From 793d3189658dbc71ef053fefcde7a87e8824ef8d Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 22 Mar 2022 16:57:48 +0530 Subject: [PATCH 01/25] CSP - Windows 11 Updates The updates were made as per Task: 5825705. Thanks! --- .../mdm/accountmanagement-csp.md | 21 +++++++---- windows/client-management/mdm/accounts-csp.md | 29 ++++++++++----- .../client-management/mdm/activesync-csp.md | 35 +++++++++++-------- .../mdm/alljoynmanagement-csp.md | 21 ++++++----- .../client-management/mdm/application-csp.md | 29 +++++++-------- 5 files changed, 79 insertions(+), 56 deletions(-) diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 5f2a7ff230..0c0b0e2501 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -13,8 +13,7 @@ manager: dansimp # AccountManagement CSP - -AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803. +AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803, and later. > [!NOTE] > The AccountManagement CSP is only supported in Windows Holographic for Business edition. @@ -41,7 +40,9 @@ Interior node. **UserProfileManagement/EnableProfileManager** Enable profile lifetime management for shared or communal device scenarios. Default value is false. -Supported operations are Add, Get,Replace, and Delete. Value type is bool. +Supported operations are Add, Get, Replace, and Delete. + +Value type is bool. **UserProfileManagement/DeletionPolicy** Configures when profiles will be deleted. Default value is 1. @@ -52,19 +53,25 @@ Valid values: - 1 - delete at storage capacity threshold - 2 - delete at both storage capacity threshold and profile inactivity threshold -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. + +Value type is integer. **UserProfileManagement/StorageCapacityStartDeletion** Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25. -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. + +Value type is integer. **UserProfileManagement/StorageCapacityStopDeletion** Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50. -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. + +Value type is integer. **UserProfileManagement/ProfileInactivityThreshold** Start deleting profiles when they have not been logged on during the specified period, given as number of days. Default value is 30. -Supported operations are Add, Get,Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 1269c2797e..708435ef91 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -1,6 +1,6 @@ --- title: Accounts CSP -description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, as well as create local Windows accounts & joint them to a group. +description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, as well as create local Windows accounts & join them to a group. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,8 +14,7 @@ manager: dansimp # Accounts Configuration Service Provider -The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803. - +The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803, and later. The following shows the Accounts configuration service provider in tree format. @@ -30,6 +29,16 @@ Accounts ------------LocalUserGroup ``` +The following table shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + **./Device/Vendor/MSFT/Accounts** Root node. @@ -37,7 +46,10 @@ Root node. Interior node for the account domain information. **Domain/ComputerName** -This node specifies the DNS hostname for a device. This setting can be managed remotely, but note that this not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. +This node specifies the DNS hostname for a device. This setting can be managed remotely. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. + +>[!Note] +> The ComputerName node is not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. Available naming macros: @@ -55,15 +67,14 @@ Supported operation is Add. Interior node for the user account information. **Users/_UserName_** -This node specifies the username for a new local user account. This setting can be managed remotely. +This node specifies the username for a new local user account. This setting can be managed remotely. **Users/_UserName_/Password** -This node specifies the password for a new local user account. This setting can be managed remotely. +This node specifies the password for a new local user account. This setting can be managed remotely. -Supported operation is Add. -GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager. +Supported operation is Add. GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager. **Users/_UserName_/LocalUserGroup** -This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. +This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. Supported operation is Add. diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index e69eef0c44..352f05b5be 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -14,19 +14,16 @@ ms.date: 06/26/2017 # ActiveSync CSP - The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status. Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported. > [!NOTE] -> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path. +> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path. -On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in. +On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the `./Vendor/MSFT/ActiveSync` path will work if the user is logged in. The CSP fails when no user is logged in. -The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term. - - +The `./Vendor/MSFT/ActiveSync path` is deprecated, but will continue to work in the short term. The following shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. @@ -62,17 +59,25 @@ ActiveSync ``` +The following table shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + **./User/Vendor/MSFT/ActiveSync** The root node for the ActiveSync configuration service provider. > [!NOTE] -> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path. +> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the `./User/Vendor/MSFT/ActiveSync` path. -On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in. +On the desktop, only per user configuration `./User/Vendor/MSFT/ActiveSync` is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in. -The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term. - - +The `./Vendor/MSFT/ActiveSync` path is deprecated, but will continue to work in the short term. The supported operation is Get. @@ -86,7 +91,7 @@ Defines a specific ActiveSync account. A globally unique identifier (GUID) must Supported operations are Get, Add, and Delete. -When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account. +When managing over OMA DM, ensure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account. Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example: @@ -264,7 +269,6 @@ Required. A character string that specifies the name of the content type. > [!NOTE] > In Windows 10, this node is currently not working. - Supported operations are Get, Replace, and Add (cannot Add after the account is created). When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected. @@ -275,7 +279,9 @@ Node for mail body type and email age filter. **Policies/MailBodyType** Required. Specifies the email body type: HTML or plain. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +Value type is string. + +Supported operations are Add, Get, Replace, and Delete. **Policies/MaxMailAgeFilter** Required. Specifies the time window used for syncing mail items to the device. @@ -284,7 +290,6 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index 26bcc2dda6..c9aa7bdcde 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -14,17 +14,14 @@ ms.date: 06/26/2017 # AllJoynManagement CSP - -The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration. +The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (`com.microsoft.alljoynmanagement.config`). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration. > [!NOTE] > The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core). -This CSP was added in Windows 10, version 1511. +This CSP was added in Windows 10, version 1511, and later. - - -For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). +For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). The following shows the AllJoynManagement configuration service provider in tree format @@ -64,7 +61,7 @@ The following list describes the characteristics and parameters. The root node for the AllJoynManagement configuration service provider. **Services** -List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included. +List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "`com.microsoft.alljoynmanagement.config`" are included. **Services/***Node name* The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects. @@ -81,7 +78,7 @@ The set of configurable interfaces that are available on the port of the AllJoyn **Services/*Node name*/Port/*Node name*/CfgObject/***Node name* The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum. -For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig. +For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "`\\FabrikamService\\BridgeConfig`" would be specified in the URI as: `%2FFabrikamService%2FBridgeConfig`. **Credentials** This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node. @@ -89,7 +86,7 @@ This is the credential store. An administrator can set credentials for each AllJ When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase. **Credentials/***Node name* -This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID. +This is the same service ID specified in `\\AllJoynManagement\\Services\\ServiceID` URI. It is typically implemented as a GUID. **Credentials/*Node name*/Key** An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard. @@ -105,7 +102,6 @@ Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enable ## Examples - Set adapter configuration ```xml @@ -128,7 +124,10 @@ SyncML xmlns="SYNCML:SYNCML1.2"> ``` -You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. Note that the data is base-64 encoded representation of the configuration file that you are setting. +You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. + +>[!Note] +> The data is base-64 encoded representation of the configuration file that you are setting. Get PIN data diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index 728e4dcda3..798049c967 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -14,14 +14,25 @@ ms.date: 06/26/2017 # APPLICATION configuration service provider - The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. -OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. The following list shows the supported transports. +OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. -- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md) +The following table shows the applicability of Windows: -- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md) +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +The following list shows the supported transports: + +- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md) + +- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md) The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document. @@ -29,15 +40,5 @@ For the device to decode correctly, provisioning XML that contains the APPLICATI ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) -  - -  - - - - - - From 908e4e5408c518ca24b42bd4b34e1bb0c012c22d Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 22 Mar 2022 17:00:22 +0530 Subject: [PATCH 02/25] Updated --- windows/client-management/mdm/accountmanagement-csp.md | 2 +- windows/client-management/mdm/alljoynmanagement-csp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 0c0b0e2501..e0bd1525e7 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -13,7 +13,7 @@ manager: dansimp # AccountManagement CSP -AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803, and later. +AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803. > [!NOTE] > The AccountManagement CSP is only supported in Windows Holographic for Business edition. diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index c9aa7bdcde..12181e1cac 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -19,7 +19,7 @@ The AllJoynManagement configuration service provider (CSP) allows an IT administ > [!NOTE] > The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core). -This CSP was added in Windows 10, version 1511, and later. +This CSP was added in Windows 10, version 1511. For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). From ec9254239271252ccdd2d1886c2fb516c16ebeb7 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Thu, 24 Mar 2022 10:47:11 +0530 Subject: [PATCH 03/25] CSP Improvement & Windows 11 Updates --- .../mdm/accountmanagement-csp.md | 4 ++ windows/client-management/mdm/accounts-csp.md | 29 ++++---- .../client-management/mdm/activesync-csp.md | 20 +++--- .../mdm/alljoynmanagement-csp.md | 10 +-- .../client-management/mdm/application-csp.md | 14 ++-- .../mdm/applicationcontrol-csp.md | 42 ++++++++---- .../client-management/mdm/applocker-csp.md | 67 ++++++++++--------- .../mdm/assignedaccess-csp.md | 25 +++++-- .../mdm/cellularsettings-csp.md | 12 +++- .../mdm/certificatestore-csp.md | 25 ++++--- 10 files changed, 154 insertions(+), 94 deletions(-) diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index e0bd1525e7..6fc42bf1c8 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -75,3 +75,7 @@ Value type is integer. Start deleting profiles when they have not been logged on during the specified period, given as number of days. Default value is 30. Supported operations are Add, Get, Replace, and Delete. Value type is integer. