions are visible to Local Admi
If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App and via PowerShell.
If you enable this setting, Local Admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app or via PowerShell.
> [!NOTE]
> Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.

5
windows/client-management/mdm/defender-ddf.md
View File

@ -15,7 +15,7 @@ ms.date: 07/23/2021
# Defender DDF file
This article shows the OMA DM device description framework (DDF) for the **Defender** configuration service provider. DDF files are used only with OMA DM provisioning XML.
This article shows the OMA DM device description framework (DDF) for the Defender configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
@ -1007,5 +1007,4 @@ The XML below is the current version for this CSP.
## See also
[Defender configuration service provider](defender-csp.md)
[Defender configuration service provider](defender-csp.md)

8
windows/client-management/mdm/devicestatus-csp.md
View File

@ -246,10 +246,10 @@ Added in Windows, version 1607. Integer that specifies the status of the antisp
Valid values:
- 0 - The status of the security provider category is good and does not need user attention.
- 1 - The status of the security provider category is not monitored by Windows Security Center (WSC).
- 2 - The status of the security provider category is poor and the computer may be at risk.
- 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer.
- 0 - The status of the security provider category is good and does not need user attention.
- 1 - The status of the security provider category is not monitored by Windows Security.
- 2 - The status of the security provider category is poor and the computer may be at risk.
- 3 - The security provider category is in snooze state. Snooze indicates that the Windows Security Service is not actively protecting the computer.
Supported operation is Get.

6
windows/client-management/mdm/enterprisemodernappmanagement-csp.md
View File

@ -8,8 +8,8 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 09/27/2019
author: dansimp
ms.date: 11/19/2021
---
# EnterpriseModernAppManagement CSP
@ -181,7 +181,7 @@ The following example removes a package for all users:
</Target>
<Meta><Format xmlns="syncml:metinf">xml</Format></Meta>
<Data>
<Package Name="{PackageFullName}" RemoveForAllUsers=1 />
<Package Name="{PackageFullName}" RemoveForAllUsers="1" />
</Data>
</Item>
</Exec>

2
windows/client-management/mdm/esim-enterprise-management.md
View File

@ -15,7 +15,7 @@ ms.topic: conceptual
The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management.
If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
- Onboard to Azure Active Directory
- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include:
- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include:
- [HPEs Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html)
- [IDEMIAs The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub)
- Assess solution type that you would like to provide your customers

2
windows/client-management/mdm/federated-authentication-device-enrollment.md
View File

@ -148,7 +148,7 @@ The following are the explicit requirements for the server.
- The &lt;DiscoveryResponse&gt;&lt;AuthenticationServiceUrl&gt; element must support HTTPS.
- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
- WP doesnt support Window Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
- WP doesnt support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
The enrollment client issues an HTTPS request as follows:

118
windows/client-management/mdm/get-seats.md
View File

@ -1,6 +1,6 @@
---
title: Get seats
description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business.
description: The Get seats operation retrieves the information about active seats in the Microsoft Store for Business.
ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F
ms.reviewer:
manager: dansimp
@ -18,118 +18,34 @@ The **Get seats** operation retrieves the information about active seats in the
## Request
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Method</th>
<th>Request URI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GET</p></td>
<td><p>https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&amp;maxResults={MaxResults}</p></td>
</tr>
</tbody>
</table>
**GET:**
```http
https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&amp;maxResults={MaxResults}
```
 
### URI parameters
The following parameters may be specified in the request URI.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>productId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier for an application that is used by the Store for Business.</p></td>
</tr>
<tr class="even">
<td><p>skuId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier that specifies a specific SKU of an application.</p></td>
</tr>
<tr class="odd">
<td><p>continuationToken</p></td>
<td><p>string</p></td>
<td><p>Optional.</p></td>
</tr>
<tr class="even">
<td><p>maxResults</p></td>
<td><p>int32</p></td>
<td><p>Optional. Default = 25, Maximum = 100</p></td>
</tr>
</tbody>
</table>
|Parameter|Type|Description|
|--- |--- |--- |
|productId|string|Required. Product identifier for an application that is used by the Store for Business.|
|skuId|string|Required. Product identifier that specifies a specific SKU of an application.|
|continuationToken|string|Optional.|
|maxResults|int32|Optional. Default = 25, Maximum = 100|
 
## Response
### Response body
The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset).
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Error code</th>
<th>Description</th>
<th>Retry</th>
<th>Data field</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>400</p></td>
<td><p>Invalid parameters</p></td>
<td><p>No</p></td>
<td><p>Parameter name</p>
<p>Reason: Missing parameter or invalid parameter</p>
<p>Details: String</p></td>
</tr>
<tr class="even">
<td><p>404</p></td>
<td><p>Not found</p></td>
<td></td>
<td></td>
</tr>
<tr class="odd">
<td><p>409</p></td>
<td><p>Conflict</p></td>
<td></td>
<td><p>Reason: Not online</p></td>
</tr>
</tbody>
</table>
 
 
|Error code|Description|Retry|Data field|
|--- |--- |--- |--- |
|400|Invalid parameters|No|Parameter name <br> Reason: Missing parameter or invalid parameter <br> Details: String|
|404|Not found|||
|409|Conflict||Reason: Not online|

1329
windows/client-management/mdm/healthattestation-csp.md
View File

File diff suppressed because it is too large Load Diff

66
windows/client-management/mdm/hotspot-csp.md
View File

@ -17,13 +17,10 @@ ms.date: 06/26/2017
The HotSpot configuration service provider is used to configure and enable Internet sharing on the device, in which the device can be configured to share its cellular connection over Wi-Fi with up to eight client devices or computers.
> **Note**  HotSpot CSP is only supported in Windows 10 Mobile.
> [!Note]
> HotSpot CSP is only supported in Windows 10 Mobile.
>
>
>
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application.
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application.
The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
@ -62,8 +59,8 @@ By default, any available connection will be used as a public connection. Howeve
Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
> **Note**   The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well.
> [!Note]
> The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well.
If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share
@ -77,9 +74,8 @@ If a CDMA mobile operator requires using a Tethering NAI during Internet sharing
Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
> **Note**   The mapping policy will also include the connections specified in the **DedicatedConnections** as well.
> [!Note]
> The mapping policy will also include the connections specified in the **DedicatedConnections** as well.
If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share
@ -109,8 +105,8 @@ Optional. Reference to a localized string, provided by the mobile operator, that
Where `<path_to_res_dll>` is the path to the resource dll that contains the string and `<str_id>` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](/windows/win32/intl/using-registry-string-redirection) on MSDN.
> **Note**  MOAppLink is required to use the MOHelpMessage setting.
> [!Note]
> MOAppLink is required to use the MOHelpMessage setting.
<a href="" id="entitlementrequired"></a>**EntitlementRequired**
@ -137,14 +133,14 @@ Optional. The time-out value, in minutes, after which Internet sharing is automa
Changes to this node require a reboot.
<a href="" id="minwifikeylength"></a>**MinWifiKeyLength**
> **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8.
> [!Important]
> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8.
<a href="" id="minwifissidlength"></a>**MinWifiSSIDLength**
> **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1.
> [!Important]
> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1.
## Additional requirements for CDMA networks
@ -169,7 +165,8 @@ For CDMA networks that use a separate Network Access Identity (NAI) for Internet
</wap-provisioningdoc>
```
> **Note**  CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on.
> [!Note]
> CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on.
@ -186,34 +183,11 @@ The DLL must be code signed in a specific way, see [Sign binaries and packages](
During an entitlement check the Internet Sharing service loads the specified DLL and then call the `IsEntitled` function. The function must connect to the server to perform any required validation, then return one of the following **ICS\_ENTITLEMENT\_RESULT** enumeration values.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>ENTITLEMENT_SUCCESS</strong></p></td>
<td><p>The device is allowed to connect to the server.</p></td>
</tr>
<tr class="even">
<td><p><strong>ENTITLEMENT_FAILED</strong></p></td>
<td><p>The device is not allowed to connect to the server</p></td>
</tr>
<tr class="odd">
<td><p><strong>ENTITLEMENT_UNAVAILABLE</strong></p></td>
<td><p>The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.</p></td>
</tr>
</tbody>
</table>
|Value|Description|
|--- |--- |
|**ENTITLEMENT_SUCCESS**|The device is allowed to connect to the server.|
|**ENTITLEMENT_FAILED**|The device is not allowed to connect to the server|
|**ENTITLEMENT_UNAVAILABLE**|The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.|
The definition for the **ICS\_ENTITLEMENT\_RESULT** is in the header file `IcsEntitlementh`, which ships with the Windows Adaptation Kit.

50
windows/client-management/mdm/implement-server-side-mobile-application-management.md
View File

@ -18,11 +18,11 @@ The Windows version of mobile application management (MAM) is a lightweight solu
## Integration with Azure AD
MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md). 
MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md). 
MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users personal devices will be enrolled to MAM or MDM, depending on the users actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a users personal devices will be enrolled to MAM or MDM, depending on the users actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
Regular non-admin users can enroll to MAM. 
@ -44,7 +44,7 @@ To make applications WIP-aware, app developers need to include the following dat
MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration. 
![Mobile application management app.](images/implement-server-side-mobile-application-management.png)
:::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png":::
MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured. 
@ -129,40 +129,8 @@ If the MAM device is properly configured for MDM enrollment, then the Enroll onl
We have updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature.
<table>
<colgroup>
<col width="15%" />
<col width="35%" />
<col width="15%" />
<col width="35%" />
</colgroup>
<thead>
<tr class="header">
<th>Update channel</th>
<th>Primary purpose</th>
<th>LOB Tattoo availability</th>
<th>Default update channel for the products</th>
</tr>
</thead>
<tbody>
<tr>
<td><a href="/deployoffice/overview-update-channels#BKMK_CB" data-raw-source="[Current channel](/deployoffice/overview-update-channels#BKMK_CB)">Current channel</a></td>
<td>Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. </td>
<td>March 9 2017</td>
<td><p>Visio Pro for Office 365</p>
<p>Project Desktop Client</p>
<p>Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)</p></td>
</tr>
<tr>
<td><a href="/deployoffice/overview-update-channels#BKMK_CBB" data-raw-source="[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)">Deferred channel</a></td>
<td>Provide users with new features of Office only a few times a year.</td>
<td>October 10 2017</td>
<td>Microsoft 365 Apps for enterprise</td>
</tr><tr>
<td><a href="/deployoffice/overview-update-channels#BKMK_FRCBB" data-raw-source="[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)">First release for Deferred channel</a></td>
<td>Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. </td>
<td>June 13 2017</td>
<td></td>
</tr>
</tbody>
</table>
|Update channel|Primary purpose|LOB Tattoo availability|Default update channel for the products|
|--- |--- |--- |--- |
|[Current channel](/deployoffice/overview-update-channels#BKMK_CB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|March 9 2017|Visio Pro for Office 365<br>Project Desktop Client<br>Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)|
|[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)|Provide users with new features of Office only a few times a year.|October 10 2017|Microsoft 365 Apps for enterprise|
|[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|June 13 2017||

13
windows/client-management/mdm/index.md
View File

@ -14,8 +14,7 @@ author: dansimp
# Mobile device management
Windows 10 and Windows 11 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users privacy on their personal devices. A built-in management component can communicate with the management server.
Windows 10 and Windows 11 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server.
There are two parts to the Windows management component:
@ -26,19 +25,18 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bu
## MDM security baseline
With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros operational needs, addressing security concerns for modern cloud-managed devices.
With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros' operational needs, addressing security concerns for modern cloud-managed devices.
The MDM security baseline includes policies that cover the following areas:
- Microsoft inbox security technology (not deprecated) such as BitLocker, Windows Defender SmartScreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall
- Microsoft inbox security technology (not deprecated) such as BitLocker, Windows Defender SmartScreen, and Device Guard (virtual-based security), Exploit Guard, Microsoft Defender Antivirus, and Firewall
- Restricting remote access to devices
- Setting credential requirements for passwords and PINs
- Restricting use of legacy technology
- Legacy technology policies that offer alternative solutions with modern technology
- And much more
For more details about the MDM policies defined in the MDM security baseline and what Microsofts recommended baseline policy values are, see:
For more details about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see:
- [MDM Security baseline for Windows 11](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/Windows11-MDM-SecurityBaseLine-Document.zip)
- [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip)
@ -83,6 +81,3 @@ When an organization wants to move to MDM to manage devices, they should prepare
- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)

30
windows/client-management/mdm/management-tool-for-windows-store-for-business.md
View File

@ -34,26 +34,12 @@ For additional information about Store for Business, see the TechNet topics in [
The Store for Business provides services that enable a management tool to synchronize new and updated applications on behalf of an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provides several capabilities including providing application data, the ability to assign and reclaim applications, and the ability to download offline-licensed application packages.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<tbody>
<tr class="odd">
<td><p>Application data</p></td>
<td><p>The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.</p></td>
</tr>
<tr class="even">
<td><p>Licensing models</p></td>
<td><p><strong>Offline vs. Online</strong></p>
<p>Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.</p>
<p>Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.</p></td>
</tr>
</tbody>
</table>
- **Application data**: The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.
- **Licensing models**:
- **Online-licensed** applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
- **Offline-licensed** applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.
### Offline-licensed application distribution
@ -89,13 +75,11 @@ MTS requires calls to be authenticated using an Azure AD OAuth bearer token. The
Here are the details for requesting an authorization token:
- Login Authority = https:<span></span>//login.windows.net/\<TargetTenantId\>
- Resource/audience\* = https:<span></span>//onestore.microsoft.com
- Login Authority = `https://login.windows.net/<TargetTenantId>`
- Resource/audience = `https://onestore.microsoft.com`: The token audience URI is meant as an identifier of the application for which the token is being generated, and it is not a URL for a service endpoint or a web-page.
- ClientId = your AAD application client id
- ClientSecret = your AAD application client secret/key
\* The token audience URI is meant as an identifier of the application for which the token is being generated, and it is not a URL for a service endpoint or a web-page.
## Using the management tool
After registering your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns:

210
windows/client-management/mdm/mobile-device-enrollment.md
View File

@ -110,75 +110,49 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
</s:envelope>
```
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th>Namespace</th>
<th>Subcode</th>
<th>Error</th>
<th>Description</th>
<th>HRESULT</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>s:</p></td>
<td><p>MessageFormat</p></td>
<td><p>MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</p></td>
<td><p>Invalid message from the Mobile Device Management (MDM) server.</p></td>
<td><p>80180001</p></td>
</tr>
<tr class="even">
<td><p>s:</p></td>
<td><p>Authentication</p></td>
<td><p>MENROLL_E_DEVICE_AUTHENTICATION_ERROR</p></td>
<td><p>The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.</p></td>
<td><p>80180002</p></td>
</tr>
<tr class="odd">
<td><p>s:</p></td>
<td><p>Authorization</p></td>
<td><p>MENROLL_E_DEVICE_AUTHORIZATION_ERROR</p></td>
<td><p>The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.</p></td>
<td><p>80180003</p></td>
</tr>
<tr class="even">
<td><p>s:</p></td>
<td><p>CertificateRequest</p></td>
<td><p>MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR</p></td>
<td><p>The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.</p></td>
<td><p>80180004</p></td>
</tr>
<tr class="odd">
<td><p>s:</p></td>
<td><p>EnrollmentServer</p></td>
<td><p>MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</p></td>
<td>The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.</td>
<td><p>80180005</p></td>
</tr>
<tr class="even">
<td><p>a:</p></td>
<td><p>InternalServiceFault</p></td>
<td><p>MENROLL_E_DEVICE_INTERNALSERVICE_ERROR</p></td>
<td><p> There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.</p></td>
<td><p>80180006</p></td>
</tr>
<tr class="odd">
<td><p>a:</p></td>
<td><p>InvalidSecurity</p></td>
<td><p>MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</p></td>
<td><p>The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.</p></td>
<td><p>80180007</p></td>
</tr>
</tbody>
</table>
**Sample error messages**
- **Namespace**: `s:`
- **Subcode**: MessageFormat
- **Error**: MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR
- **Description**: Invalid message from the Mobile Device Management (MDM) server.
- **HRESULT**: 80180001
- **Namespace**: `s:`
- **Subcode**: Authentication
- **Error**: MENROLL_E_DEVICE_AUTHENTICATION_ERROR
- **Description**: The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.
- **HRESULT**: 80180002
- **Namespace**: `s:`
- **Subcode**: Authorization
- **Error**: MENROLL_E_DEVICE_AUTHORIZATION_ERROR
- **Description**: The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.
- **HRESULT**: 80180003
- **Namespace**: `s:`
- **Subcode**: CertificateRequest
- **Error**: MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR
- **Description**: The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.
- **HRESULT**: 80180004
- **Namespace**: `s:`
- **Subcode**: EnrollmentServer
- **Error**: MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR
- **Description**: The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.
- **HRESULT**: 80180005
- **Namespace**: `a:`
- **Subcode**: InternalServiceFault
- **Error**: MENROLL_E_DEVICE_INTERNALSERVICE_ERROR
- **Description**: There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.
- **HRESULT**: 80180006
- **Namespace**: `a:`
- **Subcode**: InvalidSecurity
- **Error**: MENROLL_E_DEVICE_INVALIDSECURITY_ERROR
- **Description**: The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.
- **HRESULT**: 80180007
In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example:
@ -212,66 +186,42 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
</s:envelope>
```
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Subcode</th>
<th>Error</th>
<th>Description</th>
<th>HRESULT</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>DeviceCapReached</p></td>
<td><p>MENROLL_E_DEVICECAPREACHED</p></td>
<td><p>The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.</p></td>
<td><p>80180013</p></td>
</tr>
<tr class="even">
<td><p>DeviceNotSupported</p></td>
<td><p>MENROLL_E_DEVICENOTSUPPORTED</p></td>
<td><p>The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.</p></td>
<td><p>80180014</p></td>
</tr>
<tr class="odd">
<td><p>NotSupported</p></td>
<td><p>MENROLL_E_NOT_SUPPORTED</p></td>
<td><p>Mobile Device Management (MDM) is generally not supported for this device.</p></td>
<td><p>80180015</p></td>
</tr>
<tr class="even">
<td><p>NotEligibleToRenew</p></td>
<td><p>MENROLL_E_NOTELIGIBLETORENEW</p></td>
<td><p>The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.</p></td>
<td><p>80180016</p></td>
</tr>
<tr class="odd">
<td><p>InMaintenance</p></td>
<td><p>MENROLL_E_INMAINTENANCE</p></td>
<td><p>The Mobile Device Management (MDM) server states your account is in maintenance, try again later.</p></td>
<td><p>80180017</p></td>
</tr>
<tr class="even">
<td><p>UserLicense</p></td>
<td><p>MENROLL_E_USER_LICENSE</p></td>
<td><p>There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.</p></td>
<td><p>80180018</p></td>
</tr>
<tr class="odd">
<td><p>InvalidEnrollmentData</p></td>
<td><p>MENROLL_E_ENROLLMENTDATAINVALID</p></td>
<td><p>The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.</p></td>
<td><p>80180019</p></td>
</tr>
</tbody>
</table>
**Sample error messages**
- **Subcode**: DeviceCapReached
- **Error**: MENROLL_E_DEVICECAPREACHED
- **Description**: The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.
- **HRESULT**: 80180013
- **Subcode**: DeviceNotSupported
- **Error**: MENROLL_E_DEVICENOTSUPPORTED
- **Description**: The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.
- **HRESULT**: 80180014
- **Subcode**: NotSupported
- **Error**: MENROLL_E_NOT_SUPPORTED
- **Description**: Mobile Device Management (MDM) is generally not supported for this device.
- **HRESULT**: 80180015
- **Subcode**: NotEligibleToRenew
- **Error**: MENROLL_E_NOTELIGIBLETORENEW
- **Description**: The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.
- **HRESULT**: 80180016
- **Subcode**: InMaintenance
- **Error**: MENROLL_E_INMAINTENANCE
- **Description**: The Mobile Device Management (MDM) server states your account is in maintenance, try again later.
- **HRESULT**: 80180017
- **Subcode**: UserLicense
- **Error**: MENROLL_E_USER_LICENSE
- **Description**: There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.
- **HRESULT**: 80180018
- **Subcode**: InvalidEnrollmentData
- **Error**: MENROLL_E_ENROLLMENTDATAINVALID
- **Description**: The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.
- **HRESULT**: 80180019
TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
@ -280,4 +230,4 @@ TraceID is a freeform text node which is logged. It should identify the server s
- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)

55
windows/client-management/mdm/nap-csp.md
View File

@ -14,17 +14,16 @@ ms.date: 06/26/2017
# NAP CSP
The NAP (Network Access Point) Configuration Service Provider is used to manage and query GPRS and CDMA connections.
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
> [!Note]
> This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application.
For the NAP CSP, you cannot use the Replace command unless the node already exists.
The following shows the NAP configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
```
```console
./Vendor/MSFT
NAP
----*
@ -61,6 +60,7 @@ NAP
----------------Secure
----------------SecureLevel
```
<a href="" id="--vendor-msft-nap"></a>**./Vendor/MSFT/NAP**
Root node.
@ -87,34 +87,11 @@ Required. Specifies the type of address used to identify the destination network
The following table shows some commonly used ADDRTYPE values and the types of connection that corresponds with each value.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>ADDRTYPE Value</th>
<th>Connection Type</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>E164</p></td>
<td><p>RAS connections</p></td>
</tr>
<tr class="even">
<td><p>APN</p></td>
<td><p>GPRS connections</p></td>
</tr>
<tr class="odd">
<td><p>ALPHA</p></td>
<td><p>Wi-Fi-based connections</p></td>
</tr>
</tbody>
</table>
 