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 708435ef91..f1e17f5cd4 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -11,8 +11,17 @@ ms.reviewer: manager: dansimp --- -# Accounts Configuration Service Provider +# Accounts CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803, and later. @@ -29,16 +38,6 @@ Accounts ------------LocalUserGroup ``` -The following table shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - **./Device/Vendor/MSFT/Accounts** Root node. @@ -72,9 +71,13 @@ This node specifies the username for a new local user account. This setting can **Users/_UserName_/Password** This node specifies the password for a new local user account. This setting can be managed remotely. -Supported operation is Add. GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager. +Supported operation is Add. GET operation isn't supported. This setting will report as failed when deployed from the Endpoint Manager. **Users/_UserName_/LocalUserGroup** -This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. +This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. Supported operation is Add. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 352f05b5be..bb6bd752f3 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -14,6 +14,16 @@ ms.date: 06/26/2017 # ActiveSync CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status. Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported. @@ -59,16 +69,6 @@ ActiveSync ``` -The following table shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - **./User/Vendor/MSFT/ActiveSync** The root node for the ActiveSync configuration service provider. diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index 12181e1cac..35e89b67a3 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -21,7 +21,7 @@ The AllJoynManagement configuration service provider (CSP) allows an IT administ This CSP was added in Windows 10, version 1511. -For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). +For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). The following shows the AllJoynManagement configuration service provider in tree format @@ -67,7 +67,7 @@ List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects. **Services/*Node name*/Port** -The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports. +The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it's possible to specify additional ports. **Services/*Node name*/Port/***Node name* Port number used for communication. This is specified by the configurable AllJoyn object and reflected here. @@ -86,7 +86,7 @@ This is the credential store. An administrator can set credentials for each AllJ When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase. **Credentials/***Node name* -This is the same service ID specified in `\\AllJoynManagement\\Services\\ServiceID` URI. It is typically implemented as a GUID. +This is the same service ID specified in `\\AllJoynManagement\\Services\\ServiceID` URI. It's typically implemented as a GUID. **Credentials/*Node name*/Key** An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard. @@ -166,7 +166,9 @@ Get the firewall PrivateProfile ``` - +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index 798049c967..b935548199 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -1,5 +1,5 @@ --- -title: APPLICATION configuration service provider +title: APPLICATION CSP description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099 ms.reviewer: @@ -12,13 +12,9 @@ author: dansimp ms.date: 06/26/2017 --- -# APPLICATION configuration service provider +# APPLICATION CSP -The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. - -OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. - -The following table shows the applicability of Windows: +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | @@ -28,6 +24,10 @@ The following table shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| +The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. + +OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. + The following list shows the supported transports: - w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 648d9c245f..cabf6a14e7 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -13,7 +13,18 @@ ms.date: 09/10/2020 # ApplicationControl CSP -Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. + Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. The following shows the ApplicationControl CSP in tree format. @@ -43,6 +54,7 @@ ApplicationControl ----TenantID ----DeviceID ``` + **./Vendor/MSFT/ApplicationControl** Defines the root node for the ApplicationControl CSP. @@ -73,7 +85,7 @@ An interior node that contains the nodes that describe the policy indicated by t Scope is dynamic. Supported operation is Get. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version** -This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing use a uint64 as the containing data type. +This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing uses a uint64 as the containing data type. Scope is dynamic. Supported operation is Get. @@ -113,7 +125,7 @@ The following table provides the result of this policy based on different values |IsAuthorized | IsDeployed | IsEffective | Resultant | |------------ | ---------- | ----------- | --------- | -|True|True|True|Policy is currently running and in effect.| +|True|True|True|Policy is currently running and is in effect.| |True|True|False|Policy requires a reboot to take effect.| |True|False|True|Policy requires a reboot to unload from CI.| |False|True|True|Not Reachable.| @@ -122,14 +134,14 @@ The following table provides the result of this policy based on different values |False|False|True|Not Reachable.| |False|False|False|*Not Reachable.| -\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail. +\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the `END_COMMAND_PROCESSING` will result in a fail. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status** This node specifies whether the deployment of the policy indicated by the GUID was successful. Scope is dynamic. Supported operation is Get. -Value type is integer. Default value is 0 == OK. +Value type is integer. Default value is 0 = OK. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName** This node provides the friendly name of the policy indicated by the policy GUID. @@ -140,15 +152,15 @@ Value type is char. ## Microsoft Endpoint Manager (MEM) Intune Usage Guidance -For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). +For customers using Intune standalone or hybrid management with Microsoft Endpoint Manager Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune). ## Generic MDM Server Usage Guidance In order to leverage the ApplicationControl CSP without using Intune, you must: 1. Know a generated policy's GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. -2. Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. -3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command-line tool. +2. Convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet in order to be deployed. The binary policy may be signed or unsigned. +3. Create a policy node (a Base64-encoded blob of the binary policy representation) using the `certutil -encode` command-line tool. Below is a sample certutil invocation: @@ -171,7 +183,7 @@ To deploy base policy and supplemental policies: 1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. 2. Repeat for each base or supplemental policy (with its own GUID and data). -The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD). +The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy supplements and does'nt need to be reflected in the ADD). #### Example 1: Add first base policy @@ -257,7 +269,7 @@ The following is an example of Get command: #### Rebootless Deletion -Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. +Upon deletion, policies deployed via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at `C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml`) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactivate the policy on the next reboot. #### Unsigned Policies @@ -293,8 +305,8 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi ### Setup for using the WMI Bridge -1. Convert your WDAC policy to Base64 -2. Open PowerShell in Local System context (through PSExec or something similar) +1. Convert your WDAC policy to Base64. +2. Open PowerShell in Local System context (through PSExec or something similar). 3. Use WMI Interface: ```powershell @@ -315,4 +327,8 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa ```powershell Get-CimInstance -Namespace $namespace -ClassName $policyClassName -``` \ No newline at end of file +``` + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 61070859fe..4b2ed6a6c1 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -14,6 +14,15 @@ ms.date: 11/19/2019 # AppLocker CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked. @@ -74,16 +83,14 @@ Defines restrictions for applications. > [!NOTE] > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. - -> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. +> +> Delete/unenrollment is not properly supported, unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. > [!NOTE] -> The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI. - -Additional information: +> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI. **AppLocker/ApplicationLaunchRestrictions/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. Supported operations are Get, Add, Delete, and Replace. @@ -96,14 +103,14 @@ Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy** Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. -Data type is string. +Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode** The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). -The data type is a string. +The data type is a string. Supported operations are Get, Add, Delete, and Replace. @@ -206,31 +213,34 @@ Data type is Base64. Supported operations are Get, Add, Delete, and Replace. > [!NOTE] -> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP. +> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP. **AppLocker/EnterpriseDataProtection** Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). -In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. +In Windows 10, version 1607, the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. You can set the allowed list using the following URI: + - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy You can set the exempt list using the following URI. The _Grouping_ string must contain the keyword "EdpExempt" anywhere to help distinguish the exempt list from the allowed list. The "EdpExempt" keyword is also evaluated in a case-insensitive manner: + - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/EXE/Policy - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/StoreApps/Policy Exempt examples: + - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/ContosoEdpExempt/EXE/Policy - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/xxxxxEdpExemptxxxxx/EXE/Policy Additional information: -- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. +- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. **AppLocker/EnterpriseDataProtection/_Grouping_** -Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define. +Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job is to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. Supported operations are Get, Add, Delete, and Replace. @@ -259,15 +269,17 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. -1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). -2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. +**To find Publisher and PackageFullName of apps:** + +1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). +2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. The **Device Portal** page opens on your browser. ![device portal screenshot.](images/applocker-screenshot1.png) -3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. -4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. +3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. +4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. ![device portal app manager.](images/applocker-screenshot3.png) @@ -279,9 +291,9 @@ The following table shows the mapping of information to the AppLocker publisher |Device portal data|AppLocker publisher rule field| |--- |--- | -|PackageFullName|ProductName

The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.| +|PackageFullName|ProductName: The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.| |Publisher|Publisher| -|Version|Version

This can be used either in the HighSection or LowSection of the BinaryVersionRange.

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.| +|Version|Version: This can be used either in the HighSection or LowSection of the BinaryVersionRange.

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.| Here is an example AppLocker publisher rule: @@ -293,13 +305,13 @@ Here is an example AppLocker publisher rule: You can get the publisher name and product name of apps using a web API. -**To find publisher and product name for Microsoft apps in Microsoft Store for Business** +**To find publisher and product name for Microsoft apps in Microsoft Store for Business:** -1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote. +1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote. -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**. +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is [https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl](https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl), and you'd copy the ID value: **9wzdncrfhvjl**. -3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. +3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. Request URI: @@ -332,10 +344,8 @@ Result |publisherCertificateName|Publisher| |windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

This value will only be present if there is a XAP package associated with the app in the Store.

If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| - ## Settings apps that rely on splash apps - These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. The product name is first part of the PackageFullName followed by the version number. @@ -359,17 +369,13 @@ The product name is first part of the PackageFullName followed by the version nu | SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 | - ## Inbox apps and components - The following list shows the apps that may be included in the inbox. > [!NOTE] > This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience. - - |App|Product ID|Product name| |--- |--- |--- | |3D Viewer|f41647c9-d567-4378-b2ab-7924e5a152f3|Microsoft.Microsoft3DViewer (Added in Windows 10, version 1703)| @@ -1022,6 +1028,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo ``` ## Example for Windows 10 Holographic for Business + The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable a working device, as well as Settings. ```xml @@ -1277,7 +1284,8 @@ The following example for Windows 10 Holographic for Business denies all apps an ``` ## Recommended deny list for Windows Information Protection -The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. + +The following example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. In this example, Contoso is the node name. We recommend using a GUID for this node. @@ -1460,5 +1468,4 @@ In this example, Contoso is the node name. We recommend using a GUID for this no ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index fd89c3803d..7a204f04d3 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -14,6 +14,16 @@ ms.date: 09/18/2018 # AssignedAccess CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) @@ -24,7 +34,7 @@ In Windows 10, version 1709, the AssignedAccess configuration service provider ( > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. > [!Note] -> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. +> If the application calls `KeyCredentialManager.IsSupportedAsync` when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select an appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. > [!Note] > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. @@ -45,14 +55,14 @@ AssignedAccess Root node for the CSP. **./Device/Vendor/MSFT/AssignedAccess/KioskModeApp** -A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app). +A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app). For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) > [!Note] -> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. +> In Windows 10, version 1803, the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. > -> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. +> Starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. > [!Note] > You cannot set both KioskModeApp and ShellLauncher at the same time on the device. @@ -80,7 +90,7 @@ For a local account, the domain name should be the device name. When Get is exec The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. **./Device/Vendor/MSFT/AssignedAccess/Configuration** -Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here's the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). Enterprises can use this to easily configure and manage the curated lockdown experience. @@ -426,7 +436,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. ``` -Here's the schema for new features introduced in Windows 10 1809 release +Here's the schema for new features introduced in Windows 10 1809 release: ```xml @@ -473,6 +483,7 @@ Here's the schema for new features introduced in Windows 10 1809 release ``` Schema for Windows 10 prerelease + ```xml [!Note] -> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. +> Starting in Windows 10, version 1703, the CellularSettings CSP is supported in Windows 10 and Windows 11 Home, Pro, Enterprise, and Education editions. The following shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol isn't supported with this configuration service provider. diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 11079b3ac6..253d908516 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -14,13 +14,23 @@ ms.date: 02/28/2020 # CertificateStore CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates. > [!Note] > The CertificateStore configuration service provider does not support installing client certificates. > The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. -For the CertificateStore CSP, you cannot use the Replace command unless the node already exists. +For the CertificateStore CSP, you cannot use the Replace command, unless the node already exists. The following shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. @@ -259,7 +269,7 @@ Optional. OID of certificate template name. Supported operations are Get, Add, and Delete. **My/SCEP/*UniqueID*/Install/KeyLength** -Required for enrollment. Specify private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified. +Required for enrollment. Specifies private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified. Supported operations are Get, Add, Delete, and Replace. @@ -343,7 +353,7 @@ Required. Returns the URL of the SCEP server that responded to the enrollment re Supported operation is Get. **My/WSTEP** -Required for MDM enrolled device. The parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node. +Required for MDM enrolled device. Specifies the parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node. Supported operation is Get. @@ -358,12 +368,10 @@ Optional. Specifies the URL of certificate renewal server. If this node doesn't > [!NOTE] > The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service. - - Supported operations are Add, Get, Delete, and Replace. **My/WSTEP/Renew/RenewalPeriod** -Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. +Optional. specifies the time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. The default value is 42 and the valid values are 1 – 1000. Value type is an integer. @@ -414,7 +422,7 @@ Optional. If certificate renewal fails, this integer value indicates the HRESULT Supported operation is Get. **My/WSTEP/Renew/LastRenewalAttemptTime** -Added in Windows 10, version 1607. Time of the last attempted renewal. +Added in Windows 10, version 1607. Specifies the time of the last attempted renewal. Supported operation is Get. @@ -424,7 +432,7 @@ Added in Windows 10, version 1607. Initiates a renewal now. Supported operation is Execute. **My/WSTEP/Renew/RetryAfterExpiryInterval** -Added in Windows 10, version 1703. How long after the enrollment certificate has expired before trying to renew. +Added in Windows 10, version 1703. Specifies how long after the enrollment certificate has expired before trying to renew. Supported operations are Add, Get, and Replace. @@ -698,7 +706,6 @@ Configure the device to automatically renew an MDM client certificate with the s ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) From da5393064979391ff945a627e006df658db69789 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Thu, 24 Mar 2022 10:50:43 +0530 Subject: [PATCH 04/25] Update accounts-ddf-file.md --- windows/client-management/mdm/accounts-ddf-file.