|ADDRTYPE Value|Connection Type|
|--- |--- |
|E164|RAS connections|
|APN|GPRS connections|
|ALPHA|Wi-Fi-based connections|
<a href="" id="napx-authinfo"></a>***NAPX*/AuthInfo**
Optional node. Specifies the authentication information, including the protocol, user name, and password.
@ -136,17 +113,7 @@ Node.
<a href="" id="napx-bearer-bearertype"></a>***NAPX*/Bearer/BearerType**
Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi.
## Related topics
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

68
windows/client-management/mdm/napdef-csp.md
View File

@ -14,16 +14,12 @@ ms.date: 06/26/2017
# NAPDEF CSP
The NAPDEF configuration service provider is used to add, modify, or delete WAP network access points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a.
> **Note**  You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list.
> [!Note]
> You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list.
>
>
>
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
> This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
@ -77,9 +73,8 @@ Specifies the protocol used to authenticate the user.
The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note
> **Note**  **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change.
> [!Note]
> **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change.
<a href="" id="bearer"></a>**BEARER**
Specifies the type of bearer.
@ -124,54 +119,15 @@ The name of the *NAPID* element is the same as the value passed during initial b
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Elements</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Parm-query</p></td>
<td><p>Yes</p>
<p>Note that some GPRS parameters will not necessarily contain the exact same value as was set.</p></td>
</tr>
<tr class="even">
<td><p>Noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>Nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>Characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>
</table>
## Related topics
|Elements|Available|
|--- |--- |
|Parm-query|Yes <br>Note that some GPRS parameters will not necessarily contain the exact same value as was set.|
|Noparm|Yes|
|Nocharacteristic|Yes|
|Characteristic-query|Yes|
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)

2
windows/client-management/mdm/networkqospolicy-csp.md
View File

@ -29,7 +29,7 @@ The following actions are supported:
> - Azure AD Hybrid joined devices.
> - Devices that use both GPO and CSP at the same time.
>
> The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004.
> The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Windows 10, version 2004.
The following shows the NetworkQoSPolicy configuration service provider in tree format.
```

164
windows/client-management/mdm/office-csp.md
View File

@ -18,10 +18,11 @@ The Office configuration service provider (CSP) enables a Microsoft Office clien
This CSP was added in Windows 10, version 1703.
For additional information, see [Office DDF](office-ddf.md).
For more information, see [Office DDF](office-ddf.md).
The following shows the Office configuration service provider in tree format.
```
```console
./Vendor/MSFT
Office
----Installation
@ -46,6 +47,7 @@ Office
------------Install
------------Status
```
<a href="" id="office"></a>**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office**
The root node for the Office configuration service provider.</p>
@ -78,7 +80,7 @@ Behavior:
- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it.
- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values:
- When status = 0: 70 (succeeded)
- When status != 0: 60 (failed)
- When status!= 0: 60 (failed)
<a href="" id="currentstatus"></a>**Installation/CurrentStatus**
Returns an XML of current Office 365 installation status on the device.
@ -151,140 +153,22 @@ To get the current status of Office 365 on the device.
## Status code
<table>
<colgroup>
<col width="30%" />
<col width="50%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th>Status</th>
<th>Description</th>
<th>Comment</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>Installation succeeded</td>
<td>OK</td>
</tr>
<tr>
<td>997</td>
<td>Installation in progress</td>
<td></td>
</tr>
<tr>
<td>13</td>
<td>ERROR_INVALID_DATA
<p>Cannot verify signature of the downloaded Office Deployment Tool (ODT)<p></td>
<td>Failure</td>
</tr>
<tr>
<td>1460</td>
<td>ERROR_TIMEOUT
<p>Failed to download ODT</p></td>
<td>Failure</td>
</tr>
<tr>
<td>1602 </td>
<td>ERROR_INSTALL_USEREXIT
<p>User cancelled the installation </p></td>
<td>Failure</td>
</tr>
<tr>
<td>1603</td>
<td>ERROR_INSTALL_FAILURE
<p>Failed any pre-req check.</p>
<ul>
<li>SxS (Tried to install when 2016 MSI is installed)</li>
<li>Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)</li>
</ul>
</td>
<td>Failure</td>
</tr>
<tr>
<td>17000</td>
<td>ERROR_PROCESSPOOL_INITIALIZATION
<p>Failed to start C2RClient </p></td>
<td>Failure</td>
</tr>
<tr>
<td>17001</td>
<td>ERROR_QUEUE_SCENARIO
<p>Failed to queue installation scenario in C2RClient</p></td>
<td>Failure</td>
</tr>
<tr>
<td>17002</td>
<td>ERROR_COMPLETING_SCENARIO
<p>Failed to complete the process. Possible reasons:</p>
<ul>
<li>Installation cancelled by user</li>
<li>Installation cancelled by another installation</li>
<li>Out of disk space during installation </li>
<li>Unknown language ID</li>
</ul></td>
<td>Failure</td>
</tr>
<tr>
<td>17003</td>
<td>ERROR_ANOTHER_RUNNING_SCENARIO
<p>Another scenario is running</p></td>
<td>Failure</td>
</tr>
<tr>
<td>17004</td>
<td>ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP
<p>Possible reasons:</p>
<ul>
<li>Unknown SKUs</li>
<li>Content does't exist on CDN
<ul><li>such as trying to install an unsupported LAP, like zh-sg</li>
<li>CDN issue that content is not available</li></ul>
</li>
<li>Signature check issue, such as failed the signature check for Office content</li>
<li>User cancelled
</ul>
</td>
<td>Failure</td>
</tr>
<tr>
<td>17005</td>
<td>ERROR_SCENARIO_CANCELLED_AS_PLANNED</td>
<td>Failure</td>
</tr>
<tr>
<td>17006</td>
<td>ERROR_SCENARIO_CANCELLED
<p>Blocked update by running apps</p></td>
<td>Failure</td>
</tr>
<tr>
<td>17007</td>
<td>ERROR_REMOVE_INSTALLATION_NEEDED
<p>The client is requesting client clean up in a "Remove Installation" scenario</p></td>
<td>Failure</td>
</tr>
<tr>
<td>17100</td>
<td>ERROR_HANDLING_COMMAND_LINE
<p>C2RClient command line error </p></td>
<td>Failure</td>
</tr>
<tr>
<td>0x80004005</td>
<td>E_FAIL
<p>ODT cannot be used to install Volume license</p></td>
<td>Failure</td>
</tr>
<tr>
<td>0x8000ffff </td>
<td>E_UNEXPECTED
<p>Tried to uninstall when there is no C2R Office on the machine.</p></td>
<td>Failure</td>
</tr>
</tbody>
</table>
|Status|Description|Comment|
|--- |--- |--- |
|0|Installation succeeded|OK|
|997|Installation in progress||
|13|ERROR_INVALID_DATA <br>Cannot verify signature of the downloaded Office Deployment Tool (ODT)|Failure|
|1460|ERROR_TIMEOUT <br>Failed to download ODT|Failure|
|1602|ERROR_INSTALL_USEREXIT <br>User canceled the installation|Failure|
|1603|ERROR_INSTALL_FAILURE<br>Failed any pre-req check.<li>SxS (Tried to install when 2016 MSI is installed)<li>Bit mismatch between the currently installed Office and the Office that was attempting to be installed (such as when you try to install a 32-bit version while 64-bit version is currently installed.)|Failure|
|17000|ERROR_PROCESSPOOL_INITIALIZATION <br/>Failed to start C2RClient|Failure|
|17001|ERROR_QUEUE_SCENARIO <br/>Failed to queue installation scenario in C2RClient|Failure|
|17002|ERROR_COMPLETING_SCENARIO <br>Failed to complete the process. Possible reasons:<li>Installation canceled by user<li>Installation canceled by another installation<li>Out of disk space during installation <li>Unknown language ID|Failure|
|17003|ERROR_ANOTHER_RUNNING_SCENARIO <br>Another scenario is running|Failure|
|17004|ERROR_COMPLETING_SCENARIO_NEED_CLEAN_UP<br>Possible reasons:<li>Unknown SKUs<li>Content does't exist on CDN<ul><li>Such as trying to install an unsupported LAP, like zh-sg<li>CDN issue that content is not available</li></ul><li>Signature check issue, such as failed the signature check for Office content<li>User canceled|Failure|
|17005|ERROR_SCENARIO_CANCELLED_AS_PLANNED|Failure|
|17006|ERROR_SCENARIO_CANCELLED<br>Blocked update by running apps|Failure|
|17007|ERROR_REMOVE_INSTALLATION_NEEDED<br>The client is requesting client clean-up in a "Remove Installation" scenario|Failure|
|17100|ERROR_HANDLING_COMMAND_LINE<br>C2RClient command-line error|Failure|
|0x80004005|E_FAIL <br>ODT cannot be used to install Volume license|Failure|
|0x8000ffff|E_UNEXPECTED<br>Tried to uninstall when there is no C2R Office on the machine.|Failure|

380
windows/client-management/mdm/oma-dm-protocol-support.md
View File

@ -17,131 +17,21 @@ ms.date: 06/26/2017
The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf).
## In this topic
- [OMA DM standards](#oma-dm-standards)
- [OMA DM protocol common elements](#protocol-common-elements)
- [Device management session](#device-management-session)
- [User targeted vs. Device targeted configuration](#user-targeted-vs-device-targeted-configuration)
- [SyncML response codes](#syncml-response-codes)
## OMA DM standards
The following table shows the OMA DM standards that Windows uses.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>General area</th>
<th>OMA DM standard that is supported</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Data transport and session</p></td>
<td><ul>
<li><p>Client-initiated remote HTTPS DM session over SSL.</p></li>
<li><p>Remote HTTPS DM session over SSL.</p></li>
<li><p>Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.</p></li>
<li><p>Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.</p></li>
</ul></td>
</tr>
<tr class="even">
<td><p>Bootstrap XML</p></td>
<td><ul>
<li><p>OMA Client Provisioning XML.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td><p>DM protocol commands</p></td>
<td><p>The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see &quot;SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)&quot; available from the <a href="https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/" data-raw-source="[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)">OMA website</a>.</p>
<ul>
<li><p>Add (Implicit Add supported)</p></li>
<li><p>Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.</p></li>
<li><p>Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.</p></li>
<li><p>Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists</p></li>
<li><p>Exec: Invokes an executable on the client device</p></li>
<li><p>Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format</p></li>
<li><p>Replace: Overwrites data on the client device</p></li>
<li><p>Result: Returns the data results of a Get command to the DM server</p></li>
<li><p>Sequence: Specifies the order in which a group of commands must be processed</p></li>
<li><p>Status: Indicates the completion status (success or failure) of an operation</p></li>
</ul>
<p>If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:</p>
<ul>
<li><p>SyncBody</p></li>
<li><p>Atomic</p></li>
<li><p>Sequence</p></li>
</ul>
<p>If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.</p>
<p>If Atomic elements are nested, the following status codes are returned:</p>
<ul>
<li><p>The nested Atomic command returns 500.</p></li>
<li><p>The parent Atomic command returns 507.</p></li>
</ul>
<p>For more information about the Atomic command, see OMA DM protocol common elements.</p>
<p>Performing an Add command followed by Replace on the same node within an Atomic element is not supported.</p>
<p>LocURI cannot start with &quot;/&quot;.</p>
<p>Meta XML tag in SyncHdr is ignored by the device.</p></td>
</tr>
<tr class="even">
<td><p>OMA DM standard objects</p></td>
<td><ul>
<li><p>DevInfo</p></li>
<li><p>DevDetail</p></li>
<li><p>OMA DM DMS account objects (OMA DM version 1.2)</p></li>
</ul></td>
</tr>
<tr class="odd">
<td><p>Security</p></td>
<td><ul>
<li><p>Authenticate DM server initiation notification SMS message (not used by enterprise management)</p></li>
<li><p>Application layer Basic and MD5 client authentication</p></li>
<li><p>Authenticate server with MD5 credential at application level</p></li>
<li><p>Data integrity and authentication with HMAC at application level</p></li>
<li><p>SSL level certificate based client/server authentication, encryption, and data integrity check</p></li>
</ul></td>
</tr>
<tr class="even">
<td><p>Nodes</p></td>
<td><p>In the OMA DM tree, the following rules apply for the node name:</p>
<ul>
<li><p>&quot;.&quot; can be part of the node name.</p></li>
<li><p>The node name cannot be empty.</p></li>
<li><p>The node name cannot be only the asterisk (*) character.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td><p>Provisioning Files</p></td>
<td><p>Provisioning XML must be well formed and follow the definition in <a href="https://go.microsoft.com/fwlink/p/?LinkId=526905" data-raw-source="[SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905)">SyncML Representation Protocol</a> specification.</p>
<p>If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.</p>
<div class="alert">
<strong>Note</strong><br/><p>To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.</p>
</div>
<div>
</div></td>
</tr>
<tr class="even">
<td><p>WBXML support</p></td>
<td><p>Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the <a href="https://go.microsoft.com/fwlink/p/?LinkId=526905" data-raw-source="[SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905)">SyncML Representation Protocol</a> specification.</p></td>
</tr>
<tr class="odd">
<td><p>Handling of large objects</p></td>
<td><p>In Windows 10, version 1511, client support for uploading large objects to the server was added.</p></td>
</tr>
</tbody>
</table>
|General area|OMA DM standard that is supported|
|--- |--- |
|Data transport and session|<li>Client-initiated remote HTTPS DM session over SSL.<li>Remote HTTPS DM session over SSL.<li>Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.<li>Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.|
|Bootstrap XML|OMA Client Provisioning XML.|
|DM protocol commands|The following list shows the commands that are used by the device. For more information about the OMA DM command elements, see "[OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/)" available from the OMA website.<br/><li>Add (Implicit Add supported)<li>Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.<li>Atomic: Performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.<li>Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists<li>Exec: Invokes an executable on the client device<li>Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format<li>Replace: Overwrites data on the client device<li>Result: Returns the data results of a Get command to the DM server<li>Sequence: Specifies the order in which a group of commands must be processed<li>Status: Indicates the completion status (success or failure) of an operation<br/><br/>If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:<br/><li>SyncBody<li>Atomic<li>Sequence<br><br/>If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.<br/><br/>If Atomic elements are nested, the following status codes are returned:<br/><li>The nested Atomic command returns 500.<li>The parent Atomic command returns 507.<br/><br/>For more information about the Atomic command, see OMA DM protocol common elements.<br>Performing an Add command followed by Replace on the same node within an Atomic element is not supported.<br><br/>LocURI cannot start with `/`.<br/><br/>Meta XML tag in SyncHdr is ignored by the device.|
|OMA DM standard objects|DevInfo<li>DevDetail<li>OMA DM DMS account objects (OMA DM version 1.2)|
|Security|<li>Authenticate DM server initiation notification SMS message (not used by enterprise management)<li>Application layer Basic and MD5 client authentication<li>Authenticate server with MD5 credential at application level<li>Data integrity and authentication with HMAC at application level<li>SSL level certificate-based client/server authentication, encryption, and data integrity check|
|Nodes|In the OMA DM tree, the following rules apply for the node name:<br/><li>"." can be part of the node name.<li>The node name cannot be empty.<li>The node name cannot be only the asterisk (*) character.|
|Provisioning Files|Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905).<br/><br/>If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.<div class="alert">**Note**<br>To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.</div>|
|WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.|
|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.|
<a href="" id="protocol-common-elements"></a>
@ -149,99 +39,26 @@ The following table shows the OMA DM standards that Windows uses.
Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Chal</p></td>
<td><p>Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.</p></td>
</tr>
<tr class="even">
<td><p>Cmd</p></td>
<td><p>Specifies the name of an OMA DM command referenced in a Status element.</p></td>
</tr>
<tr class="odd">
<td><p>CmdID</p></td>
<td><p>Specifies the unique identifier for an OMA DM command.</p></td>
</tr>
<tr class="even">
<td><p>CmdRef</p></td>
<td><p>Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.</p></td>
</tr>
<tr class="odd">
<td><p>Cred</p></td>
<td><p>Specifies the authentication credential for the originator of the message.</p></td>
</tr>
<tr class="even">
<td><p>Final</p></td>
<td><p>Indicates that the current message is the last message in the package.</p></td>
</tr>
<tr class="odd">
<td><p>LocName</p></td>
<td><p>Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.</p></td>
</tr>
<tr class="even">
<td><p>LocURI</p></td>
<td><p>Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.</p></td>
</tr>
<tr class="odd">
<td><p>MsgID</p></td>
<td><p>Specifies a unique identifier for an OMA DM session message.</p></td>
</tr>
<tr class="even">
<td><p>MsgRef</p></td>
<td><p>Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.</p></td>
</tr>
<tr class="odd">
<td><p>RespURI</p></td>
<td><p>Specifies the URI that the recipient must use when sending a response to this message.</p></td>
</tr>
<tr class="even">
<td><p>SessionID</p></td>
<td><p>Specifies the identifier of the OMA DM session associated with the containing message.</p>
<div class="alert">
<strong>Note</strong> If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.
</div>
<div>
</div></td>
</tr>
<tr class="odd">
<td><p>Source</p></td>
<td><p>Specifies the message source address.</p></td>
</tr>
<tr class="even">
<td><p>SourceRef</p></td>
<td><p>Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.</p></td>
</tr>
<tr class="odd">
<td><p>Target</p></td>
<td><p>Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.</p></td>
</tr>
<tr class="even">
<td><p>TargetRef</p></td>
<td><p>Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.</p></td>
</tr>
<tr class="odd">
<td><p>VerDTD</p></td>
<td><p>Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.</p></td>
</tr>
<tr class="even">
<td><p>VerProto</p></td>
<td><p>Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.</p></td>
</tr>
</tbody>
</table>
|Element|Description|
|--- |--- |
|Chal|Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.|
|Cmd|Specifies the name of an OMA DM command referenced in a Status element.|
|CmdID|Specifies the unique identifier for an OMA DM command.|
|CmdRef|Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.|
|Cred|Specifies the authentication credential for the originator of the message.|
|Final|Indicates that the current message is the last message in the package.|
|LocName|Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.|
|LocURI|Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.|
|MsgID|Specifies a unique identifier for an OMA DM session message.|
|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.|
|RespURI|Specifies the URI that the recipient must use when sending a response to this message.|
|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.<div class="alert">**Note**<br> If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.</div>|
|Source|Specifies the message source address.|
|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.|
|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.|
|TargetRef|Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.|
|VerDTD|Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.|
|VerProto|Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.|
## Device management session
@ -255,56 +72,25 @@ A DM session can be divided into two phases:
1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table.
2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase two ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table.
The following table shows the sequence of events during a typical DM session.
The following information shows the sequence of events during a typical DM session.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Step</th>
<th>Action</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>1</p></td>
<td><p>DM client is invoked to call back to the management server</p>
<p>Enterprise scenario The device task schedule invokes the DM client.</p></td>
<td><p>The MO server sends a server trigger message to invoke the DM client.</p>
<p>The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.</p>
<p>Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.</p></td>
</tr>
<tr class="even">
<td><p>2</p></td>
<td><p>The device sends a message, over an IP connection, to initiate the session.</p></td>
<td><p>This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.</p></td>
</tr>
<tr class="odd">
<td><p>3</p></td>
<td><p>The DM server responds, over an IP connection (HTTPS).</p></td>
<td><p>The server sends initial device management commands, if any.</p></td>
</tr>
<tr class="even">
<td><p>4</p></td>
<td><p>The device responds to server management commands.</p></td>
<td><p>This message includes the results of performing the specified device management operations.</p></td>
</tr>
<tr class="odd">
<td><p>5</p></td>
<td><p>The DM server terminates the session or sends another command.</p></td>
<td><p>The DM session ends, or Step 4 is repeated.</p></td>
</tr>
</tbody>
</table>
1. DM client is invoked to call back to the management server<br><br>Enterprise scenario The device task schedule invokes the DM client.
The MO server sends a server trigger message to invoke the DM client.
The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.<br><br>Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.
The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (DM_RepPro-V1_2-20070209-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
2. The device sends a message, over an IP connection, to initiate the session.
This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
3. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any.
4. The device responds to server management commands. This message includes the results of performing the specified device management operations.
5. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated.
The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/).
During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started.
@ -319,24 +105,24 @@ For CSPs and policies that support per user configuration, the MDM server can se
The data part of this alert could be one of following strings:
- user the user that enrolled the device is actively logged in. The MDM server could send user specific configuration for CSPs/policies that support per user configuration
- others another user login but that user does not have an MDM account. The server can only apply device wide configuration, e.g. configuration applies to all users in the device.
- none no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login).
- User the user that enrolled the device is actively logged in. The MDM server could send user-specific configuration for CSPs/policies that support per user configuration
- Others another user login but that user does not have an MDM account. The server can only apply device-wide configuration, for example, configuration applies to all users in the device.
- None no active user login. The server can only apply device-wide configuration and available configuration is restricted to the device environment (no active user login).
Below is an alert example:
```
```xml
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta>
<Data>user</Data>
</Item>
</Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta>
<Data>user</Data>
</Item>
</Alert>
```
The server notifies the device whether it is a user targeted or device targeted configuration by a prefix to the management nodes LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it is device targeted configuration.
@ -351,37 +137,27 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo
When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.
| Status code | Description |
|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 200 | The SyncML command completed successfully. |
| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. |
| Status code | Description |
|---|----|
| 200 | The SyncML command completed successfully. |
| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. |
| 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. |
| 214 | Operation cancelled. The SyncML command completed successfully, but no more commands will be processed within the session. |
| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. |
| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. |
| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. |
| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. |
| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. |
| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. |
| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. |
| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. |
| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. |
| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. |
| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. |
| 214 | Operation canceled. The SyncML command completed successfully, but no more commands will be processed within the session. |
| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. |
| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. |
| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. |
| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. |
| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. |
| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. |
| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. |
| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. |
| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. |
| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. |
| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. |
| 500 | Command failed. Generic failure. The recipient encountered an unexpected condition which prevented it from fulfilling the request. This response code will occur when the SyncML DPU cannot map the originating error code. |
| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. |
| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. |
| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. |
| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. |
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

61
windows/client-management/mdm/policy-csp-abovelock.md
View File

@ -38,33 +38,13 @@ manager: dansimp
<a href="" id="abovelock-allowcortanaabovelock"></a>**AboveLock/AllowCortanaAboveLock**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -105,28 +85,13 @@ The following list shows the supported values:
<a href="" id="abovelock-allowtoasts"></a>**AboveLock/AllowToasts**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td><td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes, starting in Windows 10, version 1607</td><td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes, starting in Windows 10, version 1607</td><td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes, starting in Windows 10, version 1607</td><td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes, starting in Windows 10, version 1607|Yes|
|Enterprise|Yes, starting in Windows 10, version 1607|Yes|
|Education|Yes, starting in Windows 10, version 1607|Yes|
<!--/SupportedSKUs-->
<hr/>

150
windows/client-management/mdm/policy-csp-accounts.md
View File

@ -40,43 +40,15 @@ manager: dansimp
<a href="" id="accounts-allowaddingnonmicrosoftaccountsmanually"></a>**Accounts/AllowAddingNonMicrosoftAccountsManually**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Mobile</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Mobile Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
|Mobile|Yes|Yes|
|Mobile Enterprise|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -114,48 +86,16 @@ The following list shows the supported values:
<a href="" id="accounts-allowmicrosoftaccountconnection"></a>**Accounts/AllowMicrosoftAccountConnection**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Mobile</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Mobile Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
|Mobile|Yes|Yes|
|Mobile Enterprise|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -190,48 +130,16 @@ The following list shows the supported values:
<a href="" id="accounts-allowmicrosoftaccountsigninassistant"></a>**Accounts/AllowMicrosoftAccountSignInAssistant**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Mobile</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Mobile Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
|Mobile|Yes|Yes|
|Mobile Enterprise|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

32
windows/client-management/mdm/policy-csp-activexcontrols.md
View File

@ -40,31 +40,13 @@ manager: dansimp