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md index 9d91061818..224b4c6594 100644 --- a/windows/client-management/mdm/accounts-ddf-file.md +++ b/windows/client-management/mdm/accounts-ddf-file.md @@ -11,8 +11,7 @@ ms.reviewer: manager: dansimp --- -# Accounts CSP - +# Accounts DDF file This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider. From 89d4342e9b6ffbc498d345dd6d0f407d11d90419 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 25 Mar 2022 09:12:59 +0530 Subject: [PATCH 05/25] CSP: Windows 11 Updates-part3 --- windows/client-management/mdm/cleanpc-csp.md | 10 + .../mdm/cm-cellularentries-csp.md | 34 ++-- windows/client-management/mdm/cmpolicy-csp.md | 17 +- windows/client-management/mdm/wifi-csp.md | 35 ++-- .../mdm/win32appinventory-csp.md | 11 +- .../mdm/win32compatibilityappraiser-csp.md | 154 +++++++++------ .../windowsadvancedthreatprotection-csp.md | 97 +++++---- .../mdm/windowsautopilot-csp.md | 17 +- .../windowsdefenderapplicationguard-csp.md | 187 ++++++++++++------ .../mdm/windowslicensing-csp.md | 86 ++++---- 10 files changed, 402 insertions(+), 246 deletions(-) diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index 57298ac676..c6c0b2d293 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -13,6 +13,16 @@ manager: dansimp # CleanPC CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703. The following shows the CleanPC configuration service provider in tree format. diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index c333660f0f..7a057f91e2 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -14,6 +14,16 @@ ms.date: 08/02/2017 # CM\_CellularEntries CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The CM\_CellularEntries configuration service provider is used to configure the General Packet Radio Service (GPRS) entries on the device. It defines each GSM data access point. This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application. @@ -76,13 +86,13 @@ Optional. Type: String. Specifies the type of connection used for the APN. The f |Cdma|Used for CDMA type connections (1XRTT + EVDO).| |Lte|Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.| |Legacy|Used for GPRS + GSM + EDGE + UMTS connections.| -|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi| -|Iwlan|Used for connections that are implemented over WiFi offload only| +|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi.| +|Iwlan|Used for connections that are implemented over WiFi offload only.| **Desc.langid** Optional. Specifies the UI display string used by the defined language ID. -A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as Desc.0409 with a value of "GPRS Connection" will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no Desc parameter is provisioned for a given language, the system will default to the name used to create the entry. +A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry. **Enabled** Specifies if the connection is enabled. @@ -110,7 +120,7 @@ Optional. Specifies if the connection requires a corresponding mappings policy. A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present. -For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. +For example, if the multimedia messaging service (MMS) APN does not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. **Version** Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider. @@ -131,7 +141,7 @@ Optional. Type: Int. This parameter specifies the roaming conditions under which - 5 - Roaming only. **OEMConnectionID** -Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices. +Optional. Type: GUID. Specifies a GUID that is used to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices. **ApnId** Optional. Type: Int. Specifies the purpose of the APN. If a value isn't specified, the default value is "0" (none). This parameter is only used on LTE devices. @@ -145,7 +155,7 @@ Optional. Type: String. Specifies the network protocol of the connection. Availa **ExemptFromDisablePolicy** Added back in Windows 10, version 1511.Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value isn't specified, the default value is "0" (not exempt). -To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. +To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection, and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. >[!Note] > Sending MMS while roaming is still not allowed. @@ -174,7 +184,7 @@ Optional. Type: Int. Specifies how long an on-demand connection can be unused be > If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds. **SimIccId** -For single SIM phones, this parm isOptional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection. +For single SIM phones, this parm is Optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection. **PurposeGroups** Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available: @@ -271,17 +281,7 @@ The following table shows the Microsoft custom elements that this configuration |Characteristic-query|Yes| |Parm-query|Yes| - ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index d37ac364ec..3cf035b06c 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -14,13 +14,21 @@ ms.date: 06/26/2017 # CMPolicy CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request. > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. - Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies **Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. @@ -134,7 +142,6 @@ Specifies the type of connection being referenced. The following list describes ## OMA client provisioning examples - Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. ```xml @@ -180,7 +187,9 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo ``` -Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. +Adding a host-based mapping policy: + +In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. ```xml @@ -364,7 +373,6 @@ Adding a host-based mapping policy: ## Microsoft Custom Elements - |Element|Available| |--- |--- | |parm-query|Yes| @@ -373,7 +381,6 @@ Adding a host-based mapping policy: ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index fecd686326..9e1e9d883b 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -14,6 +14,16 @@ ms.date: 06/18/2019 # WiFi CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + > [!WARNING] > Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. @@ -21,12 +31,12 @@ The WiFi configuration service provider provides the functionality to add or del Programming considerations: -- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider does not provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it is not supported in EAP-TLS. -- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device. -- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported. -- The \*name\_goes\_here*\\ must match \\ *name\_goes\_here*\\. -- For the WiFi CSP, you cannot use the Replace command unless the node already exists. -- Using Proxyis in Windows 10 client editions (Home, Pro, Enterprise, and Education) will result in failure. +- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider does not provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it is not supported in EAP-TLS. +- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device. +- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported. +- The \*name\_goes\_here*\\ must match \\ *name\_goes\_here*\\. +- For the WiFi CSP, you cannot use the Replace command unless the node already exists. +- Using Proxyis in Windows 10 or Windows 11 client editions (Home, Pro, Enterprise, and Education) will result in failure. The following shows the WiFi configuration service provider in tree format. @@ -41,11 +51,10 @@ WiFi ---------WiFiCost ``` - The following list shows the characteristics and parameters. **Device or User profile** -For user profile, use ./User/Vendor/MSFT/Wifi path and for device profile, use ./Device/Vendor/MSFT/Wifi path. +For user profile, use .`/User/Vendor/MSFT/Wifi` path and for device profile, use `./Device/Vendor/MSFT/Wifi` path. **Profile** Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. @@ -94,6 +103,7 @@ Supported operations are Get, Add, Delete, and Replace. --> **DisableInternetConnectivityChecks** + > [!Note] > This node has been deprecated since Windows 10, version 1607. @@ -101,8 +111,8 @@ Added in Windows 10, version 1511. Optional. Disable the internet connectivity c Value type is chr. -- True - internet connectivity check is disabled. -- False - internet connectivity check is enabled. +- True - internet connectivity check is disabled. +- False - internet connectivity check is enabled. Supported operations are Get, Add, Delete, and Replace. @@ -139,7 +149,6 @@ Supported operations are Add, Get, Replace and Delete. Value type is integer. ## Examples - These XML examples show how to perform various tasks using OMA DM. ### Add a network @@ -241,8 +250,4 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetw ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md index 428ed3f3cf..ec27ad59c7 100644 --- a/windows/client-management/mdm/win32appinventory-csp.md +++ b/windows/client-management/mdm/win32appinventory-csp.md @@ -14,6 +14,15 @@ ms.date: 06/26/2017 # Win32AppInventory CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The Win32AppInventory configuration service provider is used to provide an inventory of installed applications