<a href="" id="activexcontrols-approvedinstallationsites"></a>**ActiveXControls/ApprovedInstallationSites**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td><td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

33
windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
View File

@ -40,31 +40,14 @@ manager: dansimp
<a href="" id="admx-activexinstallservice-axisurlzonepolicies"></a>**ADMX_ActiveXInstallService/AxISURLZonePolicies**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

411
windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
View File

@ -70,20 +70,10 @@ manager: dansimp
<a href="" id="admx-addremoveprograms-defaultcategory"></a>**ADMX_AddRemovePrograms/DefaultCategory**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
<!--/SupportedSKUs-->
<hr/>
@ -135,34 +125,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noaddfromcdorfloppy"></a>**ADMX_AddRemovePrograms/NoAddFromCDorFloppy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|||
|Enterprise|Yes|Yes|
|Education|||
<!--/SupportedSKUs-->
<hr/>
@ -212,38 +182,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noaddfrominternet"></a>**ADMX_AddRemovePrograms/NoAddFromInternet**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -294,38 +240,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noaddfromnetwork"></a>**ADMX_AddRemovePrograms/NoAddFromNetwork**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -377,38 +299,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noaddpage"></a>**ADMX_AddRemovePrograms/NoAddPage**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -456,38 +354,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noaddremoveprograms"></a>**ADMX_AddRemovePrograms/NoAddRemovePrograms**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -535,38 +409,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-nochooseprogramspage"></a>**ADMX_AddRemovePrograms/NoChooseProgramsPage**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -615,37 +465,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noremovepage"></a>**ADMX_AddRemovePrograms/NoRemovePage**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -693,38 +520,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-noservices"></a>**ADMX_AddRemovePrograms/NoServices**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -775,38 +578,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-nosupportinfo"></a>**ADMX_AddRemovePrograms/NoSupportInfo**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -856,38 +635,14 @@ ADMX Info:
<a href="" id="admx-addremoveprograms-nowindowssetuppage"></a>**ADMX_AddRemovePrograms/NoWindowsSetupPage**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

128
windows/client-management/mdm/policy-csp-admx-admpwd.md
View File

@ -49,31 +49,13 @@ manager: dansimp
<a href="" id="admx-admpwd-pol_admpwd_dontallowpwdexpirationbehindpolicy"></a>**ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -109,31 +91,13 @@ ADMX Info:
<a href="" id="admx-admpwd-pol_admpwd_enabled"></a>**ADMX_AdmPwd/POL_AdmPwd_Enabled**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -172,31 +136,13 @@ ADMX Info:
<a href="" id="admx-admpwd-pol_admpwd_adminname"></a>**ADMX_AdmPwd/POL_AdmPwd_AdminName**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -235,31 +181,13 @@ ADMX Info:
<a href="" id="admx-admpwd-pol_admpwd"></a>**ADMX_AdmPwd/POL_AdmPwd**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

356
windows/client-management/mdm/policy-csp-admx-appcompat.md
View File

@ -72,36 +72,14 @@ manager: dansimp
<a href="" id="admx-appcompat-appcompatprevent16bitmach"></a>**ADMX_AppCompat/AppCompatPrevent16BitMach**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -147,38 +125,14 @@ ADMX Info:
<a href="" id="admx-appcompat-appcompatremoveprogramcompatproppage"></a>**ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -218,38 +172,14 @@ ADMX Info:
<a href="" id="admx-appcompat-appcompatturnoffapplicationimpacttelemetry"></a>**ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -293,38 +223,14 @@ ADMX Info:
<a href="" id="admx-appcompat-appcompatturnoffswitchback"></a>**ADMX_AppCompat/AppCompatTurnOffSwitchBack**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -369,37 +275,13 @@ ADMX Info:
<a href="" id="admx-appcompat-appcompatturnoffengine"></a>**ADMX_AppCompat/AppCompatTurnOffEngine**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -446,38 +328,14 @@ ADMX Info:
<a href="" id="admx-appcompat-appcompatturnoffprogramcompatibilityassistant_1"></a>**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -513,38 +371,14 @@ ADMX Info:
<a href="" id="admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2"></a>**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -587,38 +421,14 @@ ADMX Info:
<a href="" id="admx-appcompat-appcompatturnoffuseractionrecord"></a>**ADMX_AppCompat/AppCompatTurnOffUserActionRecord**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -660,38 +470,14 @@ ADMX Info:
<a href="" id="admx-appcompat-appcompatturnoffprograminventory"></a>**ADMX_AppCompat/AppCompatTurnOffProgramInventory**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

40
windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
View File

@ -39,38 +39,14 @@ manager: dansimp
<a href="" id="admx-appxpackagemanager-allowdeploymentinspecialprofiles"></a>**ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

159
windows/client-management/mdm/policy-csp-admx-appxruntime.md
View File

@ -48,37 +48,14 @@ manager: dansimp
<a href="" id="admx-appxruntime-appxruntimeapplicationcontenturirules"></a>**ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -117,38 +94,14 @@ ADMX Info:
<a href="" id="admx-appxruntime-appxruntimeblockfileelevation"></a>**ADMX_AppXRuntime/AppxRuntimeBlockFileElevation**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -187,38 +140,14 @@ ADMX Info:
<a href="" id="admx-appxruntime-appxruntimeblockhostedappaccesswinrt"></a>**ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -259,38 +188,14 @@ ADMX Info:
<a href="" id="admx-appxruntime-appxruntimeblockprotocolelevation"></a>**ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

199
windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
View File

@ -51,38 +51,14 @@ manager: dansimp
<a href="" id="admx-attachmentmanager-am-estimatefilehandlerrisk"></a>**ADMX_AttachmentManager/AM_EstimateFileHandlerRisk**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -126,37 +102,14 @@ ADMX Info:
<a href="" id="admx-attachmentmanager-am-setfilerisklevel"></a>**ADMX_AttachmentManager/AM_SetFileRiskLevel**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes
<!--/SupportedSKUs-->
<hr/>
@ -202,38 +155,14 @@ ADMX Info:
<a href="" id="admx-attachmentmanager-am-sethighriskinclusion"></a>**ADMX_AttachmentManager/AM_SetHighRiskInclusion**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -273,38 +202,14 @@ ADMX Info:
<a href="" id="admx-attachmentmanager-am-setlowriskinclusion"></a>**ADMX_AttachmentManager/AM_SetLowRiskInclusion**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -344,38 +249,14 @@ ADMX Info:
<a href="" id="admx-attachmentmanager-am-setmodriskinclusion"></a>**ADMX_AttachmentManager/AM_SetModRiskInclusion**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

40
windows/client-management/mdm/policy-csp-admx-auditsettings.md
View File

@ -39,38 +39,14 @@ manager: dansimp
<a href="" id="admx-auditsettings-includecmdline"></a>**ADMX_AuditSettings/IncludeCmdLine**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

560
windows/client-management/mdm/policy-csp-admx-bits.md
View File

@ -78,38 +78,14 @@ manager: dansimp
<a href="" id="admx-bits-bits-disablebranchcache"></a>**ADMX_Bits/BITS_DisableBranchCache**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -150,38 +126,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-disablepeercachingclient"></a>**ADMX_Bits/BITS_DisablePeercachingClient**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -223,38 +175,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-disablepeercachingserver"></a>**ADMX_Bits/BITS_DisablePeercachingServer**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -297,38 +225,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-enablepeercaching"></a>**ADMX_Bits/BITS_EnablePeercaching**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -370,38 +274,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-maxbandwidthservedforpeers"></a>**ADMX_Bits/BITS_MaxBandwidthServedForPeers**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -446,38 +326,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-maxbandwidthv2-maintenance"></a>**ADMX_Bits/BITS_MaxBandwidthV2_Maintenance**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -521,38 +377,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-maxbandwidthv2-work"></a>**ADMX_Bits/BITS_MaxBandwidthV2_Work**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -593,38 +425,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-maxcachesize"></a>**ADMX_Bits/BITS_MaxCacheSize**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -665,38 +473,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-maxcontentage"></a>**ADMX_Bits/BITS_MaxContentAge**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -737,38 +521,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-maxdownloadtime"></a>**ADMX_Bits/BITS_MaxDownloadTime**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -811,38 +571,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-maxfilesperjob"></a>**ADMX_Bits/BITS_MaxFilesPerJob**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -884,38 +620,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-maxjobspermachine"></a>**ADMX_Bits/BITS_MaxJobsPerMachine**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -957,38 +669,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-maxjobsperuser"></a>**ADMX_Bits/BITS_MaxJobsPerUser**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -1030,38 +718,14 @@ ADMX Info:
<a href="" id="admx-bits-bits-maxrangesperfile"></a>**ADMX_Bits/BITS_MaxRangesPerFile**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

80
windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
View File

@ -42,38 +42,14 @@ manager: dansimp
<a href="" id="admx-ciphersuiteorder-sslciphersuiteorder"></a>**ADMX_CipherSuiteOrder/SSLCipherSuiteOrder**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -116,38 +92,14 @@ ADMX Info:
<a href="" id="admx-ciphersuiteorder-sslcurveorder"></a>**ADMX_CipherSuiteOrder/SSLCurveOrder**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

80
windows/client-management/mdm/policy-csp-admx-com.md
View File

@ -42,38 +42,14 @@ manager: dansimp
<a href="" id="admx-com-appmgmt-com-searchforclsid-1"></a>**ADMX_COM/AppMgmt_COM_SearchForCLSID_1**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -118,38 +94,14 @@ ADMX Info:
<a href="" id="admx-com-appmgmt-com-searchforclsid-2"></a>**ADMX_COM/AppMgmt_COM_SearchForCLSID_2**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

164
windows/client-management/mdm/policy-csp-admx-controlpanel.md
View File

@ -48,38 +48,14 @@ manager: dansimp
<a href="" id="admx-controlpanel-disallowcpls"></a>**ADMX_ControlPanel/DisallowCpls**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -126,38 +102,14 @@ ADMX Info:
<a href="" id="admx-controlpanel-forceclassiccontrolpanel"></a>**ADMX_ControlPanel/ForceClassicControlPanel**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -201,38 +153,14 @@ ADMX Info:
<a href="" id="admx-controlpanel-nocontrolpanel"></a>**ADMX_ControlPanel/NoControlPanel**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -283,42 +211,14 @@ ADMX Info:
<a href="" id="admx-controlpanel-restrictcpls"></a>**ADMX_ControlPanel/RestrictCpls**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

1075
windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
View File

File diff suppressed because it is too large Load Diff

45
windows/client-management/mdm/policy-csp-admx-cpls.md
View File

@ -39,43 +39,14 @@ manager: dansimp
<a href="" id="admx-cpls-usedefaulttile"></a>**ADMX_Cpls/UseDefaultTile**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

136
windows/client-management/mdm/policy-csp-admx-credentialproviders.md
View File

@ -45,43 +45,15 @@ manager: dansimp
<a href="" id="admx-credentialproviders-allowdomaindelaylock"></a>**ADMX_CredentialProviders/AllowDomainDelayLock**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11<th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -124,43 +96,14 @@ ADMX Info:
<a href="" id="admx-credentialproviders-defaultcredentialprovider"></a>**ADMX_CredentialProviders/DefaultCredentialProvider**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -202,43 +145,14 @@ ADMX Info:
<a href="" id="admx-credentialproviders-excludedcredentialproviders"></a>**ADMX_CredentialProviders/ExcludedCredentialProviders**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

494
windows/client-management/mdm/policy-csp-admx-credssp.md
View File

@ -69,42 +69,14 @@ manager: dansimp
<a href="" id="admx-credssp-allowdefcredentialswhenntlmonly"></a>**ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -154,43 +126,14 @@ ADMX Info:
<a href="" id="admx-credssp-allowdefaultcredentials"></a>**ADMX_CredSsp/AllowDefaultCredentials**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -244,43 +187,14 @@ ADMX Info:
<a href="" id="admx-credssp-allowencryptionoracle"></a>**ADMX_CredSsp/AllowEncryptionOracle**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -329,43 +243,14 @@ ADMX Info:
<a href="" id="admx-credssp-allowfreshcredentials"></a>**ADMX_CredSsp/AllowFreshCredentials**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -416,43 +301,14 @@ ADMX Info:
<a href="" id="admx-credssp-allowfreshcredentialswhenntlmonly"></a>**ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -503,43 +359,14 @@ ADMX Info:
<a href="" id="admx-credssp-allowsavedcredentials"></a>**ADMX_CredSsp/AllowSavedCredentials**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -590,43 +417,14 @@ ADMX Info:
<a href="" id="admx-credssp-allowsavedcredentialswhenntlmonly"></a>**ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -677,43 +475,14 @@ ADMX Info:
<a href="" id="admx-credssp-denydefaultcredentials"></a>**ADMX_CredSsp/DenyDefaultCredentials**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -762,43 +531,14 @@ ADMX Info:
<a href="" id="admx-credssp-denyfreshcredentials"></a>**ADMX_CredSsp/DenyFreshCredentials**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -847,43 +587,14 @@ ADMX Info:
<a href="" id="admx-credssp-denysavedcredentials"></a>**ADMX_CredSsp/DenySavedCredentials**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -932,43 +643,14 @@ ADMX Info:
<a href="" id="admx-credssp-restrictedremoteadministration"></a>**ADMX_CredSsp/RestrictedRemoteAdministration**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

90
windows/client-management/mdm/policy-csp-admx-credui.md
View File

@ -42,43 +42,14 @@ manager: dansimp
<a href="" id="admx-credui-enablesecurecredentialprompting"></a>**ADMX_CredUI/EnableSecureCredentialPrompting**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -119,43 +90,14 @@ ADMX Info:
<a href="" id="admx-credui-nolocalpasswordresetquestions"></a>**ADMX_CredUI/NoLocalPasswordResetQuestions**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>No</td>
</tr>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

6
windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
View File

@ -507,10 +507,10 @@ ADMX Info:
Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off.
Disabled (Default):
Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance.
Microsoft Defender Antivirus will exclude pre-defined list of paths from the scan to improve performance.
Enabled:
Microsoft Defender will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios.
Microsoft Defender Antivirus will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios.
Not configured:
Same as Disabled.
@ -1415,7 +1415,7 @@ ADMX Info:
Enable or disable file hash computation feature.
Enabled:
When this feature is enabled Microsoft Defender will compute hash value for files it scans.
When this feature is enabled Microsoft Defender Antivirus will compute hash value for files it scans.
Disabled:
File hash value is not computed

7
windows/client-management/mdm/policy-csp-experience.md
View File

@ -846,8 +846,8 @@ The following list shows the supported values:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Home|No|Yes|
|Pro|No|Yes|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
@ -874,6 +874,9 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not
- 2 - Hide: The Chat icon will be hidden by default. Users can show or hide it in Settings.
- 3 - Disabled: The Chat icon will not be displayed, and users cannot show or hide it in Settings.
> [!NOTE]
> Option 1 (Show) and Option 2 (Hide) only work on the first sign-in attempt. Option 3 (Disabled) works on all attempts.
<!--/SupportedValues-->
<!--/Policy-->

2
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -3564,7 +3564,7 @@ The options are:
- 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled.
> [!NOTE]
> If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
> If this policy setting is disabled, Windows Security notifies you that the overall security of the operating system has been reduced.
- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.

2
windows/client-management/mdm/policy-csp-update.md
View File

@ -2141,7 +2141,7 @@ Do not allow update deferral policies to cause scans against Windows Update. If
For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607).
This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update."
This is the same as the Group Policy in Windows Components > Windows Update "Do not allow update deferral policies to cause scans against Windows Update."
Value type is integer. Supported operations are Add, Get, Replace, and Delete.

15
windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
View File

@ -210,7 +210,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
<!--/Description-->
<!--ADMXMapped-->
@ -282,7 +282,7 @@ Valid values:
<!--/Scope-->
<!--Description-->
Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
Value type is integer. Supported operations are Add, Get, Replace and Delete.
@ -444,7 +444,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
<!--/Description-->
<!--ADMXMapped-->
@ -593,7 +593,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
Value type is integer. Supported operations are Add, Get, Replace and Delete.
@ -667,7 +667,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
Value type is integer. Supported operations are Add, Get, Replace and Delete.
@ -741,7 +741,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
Value type is integer. Supported operations are Add, Get, Replace and Delete.
@ -977,7 +977,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows defender Security Center will display this area.
Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or do not configure this setting, Windows Defender Security Center will display this area.
Value type is integer. Supported operations are Add, Get, Replace and Delete.
@ -1733,4 +1733,3 @@ ADMX Info:
<hr/>
<!--/Policies-->

2
windows/client-management/mdm/surfacehub-csp.md
View File

@ -295,7 +295,7 @@ SurfaceHub
<p>The data type is boolean. Supported operation is Get and Replace.
<a href="" id="inboxapps-welcome-currentbackgroundpath"></a>**InBoxApps/Welcome/CurrentBackgroundPath**
<p>Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
<p>Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
<p>The data type is string. Supported operation is Get and Replace.

2
windows/client-management/mdm/understanding-admx-backed-policies.md
View File

@ -19,7 +19,7 @@ Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy confi
## <a href="" id="background"></a>Background
In addition to standard MDM policies, the Policy CSP can also handle selected set of ADMX policies. In an ADMX policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10)).
In addition to standard MDM policies, the Policy CSP can also handle selected set of ADMX policies. In an ADMX policy, an administrative template contains the metadata of a Windows Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10)).
ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC.
Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor:

7
windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
View File

@ -171,12 +171,11 @@ Heres a table describing this relationship, using the PowerShell example from
| ProvisioningCommands/DeviceContext/CommandFiles | PowerShell_Example.bat | The single orchestrator script referenced by the command line that handles calling into the required installers or performing any other actions such as expanding cab files. This script must do the required logging. |
| ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example, there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. |
### Add script to provisioning package
When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Configuration Designer.
Using Windows Configuration Designer, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to:
When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Windows Configuration Designer.
Using Windows Configuration Designer, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to:
```bat
cmd /c InstallMyApp.bat

36
windows/deployment/deploy-windows-mdt/TOC.yml
View File

@ -1,23 +1,23 @@
- name: Deploy Windows 11 with the Microsoft Deployment Toolkit (MDT)
- name: Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT)
items:
- name: Get started with MDT
href: get-started-with-the-microsoft-deployment-toolkit.md
- name: Deploy Windows 11 with MDT
- name: Deploy Windows 10 with MDT
items:
- name: Prepare for deployment with MDT
href: prepare-for-windows-deployment-with-mdt.md
- name: Create a Windows 11 reference image
href: create-a-windows-11-reference-image.md
- name: Deploy a Windows 11 image using MDT
href: deploy-a-windows-11-image-using-mdt.md
- name: Build a distributed environment for Windows 11 deployment
href: build-a-distributed-environment-for-windows-deployment.md
- name: Refresh a Windows 10 computer with Windows 11
href: refresh-a-windows-10-computer-with-windows-11.md
- name: Replace a Windows 10 computer with a Windows 11 computer
href: replace-a-windows-10-computer-with-a-windows-11-computer.md
- name: Perform an in-place upgrade to Windows 11 with MDT
href: upgrade-to-windows-11-with-the-microsoft-deployment-toolkit.md
- name: Create a Windows 10 reference image
href: create-a-windows-10-reference-image.md
- name: Deploy a Windows 10 image using MDT
href: deploy-a-windows-10-image-using-mdt.md
- name: Build a distributed environment for Windows 10 deployment
href: build-a-distributed-environment-for-windows-10-deployment.md
- name: Refresh a Windows 7 computer with Windows 10
href: refresh-a-windows-7-computer-with-windows-10.md
- name: Replace a Windows 7 computer with a Windows 10 computer
href: replace-a-windows-7-computer-with-a-windows-10-computer.md
- name: Perform an in-place upgrade to Windows 10 with MDT
href: upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
- name: Customize MDT
items:
- name: Configure MDT settings
@ -28,10 +28,10 @@
href: configure-mdt-deployment-share-rules.md
- name: Configure MDT for UserExit scripts
href: configure-mdt-for-userexit-scripts.md
- name: Simulate a Windows 11 deployment in a test environment
href: simulate-a-windows-11-deployment-in-a-test-environment.md
- name: Use the MDT database to stage Windows deployment information
href: use-the-mdt-database-to-stage-windows-deployment-information.md
- name: Simulate a Windows 10 deployment in a test environment
href: simulate-a-windows-10-deployment-in-a-test-environment.md
- name: Use the MDT database to stage Windows 10 deployment information
href: use-the-mdt-database-to-stage-windows-10-deployment-information.md
- name: Assign applications using roles in MDT
href: assign-applications-using-roles-in-mdt.md
- name: Use web services in MDT

4
windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
View File

@ -18,10 +18,6 @@ ms.topic: article
# Assign applications using roles in MDT
**Applies to**
- Windows 10
- Windows 11
This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this topic, the application we are adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together.
## <a href="" id="sec01"></a>Create and assign a role entry in the database

45
windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-deployment.md → windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
View File

@ -1,12 +1,12 @@
---
title: Build a distributed environment for Windows 11 deployment (Windows 11)
description: In this topic, you will learn how to replicate your Windows 11 deployment shares to facilitate the deployment of Windows 11 in remote or branch locations.
title: Build a distributed environment for Windows 10 deployment (Windows 10)
description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations.
ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c
ms.reviewer:
manager: dougeby
ms.author: greglin
keywords: replication, replicate, deploy, configure, remote
ms.prod: w11
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
@ -16,13 +16,12 @@ author: greg-lindsay
ms.topic: article
---
# Build a distributed environment for Windows 11 deployment
# Build a distributed environment for Windows 10 deployment
**Applies to**
- Windows 10
- Windows 11
- Windows 10
Perform the steps in this article to build a distributed environment for Windows 11 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments.
Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments.
Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we will deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation.
@ -32,7 +31,7 @@ For the purposes of this article, we assume that MDT02 is prepared with the same
Computers used in this topic.
> HV01 is also used in this topic to host the PC0006 virtual machine.
>HV01 is also used in this topic to host the PC0006 virtual machine.
## Replicate deployment shares
@ -63,7 +62,7 @@ On **MDT01**:
Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
```
2. Wait for installation to comlete, and then verify that the installation was successful. See the following output:
2. Wait for installation to complete, and then verify that the installation was successful. See the following output:
```output
PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
@ -83,7 +82,7 @@ On **MDT02**:
Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
```
2. Wait for installation to comlete, and then verify that the installation was successful. See the following output:
2. Wait for installation to complete, and then verify that the installation was successful. See the following output:
```output
PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
@ -120,7 +119,7 @@ When you have multiple deployment servers sharing the same content, you need to
On **MDT01**:
1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the default gateway of client devices in your locations (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use.
1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use.
```ini
[Settings]
@ -142,8 +141,8 @@ On **MDT01**:
UserPassword=pass@word1
SkipBDDWelcome=YES
```
> [!NOTE]
> The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 10 computer with Windows 11](refresh-a-windows-10-computer-with-windows-11.md) and [Replace a Windows 10 computer with a Windows 11 computer](replace-a-windows-10-computer-with-a-windows-11-computer.md).
>[!NOTE]
>The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
2. Save the Bootstrap.ini file.
3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes.
@ -154,8 +153,8 @@ On **MDT01**:
Replacing the updated boot image in WDS.
> [!TIP]
> If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console.
>[!TIP]
>If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console.
## Replicate the content
@ -228,7 +227,7 @@ On **MDT02**:
The DFS Replication Health Report.
> If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**.
>If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**.
## Configure Windows Deployment Services (WDS) in a remote site
@ -251,19 +250,21 @@ Now you should have a solution ready for deploying the Windows 10 client to the
6. Install an operating system from a network-based installation server
2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
1. Select a task sequence to execute on this computer: Windows 11 Enterprise x64 Custom Image
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
2. Computer Name: PC0006
3. Applications: Select the Install - Adobe Reader
4. Setup will now start and perform the following:
1. Install the Windows 11 Enterprise operating system.
1. Install the Windows 10 Enterprise operating system.
2. Install applications.
3. Update the operating system using your local Windows Server Update Services (WSUS) server.
![pc0001.](../images/pc0006.png)
## Related topics
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
[Create a Windows 11 reference image](create-a-windows-11-reference-image.md)<br>
[Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md)<br>
[Refresh a Windows 10 computer with Windows 11](refresh-a-windows-10-computer-with-windows-11.md)<br>
[Replace a Windows 10 computer with a Windows 11 computer](replace-a-windows-10-computer-with-a-windows-11-computer.md)<br>
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)<br>
[Configure MDT settings](configure-mdt-settings.md)

4
windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
View File

@ -18,10 +18,6 @@ ms.topic: article
# Configure MDT deployment share rules
**Applies to**
- Windows 10
- Windows 11
In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file.
## <a href="" id="sec01"></a>Assign settings

4
windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
View File

@ -18,10 +18,6 @@ ms.topic: article
# Configure MDT for UserExit scripts
**Applies to**
- Windows 10
- Windows 11
In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address.
## Configure the rules to call a UserExit script

4
windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
View File

@ -18,10 +18,6 @@ ms.topic: article
# Configure MDT settings
**Applies to**
- Windows 10
- Windows 11
One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).

168
windows/deployment/deploy-windows-mdt/create-a-windows-11-reference-image.md → windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
View File