on a device. @@ -69,7 +78,7 @@ The supported operation is Get. **Win32InstalledProgram/_InstalledProgram_/RegKey** A string that specifies product code or registry subkey. -For MSI-based applications this is the product code. +For MSI-based applications, this is the product code. For applications found in Add/Remove Programs, this is the registry subkey. diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md index 015e95075d..f2a5fc1a7b 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md @@ -11,7 +11,17 @@ ms.reviewer: manager: dansimp --- -# Win32CompatibilityAppraiser CSP +# Win32CompatibilityAppraiser CSP + +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -45,52 +55,64 @@ Win32CompatibilityAppraiser ------------MostRestrictiveSetting --------WerConnectionReport ``` + **./Vendor/MSFT/Win32CompatibilityAppraiser** The root node for the Win32CompatibilityAppraiser configuration service provider. **CompatibilityAppraiser** This represents the state of the Compatibility Appraiser. - **CompatibilityAppraiser/AppraiserConfigurationDiagnosis** This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data. - **CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialId** The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded. -Value type is string. Supported operation is Get. +Value type is string. + +Supported operation is Get. **CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialIdSetAndValid** A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces. -Value type is bool. Supported operation is Get. +Value type is bool. + +Supported operation is Get. **CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AllTargetOsVersionsRequested** -A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked. +A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked. -Value type is bool. Supported operation is Get. +Value type is bool. + +Supported operation is Get. **CompatibilityAppraiser/AppraiserConfigurationDiagnosis/OsSkuIsValidForAppraiser** A boolean value indicating whether the current Windows SKU is able to run the Compatibility Appraiser. -Value type is bool. Supported operation is Get. +Value type is bool. + +Supported operation is Get. **CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AppraiserCodeAndDataVersionsAboveMinimum** An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. -The values are: -- 0 == Neither the code nor data is of a sufficient version -- 1 == The code version is insufficient but the data version is sufficient -- 2 == The code version is sufficient but the data version is insufficient -- 3 == Both the code and data are of a sufficient version +The values are: + +- 0 == Neither the code nor data is of a sufficient version +- 1 == The code version is insufficient but the data version is sufficient +- 2 == The code version is sufficient but the data version is insufficient +- 3 == Both the code and data are of a sufficient version -Value type is integer. Supported operation is Get. +Value type is integer. + +Supported operation is Get. **CompatibilityAppraiser/AppraiserConfigurationDiagnosis/RebootPending** -A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent. +A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent. -Value type is bool. Supported operation is Get. +Value type is bool. + +Supported operation is Get. **CompatibilityAppraiser/AppraiserRunResultReport** This provides an XML representation of the last run of Appraiser and the last runs of Appraiser of certain types or configurations. @@ -106,45 +128,58 @@ This represents various settings that affect whether the Universal Telemetry Cli **UniversalTelemetryClient/UtcConfigurationDiagnosis/TelemetryOptIn** An integer value representing what level of telemetry will be uploaded. -Value type is integer. Supported operation is Get. +Value type is integer. -The values are: -- 0 == Security data will be sent -- 1 == Basic telemetry will be sent -- 2 == Enhanced telemetry will be sent -- 3 == Full telemetry will be sent +Supported operation is Get. + +The values are: + +- 0 == Security data will be sent. +- 1 == Basic telemetry will be sent. +- 2 == Enhanced telemetry will be sent. +- 3 == Full telemetry will be sent. **UniversalTelemetryClient/UtcConfigurationDiagnosis/CommercialDataOptIn** An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. -Value type is integer. Supported operation is Get. +Value type is integer. -The values are: -- 0 == Setting is disabled -- 1 == Setting is enabled -- 2 == Setting is not applicable to this version of Windows +Supported operation is Get. + +The values are: + +- 0 == Setting is disabled. +- 1 == Setting is enabled. +- 2 == Setting is not applicable to this version of Windows. **UniversalTelemetryClient/UtcConfigurationDiagnosis/DiagTrackServiceRunning** -A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data. +A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data. -Value type is bool. Supported operation is Get. +Value type is bool. + +Supported operation is Get. **UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled** -A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. +A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. -Value type is bool. Supported operation is Get. +Value type is bool. + +Supported operation is Get. **UniversalTelemetryClient/UtcConfigurationDiagnosis/InternetExplorerTelemetryOptIn** -An integer value representing what websites Internet Explorer will collect telemetry data for. +An integer value representing what websites Internet Explorer will collect telemetry data for. -Value type is integer. Supported operation is Get. +Value type is integer. -The values are: -- 0 == Telemetry collection is disabled -- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones -- 2 == Telemetry collection is enabled for internet websites and restricted website zones -- 3 == Telemetry collection is enabled for all websites -- 0x7FFFFFFF == Telemetry collection is not configured +Supported operation is Get. + +The values are: + +- 0 == Telemetry collection is disabled. +- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones. +- 2 == Telemetry collection is enabled for internet websites and restricted website zones. +- 3 == Telemetry collection is enabled for all websites. +- 0x7FFFFFFF == Telemetry collection is not configured. **UniversalTelemetryClient/UtcConnectionReport** This provides an XML representation of the UTC connections during the most recent summary period. @@ -160,26 +195,31 @@ This represents various settings that affect whether the Windows Error Reporting **WindowsErrorReporting/WerConfigurationDiagnosis/WerTelemetryOptIn** An integer value indicating the amount of WER data that will be uploaded. -Value type integer. Supported operation is Get. +Value type is integer. -The values are: -- 0 == Data will not send due to UTC opt-in -- 1 == Data will not send due to WER opt-in -- 2 == Basic WER data will send but not the complete set of data -- 3 == The complete set of WER data will send +Supported operation is Get. +The values are: + +- 0 == Data will not send due to UTC opt-in. +- 1 == Data will not send due to WER opt-in. +- 2 == Basic WER data will send but not the complete set of data. +- 3 == The complete set of WER data will send. **WindowsErrorReporting/WerConfigurationDiagnosis/MostRestrictiveSetting** An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. -Value type integer. Supported operation is Get. +Value type is integer. -The values are: -- 0 == System telemetry settings are restricting uploads -- 1 == WER basic policies are restricting uploads -- 2 == WER advanced policies are restricting uploads -- 3 == WER consent policies are restricting uploads -- 4 == There are no restrictive settings +Supported operation is Get. + +The values are: + +- 0 == System telemetry settings are restricting upload. +- 1 == WER basic policies are restricting uploads. +- 2 == WER advanced policies are restricting uploads. +- 3 == WER consent policies are restricting uploads. +- 4 == There are no restrictive settings. **WindowsErrorReporting/WerConnectionReport** This provides an XML representation of the most recent WER connections of various types. @@ -190,7 +230,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind ### Appraiser run result report -``` +```xml @@ -362,7 +402,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind ### UTC connection report -``` +```xml @@ -440,7 +480,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind ### Windows Error Reporting connection report -``` +```xml @@ -638,3 +678,7 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind ``` + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index c8bd5266d0..6e8395ab55 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -14,6 +14,15 @@ ms.date: 11/01/2017 # WindowsAdvancedThreatProtection CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. @@ -40,102 +49,101 @@ WindowsAdvancedThreatProtection The following list describes the characteristics and parameters. **./Device/Vendor/MSFT/WindowsAdvancedThreatProtection** -