@ -1,12 +1,12 @@
---
title: Create a Windows 11 reference image (Windows 11)
title: Create a Windows 10 reference image (Windows 10)
description: Creating a reference image is important because that image serves as the foundation for the devices in your organization.
ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa
ms.reviewer:
manager: dougeby
ms.author: greglin
keywords: deploy, deployment, configure, customize, install, installation
ms.prod: w11
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
@ -16,25 +16,22 @@ author: greg-lindsay
ms.topic: article
---
# Create a Windows 11 reference image
# Create a Windows 10 reference image
**Applies to**
- Windows 10
- Windows 11
In this topic, you will learn how to create a Windows 11 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 11 reference image. After completing the steps outlined in this topic, you will have a Windows 11 reference image that can be used in your deployment solution.
Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution.
All procedures in this article can also be used to create a Windows 10 reference image by using Windows 10 media instead of Windows 11 media in the [Add setup files](#add-setup-files) section below.
> [!NOTE]
> This guide assumes that you have already installed and configured deployment tools. See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information.
>[!NOTE]
>See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information about the server, client, and network infrastructure used in this guide.
For the purposes of this topic, we will use three computers: DC01, MDT01, and HV01.
- DC01 is a domain controller for the contoso.com domain.
- MDT01 is a contoso.com domain member server.
- HV01 is a Hyper-V server that will be used to build the reference image.
&nbsp;&nbsp;![devices.](../images/mdt-08-fig01.png)
![devices.](../images/mdt-08-fig01.png)
Computers used in this topic.
@ -48,20 +45,19 @@ The reference image described in this guide is designed primarily for deployment
## Set up the MDT build lab deployment share
With Windows 10 and Windows 11, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 11 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
With Windows 10, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
### Create the MDT build lab deployment share
On **MDT01**:
- Sign in as contoso\\administrator using a password of <b>pass@word1</b> (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic).
- Start the MDT deployment workbench, and pin the console to the taskbar for easy access.
- If it is your first time starting the console, search for **Deployment Workbench**.
- Start the MDT deployment workbench, and pin this to the taskbar for easy access.
- Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
- Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **D:\\MDTBuildLab**
- Share name: **MDTBuildLab$**
- Descriptive name: **MDT Build Lab**
- Deployment share description: **MDT Build Lab**
- Accept the default selections on the Options page and click **Next**.
- Review the Summary page, click **Next**, wait for the deployment share to be created, then click **Finish**.
- Verify that you can access the <b>\\\\MDT01\\MDTBuildLab$</b> share.
@ -72,7 +68,7 @@ On **MDT01**:
### Enable monitoring
To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share in the Deployment Workbench, click **Properties**, click the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional.
To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, click **Properties**, click the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional.
### Configure permissions for the deployment share
@ -90,41 +86,34 @@ On **MDT01**:
## Add setup files
This section will show you how to populate the MDT deployment share with the Windows 11 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.
This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.
### Add the Windows 11 installation files
### Add the Windows 10 installation files
MDT supports adding both full source Windows 11 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
> [!NOTE]
> Windows 11 media is pre-release as of the date this article was last updated. To obtain Windows 11 pre-release media, join the Windows Insider program and visit [Windows Insider Preview Downloads](https://www.microsoft.com/software-download/windowsinsiderpreviewiso).<br>
> The build selected in this example is **Windows 11 Insider Preview Enterprise (Dev Channel) - Build 22454**.
>[!NOTE]
>Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.
### Add Windows 11 Enterprise x64 (full source)
### Add Windows 10 Enterprise x64 (full source)
On **MDT01**:
1. Sign in as **contoso\\administrator** and copy the content of a Windows 11 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 11 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD.
1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD.
![ISO.](../images/iso-data.png)
2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
3. Right-click the **Operating Systems** node, and create a new folder named **Windows 11**.
4. Expand the **Operating Systems** node, right-click the **Windows 11** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
- Full set of source files
- Source directory: (location of your source files)
- Destination directory name: <b>W11EX64</b>
> [!NOTE]
> Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W11EX64 rather than a more descriptive name like Windows 11 Enterprise x64.<br><br>
> Depending on the DVD or ISO you used, there might be multiple editions added by the import process. For the purposes of this guide, we are using the Windows 11 Enterprise image, but other images will also work. In the example shown, editions that will not be used are deleted from the list.
5. After adding the operating system, in the **Operating Systems / Windows 11** folder, double-click it and change the name to: **Windows 11 Enterprise x64 Default Image**. See the following example.
- Destination directory name: <b>W10EX64RTM</b>
5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.
![Default image.](../images/deployment-workbench01.png)
> [!NOTE]
> The pre-release version of Windows 11 used here has "Windows 10" in the description. You can ignore this.
>Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work.
## Add applications
@ -308,7 +297,7 @@ On **MDT01**:
## Create the reference image task sequence
In order to build and capture your Windows 11 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 11 reference image.
In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image.
After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you are deploying.
### Drivers and the reference image
@ -317,31 +306,31 @@ Because we use modern virtual platforms for creating our reference images, we do
### Create a task sequence for Windows 10 Enterprise
To create a Windows 11 reference image task sequence, the process is as follows:
To create a Windows 10 reference image task sequence, the process is as follows:
On **MDT01**:
1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 11**.
2. Right-click the new **Windows 11** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: REFW11X64-001
2. Task sequence name: Windows 11 Enterprise x64 Default Image
1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: REFW10X64-001
2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image
3. Task sequence comments: Reference Build
4. Template: Standard Client Task Sequence
5. Select OS: Windows 11 Enterprise x64 Default Image
5. Select OS: Windows 10 Enterprise x64 RTM Default Image
6. Specify Product Key: Do not specify a product key at this time
7. Full Name: Contoso
8. Organization: Contoso
9. Internet Explorer home page: https://www.contoso.com
9. Internet Explorer home page: http://www.contoso.com
10. Admin Password: Do not specify an Administrator Password at this time
### Edit the Windows 11 task sequence
### Edit the Windows 10 task sequence
The steps below walk you through the process of editing the Windows 10 reference image task sequence to include the actions required to update the reference image with the latest updates from WSUS, install roles and features, and utilities, and install Microsoft Office365 ProPlus x64.
On **MDT01**:
1. In the **Task Sequences / Windows 11** folder, right-click the **Windows 11 Enterprise x64 Default Image** task sequence, and select **Properties**.
2. On the **Task Sequence** tab, configure the Windows 11 Enterprise x64 Default Image task sequence with the following settings:
1. In the **Task Sequences / Windows 10** folder, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence, and select **Properties**.
2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings:
1. **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box.
2. **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action.
@ -351,7 +340,7 @@ On **MDT01**:
- **Note**: The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating.
5. **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings:
1. Name: Install - Microsoft NET Framework 3.5.1
2. Select the operating system for which roles are to be installed: Windows 10 (this also works for Windows 11)
2. Select the operating system for which roles are to be installed: Windows 10
3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
>[!IMPORTANT]
@ -364,7 +353,7 @@ On **MDT01**:
6. **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings:
1. Name: Microsoft Visual C++ Redistributable 2019 - x86
2. Install a Single Application: browse to **Install - MSVC 2019 - x86**
7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Office 365 ProPlus - x64 as well.
7. Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well.
3. Click **OK**.
![apps.](../images/mdt-apps.png)
@ -396,18 +385,26 @@ Follow these steps to configure Internet Explorer settings in Unattend.xml for t
On **MDT01**:
1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 11 Enterprise x64 Default Image** task sequence and select **Properties**.
1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**.
2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
> [!IMPORTANT]
> The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903:
> - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
> - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
> - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim).
> - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml.
3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry.
4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values:
- DisableDevTools: true
5. Save the Answer File, and close Windows SIM.
- Note: If validation errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1.
6. On the Windows 11 Enterprise x64 Default Image Properties, click **OK**.
5. Save the Unattend.xml file, and close Windows SIM.
- Note: If errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1.
6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**.
![figure 10.](../images/fig10-unattend.png)
Windows System Image Manager with the Windows 11 Unattend.xml.
Windows System Image Manager with the Windows 10 Unattend.xml.
## Configure the MDT deployment share rules
@ -478,7 +475,7 @@ On **MDT01**:
```
>[!NOTE]
>For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word1) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini.
>For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini.
4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**.
5. In the **Lite Touch Boot Image Settings** area, configure the following settings:
@ -609,11 +606,11 @@ SkipFinalSummary=YES
- **SkipCapture.** Skips the Capture pane.
- **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to click OK before the machine shuts down.
## Build the Windows 11 reference image
## Build the Windows 10 reference image
As previously described, this section requires a Hyper-V host. See [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements) for more information.
Once you have created your task sequence, you are ready to create the Windows 11 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process.
Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process.
The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image.
@ -624,67 +621,56 @@ The steps below outline the process used to boot a virtual machine using an ISO
On **HV01**:
2. Create a new virtual machine with the following settings:
1. Name: REFW11X64-001
1. Name: REFW10X64-001
2. Store the virtual machine in a different location: C:\VM
3. Generation 1
4. Memory: 1024 MB
5. Network: Must be able to connect to \\MDT01\MDTBuildLab$
7. Hard disk: 60 GB (dynamic disk)
8. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso
1. Before you start the VM, add a checkpoint for REFW11X64-001, and name it **Clean with MDT Build Lab x86 ISO**.
1. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**.
**Note**: Checkpoints are useful if you need to restart the process and want to make sure you can start clean.
4. Start the REFW11X64-001 virtual machine and connect to it.
4. Start the REFW10X64-001 virtual machine and connect to it.
> [!IMPORTANT]
> Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW11X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share, and optionally the WSUS server on your network. A connection to the Internet is also used to download and updates during the image creation process. In the current scenario, this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, with a 10.10.10.1 gateway, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11, and also connect to external networks.<br><br>
> If you receive a message that "A connection to the deployment share could not be made, check that the DHCP service is available to the REFW11X64-001 VM, and it has been issued a valid IP address lease (check your DHCP server).
**Note**: Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11.
5. After booting into Windows PE, complete the Windows Deployment Wizard with the following settings:
- Select a task sequence to execute on this computer: Windows 11 Enterprise x64 Default Image
- Specify whether to capture an image: Capture an image of this reference computer
- Location: \\\\MDT01\\MDTBuildLab$\\Captures
- File name: REFW11X64-001.wim
After booting into Windows PE, complete the Windows Deployment Wizard with the following settings:
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image
2. Specify whether to capture an image: Capture an image of this reference computer
- Location: \\\\MDT01\\MDTBuildLab$\\Captures
3. File name: REFW10X64-001.wim
![capture image.](../images/captureimage.png)
![capture image.](../images/captureimage.png)
The Windows Deployment Wizard for the Windows 11 reference image.
The Windows Deployment Wizard for the Windows 10 reference image.
The image creation process starts and does the following:
1. Installs the Windows 11 Enterprise operating system.
2. Installs the added applications, roles, and features.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server (if provisioned).
4. Stages Windows PE on the local disk.
5. Runs System Preparation (Sysprep) and reboots into Windows PE.
6. Captures the installation to a Windows Imaging (WIM) file.
7. Turns off the virtual machine.
5. The setup now starts and does the following:
1. Installs the Windows 10 Enterprise operating system.
2. Installs the added applications, roles, and features.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
4. Stages Windows PE on the local disk.
5. Runs System Preparation (Sysprep) and reboots into Windows PE.
6. Captures the installation to a Windows Imaging (WIM) file.
7. Turns off the virtual machine.
After some time (30-90 minutes depending on resources available), you will have a Windows 11 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is **REFW11X64-001.wim**.
After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
![image.](../images/image-captured.png)
## Troubleshooting
> [!IMPORTANT]
> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This
If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence.
![monitoring.](../images/mdt-monitoring.png)
If monitoring is not working, check that http://localhost:9801/MDTMonitorData/ loads on MDT01, and try turning monitoring off and on again.
If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$.
If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. An example is shown below.
```cmd
X:\>net use G: \\mdt01\c$\tmp /user:contoso\administrator pass@word1
The command completed successfully.
X:\>copy X:\MININT\SMSOSD\OSDLOGS\*.log G:
6 files copied.
X:\>copp X:\Windows\Temp\SMSTSLog\smsts.log G:
1 file copied.
```
If you have trouble connecting to the deployment share, verify that your DHCP server (DC01 in this lab) has issued a lease to the VM. The DHCP client name will be something like minint-p1st75s.contoso.com.
After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
## Related topics

154
windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md → windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
View File

@ -1,12 +1,12 @@
---
title: Deploy a Windows 11 image using MDT (Windows 11)
description: This topic will show you how to take your reference image for Windows 11, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
title: Deploy a Windows 10 image using MDT (Windows 10)
description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c
ms.reviewer:
manager: dougeby
ms.author: greglin
keywords: deployment, automate, tools, configure
ms.prod: w11
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
@ -16,13 +16,12 @@ author: greg-lindsay
ms.topic: article
---
# Deploy a Windows 11 image using MDT
# Deploy a Windows 10 image using MDT
**Applies to**
- Windows 10
- Windows 11
- Windows 10
This topic will show you how to take your reference image for Windows 11 [that was just created](create-a-windows-11-reference-image.md), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules.
@ -31,7 +30,7 @@ For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 an
- DC01 is a domain controller
- MDT01 is a domain member server
- HV01 is a Hyper-V server
- PC0005 is a blank device to which we will deploy Windows 11
- PC0005 is a blank device to which we will deploy Windows 10
MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment.
@ -90,8 +89,11 @@ The steps for creating the deployment share for production are the same as when
1. Ensure you are signed on as: contoso\administrator.
2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
@ -111,22 +113,26 @@ On **MDT01**:
## Step 3: Add a custom image
The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 11. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10/11 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components.
The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components.
### Add the Windows 11 Enterprise x64 custom image
### Add the Windows 10 Enterprise x64 RTM custom image
In these steps, we assume that you have completed the steps in the [Create a Windows 11 reference image](create-a-windows-11-reference-image.md) topic, so you have a Windows 11 reference image at **D:\\MDTBuildLab\\Captures\REFW11X64-001.wim** on MDT01.
In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01.
1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 11**.
1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
2. Right-click the **Windows 10** folder and select **Import Operating System**.
3. On the **OS Type** page, select **Custom image file** and click **Next**.
4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW11X64-001.wim** and click **Next**.
5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W11EX64** and click **Next**.
6. On the **Destination** page, in the **Destination directory name** text box, type **W11EX64**, click **Next** twice, and then click **Finish**.
7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 11** node and change the name to **Windows 11 Enterprise x64 Custom Image**.
> [!NOTE]
> The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT now uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
3. On the **OS Type** page, select **Custom image file** and click **Next**.
4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**.
7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
>[!NOTE]
>The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
![imported OS.](../images/fig2-importedos.png)
@ -139,15 +145,21 @@ When you configure your MDT Build Lab deployment share, you can also add applica
On **MDT01**:
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100720091_en_US.exe) to **D:\\setup\\adobe** on MDT01.
2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100720091_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01.
2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.
5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
6. On the **Application Type** page, select the **Application with source files** option and click **Next**.
7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**.
8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**.
9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**.
10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
![acroread image.](../images/acroread.png)
@ -156,10 +168,7 @@ On **MDT01**:
## Step 5: Prepare the drivers repository
> [!IMPORTANT]
> The section below on preparing the drivers repository uses Windows 10-compatible devices and drivers as examples. These examples do not infer Windows 11 compatibility. Check with your device manufacturer before deploying drivers, and verify that the device meets Windows 11 hardware requirements. For more information, see [Windows 11 requirements](/windows/whats-new/windows-11-requirements).
In order to deploy Windows 10 or Windows 11 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:
In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:
- Lenovo ThinkPad T420
- Dell Latitude 7390
- HP EliteBook 8560w
@ -167,8 +176,8 @@ In order to deploy Windows 10 or Windows 11 with MDT successfully, you need dri
For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers.
> [!NOTE]
> You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time.
>[!NOTE]
>You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time.
### Create the driver source structure in the file system
@ -183,8 +192,8 @@ On **MDT01**:
2. In the **D:\\drivers** folder, create the following folder structure:
1. WinPE x86
2. WinPE x64
3. Windows 11 x64
3. In the new Windows 11 x64 folder, create the following folder structure:
3. Windows 10 x64
3. In the new Windows 10 x64 folder, create the following folder structure:
- Dell Inc.
- Latitude E7450
- Hewlett-Packard
@ -204,8 +213,8 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
2. In the **Out-Of-Box Drivers** node, create the following folder structure:
1. WinPE x86
2. WinPE x64
3. Windows 11 x64
3. In the **Windows 11 x64** folder, create the following folder structure:
3. Windows 10 x64
3. In the **Windows 10 x64** folder, create the following folder structure:
- Dell Inc.
- Latitude E7450
- Hewlett-Packard
@ -236,28 +245,32 @@ The Out-of-Box Drivers structure in the Deployment Workbench.
### Create the selection profiles for boot image drivers
By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles.
The drivers that are used for the boot images (Windows PE) are Windows 11 drivers. If you cant locate Windows 11 drivers for your device, a Windows 10, Windows 8.1 or Windows 7 driver will most likely work, but Windows 11 drivers should be your first choice.
The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you cant locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice.
On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**.
2. In the New Selection Profile Wizard, create a selection profile with the following settings:
1. Selection Profile name: **WinPE x86**
1. Selection Profile name: WinPE x86
2. Folders: Select the WinPE x86 folder in Out-of-Box Drivers.
3. Click **Next**, **Next** and **Finish**.
3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**.