The root node for the Windows Defender Advanced Threat Protection configuration service provider. +The root node for the Windows Defender Advanced Threat Protection configuration service provider. -

Supported operation is Get. +Supported operation is Get. **Onboarding** -

Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. +Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. -

The data type is a string. +The data type is a string. -

Supported operations are Get and Replace. +Supported operations are Get and Replace. **HealthState** -

Node that represents the Windows Defender Advanced Threat Protection health state. +Node that represents the Windows Defender Advanced Threat Protection health state. **HealthState/LastConnected** -

Contains the timestamp of the last successful connection. +Contains the timestamp of the last successful connection. -

Supported operation is Get. +Supported operation is Get. **HealthState/SenseIsRunning** -

Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. +Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. -

The default value is false. +The default value is false. -

Supported operation is Get. +Supported operation is Get. **HealthState/OnboardingState** -

Represents the onboarding state. +Represents the onboarding state. -

Supported operation is Get. +Supported operation is Get. -

The following list shows the supported values: +The following list shows the supported values: -- 0 (default) – Not onboarded. -- 1 – Onboarded +- 0 (default) – Not onboarded. +- 1 – Onboarded **HealthState/OrgId** -

String that represents the OrgID. +String that represents the OrgID. -

Supported operation is Get. +Supported operation is Get. **Configuration** -

Represents Windows Defender Advanced Threat Protection configuration. +Represents Windows Defender Advanced Threat Protection configuration. **Configuration/SampleSharing** -

Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. +Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. -

The following list shows the supported values: +The following list shows the supported values: - 0 – None - 1 (default)– All -

Supported operations are Get and Replace. +Supported operations are Get and Replace. **Configuration/TelemetryReportingFrequency** -

Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency. +Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency. -

The following list shows the supported values: +The following list shows the supported values: -- 1 (default) – Normal -- 2 - Expedite +- 1 (default) – Normal +- 2 - Expedite -

Supported operations are Get and Replace. +Supported operations are Get and Replace. **Offboarding** -

Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. +Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. -

The data type is a string. +The data type is a string. -

Supported operations are Get and Replace. +Supported operations are Get and Replace. **DeviceTagging** -

Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. +Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. -

Supported operations is Get. +Supported operations is Get. **DeviceTagging/Group** -

Added in Windows 10, version 1709. Device group identifiers. +Added in Windows 10, version 1709. Device group identifiers. -

The data type is a string. +The data type is a string. -

Supported operations are Get and Replace. +Supported operations are Get and Replace. **DeviceTagging/Criticality** -

Added in Windows 10, version 1709. Asset criticality value. Supported values: +Added in Windows 10, version 1709. Asset criticality value. Supported values: - 0 - Normal - 1 - Critical -

The data type is an integer. +The data type is an integer. -

Supported operations are Get and Replace. +Supported operations are Get and Replace. ## Examples - ```xml @@ -246,15 +254,4 @@ The following list describes the characteristics and parameters. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index b50c42c129..2bcfeacc12 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -14,11 +14,20 @@ ms.date: 02/07/2022 # WindowsAutoPilot CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.” with “The WindowsAutopilot CSP exposes Windows Autopilot related device information.” Because the CSP description should be more general/high level. +The WindowsAutopilot CSP exposes Windows Autopilot related device information. The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot. **./Vendor/MSFT/WindowsAutopilot** @@ -27,3 +36,7 @@ Root node. Supported operation is Get. **HardwareMismatchRemediationData** Interior node. Supported operation is Get. Collects hardware information about a device and returns it as an encoded string. This string is used as input for calling Windows Autopilot Service to remediate a device if the device underwent a hardware change that affects its ability to use Windows Autopilot. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index e489b9b6cd..2c369a5a20 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -13,9 +13,20 @@ manager: dansimp # WindowsDefenderApplicationGuard CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709. The following shows the WindowsDefenderApplicationGuard configuration service provider in tree format. + ``` ./Device/Vendor/MSFT WindowsDefenderApplicationGuard @@ -36,6 +47,7 @@ WindowsDefenderApplicationGuard ----Audit --------AuditApplicationGuard ``` + **./Device/Vendor/MSFT/WindowsDefenderApplicationGuard** Root node. Supported operation is Get. @@ -43,30 +55,37 @@ Root node. Supported operation is Get. Interior node. Supported operation is Get. **Settings/AllowWindowsDefenderApplicationGuard** -Turn on Microsoft Defender Application Guard in Enterprise Mode. +Turn on Microsoft Defender Application Guard in Enterprise Mode. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. + +Supported operations are Add, Get, Replace, and Delete. The following list shows the supported values: -- 0 - Disable Microsoft Defender Application Guard -- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY -- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004) -- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004) + +- 0 - Disable Microsoft Defender Application Guard. +- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY. +- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004). +- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004). **Settings/ClipboardFileType** -Determines the type of content that can be copied from the host to Application Guard environment and vice versa. +Determines the type of content that can be copied from the host to Application Guard environment and vice versa. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. + +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. The following list shows the supported values: + - 1 - Allow text copying. - 2 - Allow image copying. - 3 - Allow text and image copying. -ADMX Info: +ADMX Info: + - GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings* - GP name: *AppHVSIClipboardFileType* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -76,21 +95,25 @@ ADMX Info: **Settings/ClipboardSettings** This policy setting allows you to decide how the clipboard behaves while in Application Guard. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. + +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +The following list shows the supported values: -The following list shows the supported values: - 0 (default) - Completely turns Off the clipboard functionality for the Application Guard. - 1 - Turns On clipboard operation from an isolated session to the host. - 2 - Turns On clipboard operation from the host to an isolated session. - 3 - Turns On clipboard operation in both the directions. > [!IMPORTANT] -> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. +> Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. -ADMX Info: +ADMX Info: + - GP Friendly name: *Configure Microsoft Defender Application Guard clipboard settings* - GP name: *AppHVSIClipboardSettings* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -98,13 +121,16 @@ ADMX Info: **Settings/PrintingSettings** -This policy setting allows you to decide how the print functionality behaves while in Application Guard. +This policy setting allows you to decide how the print functionality behaves while in Application Guard. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. -The following list shows the supported values: +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +The following list shows the supported values: + - 0 (default) - Disables all print functionality. - 1 - Enables only XPS printing. - 2 - Enables only PDF printing. @@ -123,7 +149,8 @@ The following list shows the supported values: - 15 - Enables all printing. -ADMX Info: +ADMX Info: + - GP Friendly name: *Configure Microsoft Defender Application Guard print settings* - GP name: *AppHVSIPrintingSettings* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -133,11 +160,14 @@ ADMX Info: **Settings/BlockNonEnterpriseContent** This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. -The following list shows the supported values: +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +The following list shows the supported values: + - 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. - 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. @@ -145,7 +175,8 @@ The following list shows the supported values: > This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled. -ADMX Info: +ADMX Info: + - GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer* - GP name: *BlockNonEnterpriseContent* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -155,16 +186,20 @@ ADMX Info: **Settings/AllowPersistence** This policy setting allows you to decide whether data should persist across different sessions in Application Guard. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. -The following list shows the supported values: +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +The following list shows the supported values: + - 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off. - 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. -ADMX Info: +ADMX Info: + - GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard* - GP name: *AllowPersistence* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -172,15 +207,18 @@ ADMX Info: **Settings/AllowVirtualGPU** -Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. +Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. + +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. -The following list shows the supported values: +The following list shows the supported values: + - 0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0). - 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container. @@ -188,7 +226,8 @@ The following list shows the supported values: > Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device. -ADMX Info: +ADMX Info: + - GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard* - GP name: *AllowVirtualGPU* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -196,18 +235,22 @@ ADMX Info: **Settings/SaveFilesToHost** -Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. This also enables users to elect files on the host operating system and upload it through Edge in the container. +Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files from container to the host operating system. This also enables users to elect files on the host operating system and upload it through Edge in the container. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. -The following list shows the supported values: +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +The following list shows the supported values: + - 0 (default) - The user cannot download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy is not configured, it is the same as disabled (0). - 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system. -ADMX Info: +ADMX Info: + - GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard* - GP name: *SaveFilesToHost* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -217,9 +260,11 @@ ADMX Info: **Settings/CertificateThumbprints** Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +Value type is string. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. + +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer. @@ -229,7 +274,8 @@ b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda92 If you disable or don’t configure this setting, certificates are not shared with the Microsoft Defender Application Guard container. -ADMX Info: +ADMX Info: + - GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device* - GP name: *CertificateThumbprints* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -242,15 +288,18 @@ ADMX Info: **Settings/AllowCameraMicrophoneRedirection** Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. + +This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user’s device. If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device. -The following list shows the supported values: +The following list shows the supported values: + - 0 (default) - Microsoft Defender Application Guard cannot access the device’s camera and microphone. When the policy is not configured, it is the same as disabled (0). - 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone. @@ -258,7 +307,8 @@ The following list shows the supported values: > If you turn on this policy setting, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed. -ADMX Info: +ADMX Info: + - GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard* - GP name: *AllowCameraMicrophoneRedirection* - GP path: *Windows Components/Microsoft Defender Application Guard* @@ -268,22 +318,26 @@ ADMX Info: **Status** Returns bitmask that indicates status of Application Guard installation for Microsoft Edge and prerequisites on the device. -Value type is integer. Supported operation is Get. +Value type is integer. -- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. -- Bit 1 - Set to 1 when the client machine is Hyper-V capable. -- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. -- Bit 3 - Set to 1 when Application Guard installed on the client machine. -- Bit 4 - Set to 1 when required Network Isolation Policies are configured. - > [!IMPORTANT] - > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge. -- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. -- Bit 6 - Set to 1 when system reboot is required. +Supported operation is Get. + +- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. +- Bit 1 - Set to 1 when the client machine is Hyper-V capable. +- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. +- Bit 3 - Set to 1 when Application Guard installed on the client machine. +- Bit 4 - Set to 1 when required Network Isolation Policies are configured. + > [!IMPORTANT] + > If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge. +- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. +- Bit 6 - Set to 1 when system reboot is required. **PlatformStatus** Added in Windows 10, version 2004. Applies to Microsoft Office/Generic platform. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. -Value type is integer. Supported operation is Get. +Value type is integer. + +Supported operation is Get. - Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. - Bit 1 - Set to 1 when the client machine is Hyper-V capable. @@ -297,7 +351,8 @@ Initiates remote installation of Application Guard feature. Supported operations are Get and Execute. -The following list shows the supported values: +The following list shows the supported values: + - Install - Will initiate feature install. - Uninstall - Will initiate feature uninstall. @@ -305,20 +360,28 @@ The following list shows the supported values: Interior node. Supported operation is Get. **Audit/AuditApplicationGuard** -This policy setting allows you to decide whether auditing events can be collected from Application Guard. +This policy setting allows you to decide whether auditing events can be collected from Application Guard. -Value type in integer. Supported operations are Add, Get, Replace, and Delete. +Value type in integer. -This policy setting is supported on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. +Supported operations are Add, Get, Replace, and Delete. -The following list shows the supported values: +This policy setting is supported on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode. + +The following list shows the supported values: + - 0 (default) - Audit event logs aren't collected for Application Guard. - 1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container. -ADMX Info: +ADMX Info: + - GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard* - GP name: *AuditApplicationGuard* - GP path: *Windows Components/Microsoft Defender Application Guard* - GP ADMX file name: *AppHVSI.admx* + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 20530b3267..056fae1e4e 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -14,6 +14,16 @@ ms.date: 08/15/2018 # WindowsLicensing CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -40,6 +50,7 @@ WindowsLicensing --------SwitchFromSMode (Added in Windows 10, version 1809) --------Status (Added in Windows 10, version 1809) ``` + **./Device/Vendor/MSFT/WindowsLicensing** This is the root node for the WindowsLicensing configuration service provider. @@ -51,21 +62,17 @@ Enters a product key for an edition upgrade of Windows 10 desktop devices. > [!NOTE] > This upgrade process requires a system restart. - - The date type is a chr. The supported operation is Exec. -When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or, after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart. +When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart. After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. > [!IMPORTANT] > If another policy requires a system reboot that occurs when **changepk.exe** is running, the edition upgrade will fail. - - If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and **changepk.exe** runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. @@ -75,24 +82,22 @@ This node can also be used to activate or change a product key on a particular e > [!IMPORTANT] > The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. - - The following