4. In the New Selection Profile Wizard, create a selection profile with the following settings:
1. Selection Profile name: **WinPE x64**
1. Selection Profile name: WinPE x64
2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
3. Click **Next**, **Next** and **Finish**.
![figure 5.](../images/fig5-selectprofile.png)
Creating the WinPE x64 selection profile.
### Extract and import drivers for the x64 boot image
Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image.
On **MDT01**:
1. Download **PROWinx64.exe** from Intel.com (ex: [Intel® Network Adapter Driver](https://www.intel.com/content/www/us/en/download/16765/intel-network-adapter-driver-for-windows-8-final-release.html)).
1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)).
2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder.
a. **Note**: Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates.
3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
@ -279,11 +292,11 @@ In this example, we assume you have downloaded and extracted the drivers using T
On **MDT01**:
1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 11 x64** node, expand the **Lenovo** node.
1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node.
2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
**D:\\Drivers\\Windows 11 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
**D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
@ -295,29 +308,29 @@ In these steps, we assume you have downloaded and extracted the CAB file for the
On **MDT01**:
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 11 x64** node, expand the **Dell Inc.** node.
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc.** node.
2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
**D:\\Drivers\\Windows 11 x64\\Dell Inc.\\Latitude E7450**
**D:\\Drivers\\Windows 10 x64\\Dell Inc.\\Latitude E7450**
### For the HP EliteBook 8560w
For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html).
In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 11 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder.
In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder.
On **MDT01**:
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 11 x64** node, expand the **Hewlett-Packard** node.
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node.
2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
**D:\\Drivers\\Windows 11 x64\\Hewlett-Packard\\HP EliteBook 8560w**
**D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
### For the Microsoft Surface Laptop
For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 11 x64\\Microsoft\\Surface Laptop** folder.
For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder.
On **MDT01**:
@ -325,40 +338,40 @@ On **MDT01**:
2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers:
**D:\\Drivers\\Windows 11 x64\\Microsoft\\Surface Laptop**
**D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
## Step 6: Create the deployment task sequence
This section will show you how to create the task sequence used to deploy your production Windows 11 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server.
This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server.
### Create a task sequence for Windows 11 Enterprise
### Create a task sequence for Windows 10 Enterprise
On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 11**.
1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**.
2. Right-click the new **Windows 11** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: W11-X64-001
- Task sequence name: Windows 11 Enterprise x64 Custom Image
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: W10-X64-001
- Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
- Task sequence comments: Production Image
- Template: Standard Client Task Sequence
- Select OS: Windows 11 Enterprise x64 Custom Image
- Select OS: Windows 10 Enterprise x64 RTM Custom Image
- Specify Product Key: Do not specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
- Internet Explorer home page: https://www.contoso.com
- Admin Password: Do not specify an Administrator Password at this time
### Edit the Windows 11 task sequence
### Edit the Windows 10 task sequence
1. Continuing from the previous procedure, right-click the **Windows 11 Enterprise x64 Custom Image** task sequence, and select **Properties**.
1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
2. On the **Task Sequence** tab, configure the **Windows 11 Enterprise x64 Custom Image** task sequence with the following settings:
2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
1. Name: Set DriverGroup001
2. Task Sequence Variable: DriverGroup001
3. Value: Windows 11 x64\\%Manufacturer%\\%Model%
3. Value: Windows 10 x64\\%Manufacturer%\\%Model%
2. Configure the **Inject Drivers** action with the following settings:
- Choose a selection profile: Nothing
@ -473,7 +486,7 @@ On **MDT01**:
11. Click **OK**.
>[!NOTE]
>It might take a while for the Deployment Workbench to create the monitoring database and web service.
>It will take a while for the Deployment Workbench to create the monitoring database and web service.
![figure 8.](../images/mdt-07-fig08.png)
@ -604,13 +617,13 @@ Like the MDT Build Lab deployment share, the MDT Production deployment share nee
>[!NOTE]
>The update process will take 5 to 10 minutes.
## Step 8: Deploy the Windows 11 client image
## Step 8: Deploy the Windows 10 client image
These steps will walk you through the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process.
### Configure Windows Deployment Services
You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. In this procedure, we assume that WDS is already installed and initialized on MDT01 as described in the [Prepare for Windows deployment](prepare-for-windows-deployment-with-mdt.md#install-and-initialize-wds) article.
You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparation for the deployment. In this procedure, we assume that WDS is already installed and initialized on MDT01 as described in the [Prepare for Windows deployment](prepare-for-windows-deployment-with-mdt.md#install-and-initialize-windows-deployment-services-wds) article.
On **MDT01**:
@ -624,7 +637,7 @@ On **MDT01**:
The boot image added to the WDS console.
### Deploy the Windows 11 client
### Deploy the Windows 10 client
At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you are confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. This helps rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine:
@ -654,9 +667,9 @@ On **HV01**:
4. Setup now begins and does the following:
- Installs the Windows 11 Enterprise operating system.
- Installs the Windows 10 Enterprise operating system.
- Installs the added application.
- Updates the operating system via your local Windows Server Update Services (WSUS) server (if configured).
- Updates the operating system via your local Windows Server Update Services (WSUS) server.
![pc0005 image1.](../images/pc0005-vm.png)
@ -714,9 +727,9 @@ On **MDT01**:
The newly created multicast namespace.
## Use offline media to deploy Windows 11
## Use offline media to deploy Windows 10
In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 11. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment.
In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment.
Offline media are useful not only when you do not have network connectivity to the deployment share, but also when you have limited connection to the deployment share and do not want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire.
@ -735,10 +748,10 @@ On **MDT01**:
- Folders
- Applications / Adobe
- Operating Systems / Windows 11
- Operating Systems / Windows 10
- Out-Of-Box Drivers / WinPE x64
- Out-Of-Box Drivers / Windows 11 x64
- Task Sequences / Windows 11
- Out-Of-Box Drivers / Windows 10 x64
- Task Sequences / Windows 10
![offline media.](../images/mdt-offline-media.png)
@ -756,7 +769,7 @@ In these steps, you generate offline media from the MDT Production deployment sh
3. Use the following settings for the New Media Wizard:
- General Settings
- Media path: **D:\\MDTOfflineMedia**
- Selection profile: **Windows 11 Offline Media**
- Selection profile: **Windows 10 Offline Media**
### Configure the offline media
@ -770,7 +783,7 @@ On **MDT01**:
3. In the **General** tab, configure the following:
- Clear the Generate x86 boot image check box.
- ISO file name: Windows 11 Offline Media.iso
- ISO file name: Windows 10 Offline Media.iso
4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
@ -803,10 +816,15 @@ The ISO that you got when updating the offline media item can be burned to a DVD
Follow these steps to create a bootable USB stick from the offline media content:
1. On a physical machine running Windows 7 or later, insert the USB stick you want to use.
2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick.
3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**.
4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F.
5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter).
6. In the Diskpart utility, type **active**, and then type **exit**.
## Unified Extensible Firmware Interface (UEFI)-based deployments

14
windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
View File

@ -1,5 +1,5 @@
---
title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10/11)
title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10)
description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment.
ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
ms.reviewer:
@ -20,7 +20,6 @@ ms.topic: article
**Applies to**
- Windows 10
- Windows 11
This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
@ -30,14 +29,17 @@ MDT is a unified collection of tools, processes, and guidance for automating des
In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
MDT supports the deployment of Windows 11, as well as Windows 7, Windows 8.1, Windows 10, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/).
MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/).
> [!IMPORTANT]
> For more information about MDT supported platforms, see [MDT Release Notes](/mem/configmgr/mdt/release-notes#supported-platforms) and [MDT FAQ](/mem/configmgr/mdt/faq#is-this-release-only-supported-with-version--x--of-windows-client--windows-adk--or-configuration-manager-).
## Key features in MDT
MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment.
MDT has many useful features, such as:
- **Windows Client support.** Supports Windows 7, Windows 8.1, Windows 10, and Windows 11.
- **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10.
- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), as well as Windows 8.1 Embedded Industry.
- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
@ -69,11 +71,11 @@ MDT has many useful features, such as:
- **Support for Microsoft Office.** Provides added support for deploying Microsoft Office.
- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, Windows 8.1, and Windows 10 systems directly to Windows 11, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/).
- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/).
## MDT Lite Touch components
Many features in MDT support Lite Touch Installation (LTI) for Windows 11. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.
Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.
When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.

87
windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
View File

@ -1,12 +1,12 @@
---
title: Prepare for deployment with MDT (Windows 11)
description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 11 operating system using the Microsoft Deployment Toolkit (MDT).
title: Prepare for deployment with MDT (Windows 10)
description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
ms.reviewer:
manager: dougeby
ms.author: greglin
keywords: deploy, system requirements
ms.prod: w11
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
@ -19,68 +19,51 @@ ms.topic: article
# Prepare for deployment with MDT
**Applies to**
- Windows 10
- Windows 11
- Windows 10
This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory.
This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 11 with the Microsoft Deployment Toolkit (MDT). All procedures in this guide can also be used to deploy Windows 10. For an overview of the features, components, and capabilities of MDT, see [Get started with MDT](get-started-with-the-microsoft-deployment-toolkit.md).
This article covers installation of necessary system prerequisites, creation of shared folders and service accounts, and configuration of security permissions in the file system and in Active Directory. Steps to complete the following procedures are provided:
1. Install the Windows Assessment and Deployment Kit (ADK)
2. Install and initialize Windows Deployment Services (WDS)
3. Install MDT
4. Create an Active Directory Organizational Unit structure to support deployment
5. Create the MDT service account
6. Create and share the logs folder
After completing these steps, you can create a [Windows 11 reference image](create-a-windows-11-reference-image.md) that will be used to deploy Windows 11. If you are installing Windows 10 instead of Windows 11, use [source media](create-a-windows-11-reference-image.md#add-setup-files) for Windows 10 instead of Windows 11 to create your reference image.
> [!IMPORTANT]
> Before deploying Windows 11, verify that the device meets [requirements](/windows/whats-new/windows-11-requirements).
## Infrastructure and requirements
## Infrastructure
The procedures in this guide use the following names and infrastructure.
#### Network and servers
### Network and servers
For the purposes of this topic, we will use three server computers: **DC01**, **MDT01**, and **HV01**.
- All servers are running Windows Server 2019.
- You can use an earlier version of Windows Server with minor modifications to some procedures.
- Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is required to perform the procedures in this guide.
- **DC01** is a domain controller, DHCP server, and DNS server for <b>contoso.com</b>, representing the fictitious Contoso Corporation.
- The DHCP scope used in this lab is 10.10.10.0/24 with a gateway of 10.10.10.1. but you can adjust the scope settings to your environment.
- **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server.
- A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-deployment.md) for Windows 11 deployment. This server is located on a different subnet than MDT01 and has a different default gateway.
- **HV01** is a Hyper-V host computer that is used to build a Windows 11 reference image.
- A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway.
- **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image.
- See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01.
#### Client computers
### Client computers
Several client computers are referenced in this guide with hostnames of PC0001 to PC0007.
- **PC0001**: A computer running Windows 11 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain.
- **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain.
- Client name: PC0001
- IP Address: DHCP
- **PC0002**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios.
- **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios.
- Client name: PC0002
- IP Address: DHCP
- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 10 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively.
- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively.
#### Storage requirements
### Storage requirements
MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:), you will need to adjust some procedures in this guide to specify the C: drive instead of the D: drive.
#### Hyper-V requirements
### Hyper-V requirements
If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 8.1, Windows 10, or Windows 11 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](../windows-10-poc.md#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V.
If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](../windows-10-poc.md#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V.
#### Network requirements
### Network requirements
All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
#### Domain credentials
### Domain credentials
The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.
@ -88,7 +71,7 @@ The following generic credentials are used in this guide. You should replace the
**Domain administrator username**: administrator<br>
**Domain administrator password**: pass@word1
#### Organizational unit structure
### Organizational unit structure
The following OU structure is used in this guide. Instructions are provided [below](#create-the-ou-structure) to help you create the required OUs.
@ -101,8 +84,11 @@ These steps assume that you have the MDT01 member server running and configured
On **MDT01**:
Visit the [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder):
- [The Windows ADK](https://go.microsoft.com/fwlink/?linkid=2165884)
- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2166133)
- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042)
- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112)
- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334)
- (Optional) [The MDT_KB4564442 patch for BIOS firmware](https://download.microsoft.com/download/3/0/6/306AC1B2-59BE-43B8-8C65-E141EF287A5E/KB4564442/MDT_KB4564442.exe)
- This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you do not need this patch.
>[!TIP]
>You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).
@ -110,9 +96,12 @@ Visit the [Download and install the Windows ADK](/windows-hardware/get-started/a
1. On **MDT01**, ensure that you are signed in as an administrator in the CONTOSO domain.
- For the purposes of this guide, we are using a Domain Admin account of **administrator** with a password of <b>pass@word1</b>. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials.
2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step.
3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully.
3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step.
4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file.
- You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later.
5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/en-us/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch.
## Install and initialize WDS
## Install and initialize Windows Deployment Services (WDS)
On **MDT01**:
@ -141,7 +130,7 @@ To install WSUS on MDT01, enter the following at an elevated Windows PowerShell
>[!NOTE]
>MDT installation requires the following:
>- The Windows ADK (installed in the previous procedure)
>- The Windows ADK for Windows 10 (installed in the previous procedure)
>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
>- Microsoft .NET Framework
@ -149,10 +138,8 @@ On **MDT01**:
1. Visit the [MDT resource page](/mem/configmgr/mdt/) and click **Download MDT**.
2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01.
3. Save the [MDT update](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) to D:\\Downloads\\MDT folder on MDT01.
- **Note**: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work.
4. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings.
5. If you are using MDT version 8456, download, extract, and update MDT per the instructions on [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This will update **Microsoft.BDD.Utility.dll** from version 6.3.8456.1000 to 6.3.8456.1001.
3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings.
## Create the OU structure
@ -231,8 +218,6 @@ If you have the Active Directory Users and Computers console open you can refres
## Create and share the logs folder
Switch back to the MDT01 computer.
By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
On **MDT01**:
@ -265,5 +250,13 @@ After installing the ConfigMgrTools.msi file, you can search for **cmtrace** and
## Next steps
When you have completed all the steps in this section to prepare for deployment, see [Create a Windows 11 reference image](create-a-windows-11-reference-image.md).
When you have completed all the steps in this section to prepare for deployment, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
## Appendix
**Sample files**
The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell.
- [Gather.ps1](/samples/browse/?redirectedfrom=TechNet-Gallery). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.

60
windows/deployment/deploy-windows-mdt/refresh-a-windows-10-computer-with-windows-11.md → windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
View File

@ -1,6 +1,6 @@
---
title: Refresh a Windows 10 computer with Windows 11 (Windows 11)
description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 10 computer to a Windows 11 computer using the computer refresh process.
title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
ms.reviewer:
manager: dougeby
@ -16,18 +16,17 @@ author: greg-lindsay
ms.topic: article
---
# Refresh a Windows 10 computer with Windows 11
# Refresh a Windows 7 computer with Windows 10
**Applies to**
- Windows 10
- Windows 11
- Windows 10
This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 10 computer to a Windows 11 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/).
This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/).
For the purposes of this topic, we will use three computers: DC01, MDT01, and PC0001.
- DC01 is a domain controller for the contoso.com domain.
- MDT01 is domain member server that hosts your deployment share.
- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to Windows 11, with data and settings restored. The example used here is a computer running Windows 10, version 1909.
- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1.
Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
@ -39,7 +38,7 @@ The computers used in this topic.
A computer refresh is not the same as an in-place upgrade because a computer refresh involves exporting user data and settings then wiping the device before installing a fresh OS and restoring the user's data and settings.
For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK), to migrate user data and settings. To complete a computer refresh you will:
For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
1. Back up data and settings locally, in a backup folder.
2. Wipe the partition, except for the backup folder.
@ -49,8 +48,8 @@ For a computer refresh with MDT, you use the User State Migration Tool (USMT), w
During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
> [!NOTE]
> In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario.
>[!NOTE]
>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario.
### Multi-user migration
@ -58,8 +57,8 @@ By default, ScanState in USMT backs up all profiles on the machine, including lo
For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
> [!NOTE]
> You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
>[!NOTE]
>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
### Support for additional settings
@ -69,32 +68,29 @@ In addition to the command-line switches that control which profiles to migrate,
Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment for a small number of computers. You will need to update the deployment share after changing this setting.
## Refresh a Windows 10 client
## Refresh a Windows 7 SP1 client
In these section, we assume that you have already performed the prerequisite procedures in the following topics, so that you have a deployment share named **MDTProduction$** on MDT01:
- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
- [Create a Windows 11 reference image](create-a-windows-11-reference-image.md)
- [Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to Windows 11. For demonstration purposes, we will refreshing a Windows 10 PC to Windows 11.
> [!IMPORTANT]
> The computer refresh process can be used to install Windows 11 on a device that doesn't meet Windows 11 hardware requirements, resulting in an unsupported configuration. Before upgrading to Windows 11, verify that the device meets [Windows 11 hardware requirements](/windows/whats-new/windows-11-requirements).
It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we will refreshing a Windows 7 SP1 PC to Windows 10, version 1909.
### Upgrade (refresh) a Windows 10 client
### Upgrade (refresh) a Windows 7 SP1 client
> [!IMPORTANT]
> Domain join details [specified in the deployment share rules](deploy-a-windows-11-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 10 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-11-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer.
>[!IMPORTANT]
>Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer.
1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**.
2. Complete the deployment guide using the following settings:
* Select a task sequence to execute on this computer: Windows 11 Enterprise x64 Custom Image
* Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
* Computer name: &lt;default&gt;
* Specify where to save a complete computer backup: Do not back up the existing computer
> [!NOTE]
> Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run.
>[!NOTE]
>Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run.
* Select one or more applications to install: Install - Adobe Reader
![Computer refresh.](../images/fig2-taskseq.png "Start the computer refresh")
@ -102,23 +98,23 @@ It is also assumed that you have a domain member client computer named PC0001 in
4. Setup starts and does the following:
* Backs up user settings and data using USMT.
* Installs the Windows 11 Enterprise x64 operating system.
* Installs the Windows 10 Enterprise x64 operating system.
* Installs any added applications.
* Updates the operating system using your local Windows Server Update Services (WSUS) server (if applicable).
* Updates the operating system using your local Windows Server Update Services (WSUS) server.
* Restores user settings and data using USMT.
5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example:
![monitor deployment.](../images/monitor-pc0001.png)
6. After the refresh process completes, sign in to the Windows 11 computer and verify that user accounts, data and settings were migrated.
6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated.
## Related topics
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)<br>
[Create a Windows 11 reference image](create-a-windows-11-reference-image.md)<br>
[Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md)<br>
[Build a distributed environment for Windows 11 deployment](build-a-distributed-environment-for-windows-deployment.md)<br>
[Replace a Windows 10 computer with a Windows 11 computer](replace-a-windows-10-computer-with-a-windows-11-computer.md)<br>
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)<br>
[Configure MDT settings](configure-mdt-settings.md)

36
windows/deployment/deploy-windows-mdt/replace-a-windows-10-computer-with-a-windows-11-computer.md → windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
View File

@ -1,13 +1,13 @@
---
title: Replace a Windows 10 computer with a Windows 11 computer (Windows 11)
description: In this article, you will learn how to replace a Windows 10 device with a Windows 11 device.
title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10)
description: In this article, you will learn how to replace a Windows 7 device with a Windows 10 device.
ms.custom: seo-marvel-apr2020
ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a
ms.reviewer:
manager: dougeby
ms.author: greglin
keywords: deploy, deployment, replace
ms.prod: w11
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
@ -17,19 +17,18 @@ author: greg-lindsay
ms.topic: article
---
# Replace a Windows 10 computer with a Windows 11 computer
# Replace a Windows 7 computer with a Windows 10 computer
**Applies to**
- Windows 10
- Windows 11
- Windows 10
A computer replace scenario for Windows 11 is quite similar to a computer refresh for Windows 11. However, because you are replacing a device, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings.
A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10. However, because you are replacing a device, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings.
For the purposes of this topic, we will use four computers: DC01, MDT01, PC0002, and PC0007.
- DC01 is a domain controller for the contoso.com domain.
- MDT01 is domain member server that hosts your deployment share.
- PC0002 is an old computer running Windows 10 that will be replaced by PC0007.
- PC0007 is a new computer will have the Windows 11 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain.
- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007.
- PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain.
For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
@ -49,7 +48,7 @@ On **MDT01**:
1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, click **Properties**, and then click the **Rules** tab.
2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
3. Right-click **MDT Production** and click **Update Deployment Share**. Click **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default setttings.
3. Right-click **MDT Production** and click **Update Deployment Share**. Click **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default settings.
### Create and share the MigData folder
@ -82,7 +81,7 @@ On **MDT01**:
During a computer replace, these are the high-level steps that occur:
1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup.
1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup.
2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
### Run the replace task sequence
@ -97,8 +96,8 @@ On **PC0002**:
* Specify where to save your data and settings: Specify a location
* Location: \\\\MDT01\\MigData$\\PC0002
> [!NOTE]
> If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
>[!NOTE]
>If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
2. Specify where to save a complete computer backup: Do not back up the existing computer
@ -152,16 +151,15 @@ On **HV01**:
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
* Restores the USMT backup from PC0002.
You can view progress of the process by clicking the Monitoring node in the Deployment Workbrench on MDT01.
You can view progress of the process by clicking the Monitoring node in the Deployment Workbench on MDT01.
![Monitor progress.](../images/mdt-replace.png)
## Related topics
[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
[Create a Windows 11 reference image](create-a-windows-11-reference-image.md)<br>
[Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md)<br>
[Build a distributed environment for Windows 11 deployment](build-a-distributed-environment-for-windows-deployment.md)<br>
[Refresh a Windows 10 computer with Windows 11](refresh-a-windows-10-computer-with-windows-11.md)<br>
[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
[Configure MDT settings](configure-mdt-settings.md)

4
windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
View File

@ -19,10 +19,6 @@ ms.custom: seo-marvel-mar2020
# Set up MDT for BitLocker
**Applies to**
- Windows 10
- Windows 11
This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:
- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you can also use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password.

48
windows/deployment/deploy-windows-mdt/simulate-a-windows-11-deployment-in-a-test-environment.md → windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
View File

@ -1,12 +1,12 @@
---
title: Simulate a Windows 11 deployment in a test environment (Windows 11)
description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 11 deployment using MDT.
title: Simulate a Windows 10 deployment in a test environment (Windows 10)
description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT.
ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c
ms.reviewer:
manager: dougeby
ms.author: greglin
keywords: deploy, script
ms.prod: w11
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
@ -16,11 +16,7 @@ author: greg-lindsay
ms.topic: article
---
# Simulate a Windows 11 deployment in a test environment
**Applies to**
- Windows 10
- Windows 11
# Simulate a Windows 10 deployment in a test environment
This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it is most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you are using a domain-joined client.
@ -29,8 +25,8 @@ This topic will walk you through the process of creating a simulated environment
- A Windows 10 client named **PC0001** will be used to simulate deployment. The client is joined to the contoso.com domain and has access to the Internet to required download tools and scripts.
- It is assumed that you have performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share:
- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
- [Create a Windows 11 reference image](create-a-windows-11-reference-image.md)
- [Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md)
- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
## Simulate deployment
@ -39,23 +35,21 @@ On **PC0001**:
1. Sign as **contoso\\Administrator**.
2. Copy the following to a PowerShell script named gather.ps1 and copy it to a directory named **C:\MDT** on PC0001.
```
# Check for elevation
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
[Security.Principal.WindowsBuiltInRole] "Administrator"))
{
Write-Warning "Oupps, you need to run this script from an elevated PowerShell prompt!`nPlease start the PowerShell prompt as an Administrator and re-run the script."
Write-Warning "Aborting script..."
Break
}
cls
if (Test-Path -Path "C:\MININT") {Write-Host "C:\MININT exists, deleting...";Remove-Item C:\MININT -Recurse}
cscript.exe ZTIGather.wsf /debug:true
# Optional, comment out if you want the script to open the log in CMTrace
& "C:\MDT\CMTrace" C:\MININT\SMSOSD\OSDLOGS\ZTIGather.log
```
```powershell
# Check for elevation
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
[Security.Principal.WindowsBuiltInRole] "Administrator"))
{
Write-Warning "Oupps, you need to run this script from an elevated PowerShell prompt!`nPlease start the PowerShell prompt as an Administrator and re-run the script."
Write-Warning "Aborting script..."
Break
}
cls
if (Test-Path -Path "C:\MININT") {Write-Host "C:\MININT exists, deleting...";Remove-Item C:\MININT -Recurse}
cscript.exe ZTIGather.wsf /debug:true
# Optional, comment out if you want the script to open the log in CMTrace
& "C:\MDT\CMTrace" C:\MININT\SMSOSD\OSDLOGS\ZTIGather.log
```
3. Download and install the free [Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool.
4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group.

114
windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md Normal file
View File

@ -0,0 +1,114 @@
---
title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
ms.reviewer:
manager: dougeby
ms.author: greglin
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro
author: greg-lindsay
ms.topic: article
---
# Perform an in-place upgrade to Windows 10 with MDT
**Applies to**
- Windows 10
The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
>[!TIP]
>In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple.
In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you cannot use a custom image to perform the in-place upgrade. In this article we will add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade.
Three computers are used in this topic: DC01, MDT01, and PC0002.
- DC01 is a domain controller for the contoso.com domain
- MDT01 is a domain member server
- PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade
![computers.](../images/mdt-upgrade.png)
The computers used in this topic.
>[!NOTE]
>For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
>If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source).
## Create the MDT production deployment share
On **MDT01**:
1. Ensure you are signed on as: contoso\administrator.
2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
## Add Windows 10 Enterprise x64 (full source)
>If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section.
On **MDT01**:
1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01.
2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**.
3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
- Full set of source files
- Source directory: (location of your source files)
- Destination directory name: <b>W10EX64RTM</b>
5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**.
## Create a task sequence to upgrade to Windows 10 Enterprise
On **MDT01**:
1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: W10-X64-UPG
- Task sequence name: Windows 10 Enterprise x64 RTM Upgrade
- Template: Standard Client Upgrade Task Sequence
- Select OS: Windows 10 Enterprise x64 RTM Default Image
- Specify Product Key: Do not specify a product key at this time
- Organization: Contoso
- Admin Password: Do not specify an Administrator password at this time
## Perform the Windows 10 upgrade
To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded).
On **PC0002**:
1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**
2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**.
3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader
4. On the **Ready** tab, click **Begin** to start the task sequence.
When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
![upgrade1.](../images/upgrademdt-fig5-winupgrade.png)
<br>
![upgrade2.](../images/mdt-upgrade-proc.png)
<br>
![upgrade3.](../images/mdt-post-upg.png)
After the task sequence completes, the computer will be fully upgraded to Windows 10.
## Related topics
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)<br>
[Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/)

134
windows/deployment/deploy-windows-mdt/upgrade-to-windows-11-with-the-microsoft-deployment-toolkit.md
View File

@ -1,134 +0,0 @@
---
title: Perform an in-place upgrade to Windows 11 with MDT (Windows 11)
description: The simplest path to upgrade PCs that are currently running an earlier version of Windows client to Windows 11 is through an in-place upgrade.
ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
ms.reviewer:
manager: dougeby
ms.author: greglin
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
audience: itpro
author: greg-lindsay
ms.topic: article
---
# Perform an in-place upgrade to Windows 11 with MDT
**Applies to**
- Windows 10
- Windows 11
The simplest path to upgrade PCs that are currently running an earlier version of Windows client to Windows 11 is through an in-place upgrade.
> [!TIP]
> In-place upgrade is the preferred method to use when migrating to a newer version of the same OS, or upgrading to a new OS. This is especially true when you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple.
In-place upgrade differs from [computer refresh](refresh-a-windows-10-computer-with-windows-11.md) in that you cannot use a custom image to perform the in-place upgrade. In this article we will add a default Windows 11 image to the production deployment share specifically to perform an in-place upgrade.
> [!IMPORTANT]
> Windows 11 setup will block the upgrade process on devices that do not meet [Windows 11 hardware requirements](/windows/whats-new/windows-11-requirements). Be sure to verify that your device meets these requirements before attempting to upgrade to Windows 11.
Three computers are used in this topic: DC01, MDT01, and PC0002.
- DC01 is a domain controller for the contoso.com domain
- MDT01 is a domain member server
- PC0002 is a domain member computer running Windows 10, targeted for the Windows 11 upgrade
![computers.](../images/mdt-upgrade.png)
The computers used in this topic.
> [!NOTE]
> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
> If you have already completed all the steps in [Deploy a Windows 11 image using MDT](deploy-a-windows-11-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 11 Enterprise x64 (full source)](#add-windows-11-enterprise-x64-full-source).
## Create the MDT production deployment share
On **MDT01**:
1. Ensure you are signed on as: contoso\administrator.
2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
## Add Windows 11 Enterprise x64 (full source)
> If you have already have a Windows 11 [reference image](create-a-windows-11-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section.
![copy reference image.](../images/mdt-copy-image.png)
Copying the reference image to the production deployment share
If you copy the reference image using the above process, you should verify that all the files on MDT01 in **D:\\MDTBuildLab\\Operating Systems\\W11EX64** were successfully copied to **D:\\MDTProduction\\Operating Systems\\W11EX64** and then skip to [Create a task sequence to upgrade to Windows 11 Enterprise](#create-a-task-sequence-to-upgrade-to-windows11-enterprise).
On **MDT01**:
1. Sign in as contoso\\administrator and copy the content of a Windows 11 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 11 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01.
2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**.
3. Right-click the **Operating Systems** node, and create a new folder named **Windows 11**.
4. Expand the **Operating Systems** node, right-click the **Windows 11** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
- Full set of source files
- Source directory: (location of your source files)
- Destination directory name: <b>W11EX64</b>
5. After adding the operating system, in the **Operating Systems / Windows 11** folder, double-click it and change the name to: **Windows 11 Enterprise x64 Default Image**.
## Create a task sequence to upgrade to Windows 11 Enterprise
On **MDT01**:
1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 11**.
2. Right-click the new **Windows 11** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: W11-X64-UPG
- Task sequence name: Windows 11 Enterprise x64 Upgrade
- Template: Standard Client Upgrade Task Sequence
- Select OS: Windows 11 Enterprise x64 Default Image
- Specify Product Key: Do not specify a product key at this time
- Organization: Contoso
- Admin Password: Do not specify an Administrator password at this time
### Specify additional command line options
Before running the upgrade task sequence, an additional step is required if you are upgrading to Windows 11. This step is not necessary if you are upgrading to Windows 10.
The **/EULA accept** command line option is required starting with Windows 11. For more information, see [Windows Setup command-line options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#eula). To add this command line option:
1. In the Windows 11 Enterprise x64 Upgrade task sequence that you just created, in the Preparation section, click **Add** > **General** > **Set Task Sequence Variable** and provide the following values:
- Name: WindowsUpgradeAdditionalOptions
- Task Sequence Variable: WindowsUpgradeAdditionalOptions
- Value: /EULA accept
2. Make the Set Task Sequence Variable step the first step in the Preparation phase by moving it up above the other steps. See the following example:
![Specify EULA](../images/windowsupgradeadditionaloptions.png)
Using the WindowsUpgradeAdditionalOptions variable to set command line options.
## Perform the Windows 11 upgrade
To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded).
On **PC0002**:
1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**
2. Select the **Windows 11 Enterprise x64 Upgrade** task sequence, and then click **Next**.
3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader
4. On the **Ready** tab, click **Begin** to start the task sequence.
When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
![upgrade1.](../images/upgrademdt-fig5-winupgrade.png)
<br>
After the task sequence completes, the computer will be fully upgraded to Windows 11.
## Related topics
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)<br>
[Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/)

6
windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
View File

@ -1,5 +1,5 @@
---
title: Use Orchestrator runbooks with MDT (Windows 11)
title: Use Orchestrator runbooks with MDT (Windows 10)
description: Learn how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
ms.reviewer:
@ -18,10 +18,6 @@ ms.topic: article
# Use Orchestrator runbooks with MDT
**Applies to**
- Windows 10
- Windows 11
This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required.

8
windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-deployment-information.md → windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
View File

@ -1,6 +1,6 @@
---
title: Use MDT database to stage Windows 11 deployment info (Windows 11)
description: Learn how to use the MDT database to pre-stage information on your Windows 11 deployment in a Microsoft SQL Server 2012 SP1 Express database.
title: Use MDT database to stage Windows 10 deployment info (Windows 10)
description: Learn how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database.
ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46
ms.reviewer:
manager: dougeby
@ -18,10 +18,6 @@ ms.topic: article
# Use the MDT database to stage Windows 10 deployment information
**Applies to**
- Windows 10
- Windows 11
This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many additional settings for the machines.
## <a href="" id="sec01"></a>Database prerequisites

10
windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
View File

@ -1,12 +1,12 @@
---
title: Use web services in MDT (Windows 11)
description: Learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 11 deployment.
title: Use web services in MDT (Windows 10)
description: Learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
ms.reviewer:
manager: dougeby
ms.author: greglin
keywords: deploy, web apps
ms.prod: w11
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.pagetype: mdt
@ -18,10 +18,6 @@ ms.topic: article
# Use web services in MDT
**Applies to**
- Windows 10
- Windows 11
In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Simply put, web services are web applications that run code on the server side, and MDT has built-in functions to call these web services.
Using a web service in MDT is straightforward, but it does require that you have enabled the Web Server (IIS) role on the server. Developing web services involves a little bit of coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web.

BIN
windows/deployment/images/acroread.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 186 KiB

After

Width:  |  Height:  |  Size: 53 KiB

BIN
windows/deployment/images/captureimage.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 207 KiB

After

Width:  |  Height:  |  Size: 31 KiB

BIN
windows/deployment/images/deployment-workbench01.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 242 KiB

After

Width:  |  Height:  |  Size: 76 KiB

BIN
windows/deployment/images/fig2-importedos.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 299 KiB

After

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/deployment/images/fig2-taskseq.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 382 KiB

After

Width:  |  Height:  |  Size: 258 KiB

BIN
windows/deployment/images/fig4-oob-drivers.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 272 KiB

After

Width:  |  Height:  |  Size: 63 KiB

BIN
windows/deployment/images/fig5-selectprofile.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 288 KiB

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/deployment/images/fig6-taskseq.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 315 KiB

After

Width:  |  Height:  |  Size: 39 KiB

BIN
windows/deployment/images/fig8-cust-tasks.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 427 KiB

After

Width:  |  Height:  |  Size: 56 KiB

BIN
windows/deployment/images/image-captured.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 103 KiB

After

Width:  |  Height:  |  Size: 54 KiB

BIN
windows/deployment/images/iso-data.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 267 KiB

After

Width:  |  Height:  |  Size: 36 KiB

Some files were not shown because too many files have changed in this diff Show More