are valid edition upgrade paths when using this node through an MDM: -- Windows 10 Enterprise to Windows 10 Education -- Windows 10 Home to Windows 10 Education -- Windows 10 Pro to Windows 10 Education -- Windows 10 Pro to Windows 10 Enterprise +- Windows 10/Windows 11 Enterprise to Windows 10/ Windows 11 Education +- Windows 10/Windows 11 Home to Windows 10/Windows 11 Education +- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Education +- Windows 10/Windows 11 Pro to Windows 10/Windows 11 Enterprise Activation or changing a product key can be carried out on the following editions: -- Windows 10 Education -- Windows 10 Enterprise -- Windows 10 Home -- Windows 10 Pro +- Windows 10/Windows 11 Education +- Windows 10/Windows 11 Enterprise +- Windows 10/Windows 11 Home +- Windows 10/Windows 11 Pro **Edition** -Returns a value that maps to the Windows 10 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. +Returns a value that maps to the Windows 10 or Windows 11 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. The data type is an Int. @@ -101,11 +106,11 @@ The supported operation is Get. **Status** Returns the status of an edition upgrade on Windows devices. The status corresponds to one of the following values: -- 0 = Failed -- 1 = Pending -- 2 = In progress -- 3 = Completed -- 4 = Unknown +- 0 = Failed +- 1 = Pending +- 2 = In progress +- 3 = Completed +- 4 = Unknown The data type is an Int. @@ -136,23 +141,23 @@ The following are valid edition upgrade paths when using this node through an MD --> **LicenseKeyType** -Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change. +Returns the parameter type used by Windows 10 or Windows 11 devices for an edition upgrade, activation, or product key change. -- Windows 10 client devices require a product key. +- Windows 10 or Windows 11 client devices require a product key. The data type is a chr. The supported operation is Get. **CheckApplicability** -Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 for desktop devices. +Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 or Windows 11 for desktop devices. The data type is a chr. The supported operation is Exec. **ChangeProductKey** -Added in Windows 10, version 1703. Installs a product key for Windows 10 desktop devices. Does not reboot. +Added in Windows 10, version 1703. Installs a product key for Windows 10 or Windows 11 desktop devices. Does not reboot. The data type is a chr. @@ -184,32 +189,37 @@ Interior node for managing S mode. **SMode/SwitchingPolicy** Added in Windows 10, version 1809. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete) -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. -Supported values: -- 0 - No Restriction: The user is allowed to switch the device out of S mode. -- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. +Supported operations are Add, Get, Replace, and Delete. + +Supported values: + +- 0 - No Restriction: The user is allowed to switch the device out of S mode. +- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. **SMode/SwitchFromSMode** Added in Windows 10, version 1809. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute) Supported operation is Execute. -**SMode/Status** +**SMode/Status** Added in Windows 10, version 1809. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example) -Value type is integer. Supported operation is Get. +Value type is integer. + +Supported operation is Get. Values: -- Request fails with error code 404 - no SwitchFromSMode request has been made. -- 0 - The device successfully switched out of S mode -- 1 - The device is processing the request to switch out of S mode -- 3 - The device was already switched out of S mode -- 4 - The device failed to switch out of S mode + +- Request fails with error code 404 - no SwitchFromSMode request has been made. +- 0 - The device successfully switched out of S mode. +- 1 - The device is processing the request to switch out of S mode. +- 3 - The device was already switched out of S mode. +- 4 - The device failed to switch out of S mode. ## SyncML examples - **CheckApplicability** ```xml @@ -235,8 +245,6 @@ Values: > [!NOTE] > `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. - - **Edition** ```xml From 41adbd658676b789ebb12db0d54094fe92c84e9c Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 25 Mar 2022 09:18:53 +0530 Subject: [PATCH 06/25] Resolved comments --- windows/client-management/mdm/applicationcontrol-csp.md | 2 +- windows/client-management/mdm/applocker-csp.md | 2 +- windows/client-management/mdm/cellularsettings-csp.md | 2 +- windows/client-management/mdm/certificatestore-csp.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index cabf6a14e7..daf90cbbe7 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -17,7 +17,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 4b2ed6a6c1..62a83e99c6 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index a58bfbc722..ec815ec6d0 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 253d908516..ba6c37f41f 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| From 29efe5f7958b6f634b7432f2fcc4553dd7a01b08 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 25 Mar 2022 09:44:13 +0530 Subject: [PATCH 07/25] Acrolinx fixes --- .../mdm/applicationcontrol-csp.md | 26 +++++++------- .../client-management/mdm/applocker-csp.md | 34 +++++++++---------- .../mdm/certificatestore-csp.md | 8 ++--- 3 files changed, 34 insertions(+), 34 deletions(-) diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index daf90cbbe7..69126b6352 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -23,7 +23,7 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. +Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot. Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. @@ -92,14 +92,14 @@ Scope is dynamic. Supported operation is Get. Value type is char. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective** -This node specifies whether a policy is actually loaded by the enforcement engine and is in effect on a system. +This node specifies whether a policy is loaded by the enforcement engine and is in effect on a system. Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is actually loaded by the enforcement engine and is in effect on a system. -- False — Indicates that the policy is not loaded by the enforcement engine and is not in effect on a system. This is the default. +- True—Indicates that the policy is loaded by the enforcement engine and is in effect on a system. +- False—Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This is the default. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed** This node specifies whether a policy is deployed on the system and is present on the physical machine. @@ -108,18 +108,18 @@ Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is deployed on the system and is present on the physical machine. -- False — Indicates that the policy is not deployed on the system and is not present on the physical machine. This is the default. +- True—Indicates that the policy is deployed on the system and is present on the physical machine. +- False—Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This is the default. **ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized** -This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy cannot take effect on the system. +This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy can't take effect on the system. Scope is dynamic. Supported operation is Get. Value type is bool. Supported values are as follows: -- True — Indicates that the policy is authorized to be loaded by the enforcement engine on the system. -- False — Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. +- True—Indicates that the policy is authorized to be loaded by the enforcement engine on the system. +- False—Indicates that the policy is not authorized to be loaded by the enforcement engine on the system. This is the default. The following table provides the result of this policy based on different values of IsAuthorized, IsDeployed, and IsEffective nodes: @@ -156,7 +156,7 @@ For customers using Intune standalone or hybrid management with Microsoft Endpoi ## Generic MDM Server Usage Guidance -In order to leverage the ApplicationControl CSP without using Intune, you must: +In order to use the ApplicationControl CSP without using Intune, you must: 1. Know a generated policy's GUID, which can be found in the policy xml as `` or `` for pre-1903 systems. 2. Convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet in order to be deployed. The binary policy may be signed or unsigned. @@ -183,7 +183,7 @@ To deploy base policy and supplemental policies: 1. Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy. 2. Repeat for each base or supplemental policy (with its own GUID and data). -The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy supplements and does'nt need to be reflected in the ADD). +The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy supplements and doesn't need to be reflected in the ADD). #### Example 1: Add first base policy @@ -301,7 +301,7 @@ The following is an example of Delete command: ## PowerShell and WMI Bridge Usage Guidance -The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). +The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md). ### Setup for using the WMI Bridge @@ -317,7 +317,7 @@ The ApplicationControl CSP can also be managed locally from PowerShell or via Mi ### Deploying a policy via WMI Bridge -Run the following command. PolicyID is a GUID which can be found in the policy xml, and should be used here without braces. +Run the following command. PolicyID is a GUID, which can be found in the policy xml, and should be used here without braces. ```powershell New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{ParentID="./Vendor/MSFT/ApplicationControl/Policies";InstanceID="";Policy=$policyBase64} diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 62a83e99c6..a368b2d0ec 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -24,7 +24,7 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked. +The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked. The following shows the AppLocker configuration service provider in tree format. @@ -108,7 +108,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -132,7 +132,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -151,7 +151,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -170,7 +170,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -189,7 +189,7 @@ Data type is string. Supported operations are Get, Add, Delete, and Replace. **AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode** -The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). +The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). The data type is a string. @@ -216,9 +216,9 @@ Supported operations are Get, Add, Delete, and Replace. > To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP. **AppLocker/EnterpriseDataProtection** -Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). +Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). -In Windows 10, version 1607, the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. +In Windows 10, version 1607, the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. You can set the allowed list using the following URI: @@ -237,7 +237,7 @@ Exempt examples: Additional information: -- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. +- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator doesn't accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. **AppLocker/EnterpriseDataProtection/_Grouping_** Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job is to determine what their purpose is, and to not conflict with other identifiers that they define. @@ -271,7 +271,7 @@ Supported operations are Get, Add, Delete, and Replace. **To find Publisher and PackageFullName of apps:** -1. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). +1. On your phone under **Device discovery**, tap **Pair**. You'll get a code (case sensitive). 2. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. The **Device Portal** page opens on your browser. @@ -279,11 +279,11 @@ Supported operations are Get, Add, Delete, and Replace. ![device portal screenshot.](images/applocker-screenshot1.png) 3. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. -4. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. +4. On the **App Manager** page under **Running apps**, you'll see the **Publisher** and **PackageFullName** of apps. ![device portal app manager.](images/applocker-screenshot3.png) -5. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. +5. If you don't see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. ![app manager.](images/applocker-screenshot2.png) @@ -295,7 +295,7 @@ The following table shows the mapping of information to the AppLocker publisher |Publisher|Publisher| |Version|Version: This can be used either in the HighSection or LowSection of the BinaryVersionRange.

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.| -Here is an example AppLocker publisher rule: +Here's an example AppLocker publisher rule: ```xml @@ -319,7 +319,7 @@ Request URI: https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata ``` -Here is the example for Microsoft OneNote: +Here's the example for Microsoft OneNote: Request @@ -342,11 +342,11 @@ Result |--- |--- | |packageIdentityName|ProductName| |publisherCertificateName|Publisher| -|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

This value will only be present if there is a XAP package associated with the app in the Store.

If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| +|windowsPhoneLegacyId|Same value maps to the ProductName and Publisher name.

This value will only be present if there's a XAP package associated with the app in the Store.

If this value is populated, then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and another one using the windowsPhoneLegacyId value.| ## Settings apps that rely on splash apps -These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. +These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. The product name is first part of the PackageFullName followed by the version number. @@ -1285,7 +1285,7 @@ The following example for Windows 10 Holographic for Business denies all apps an ## Recommended deny list for Windows Information Protection -The following example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. +The following example for Windows 10, version 1607, denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator doesn't accidentally make these apps that are Windows Information Protection allowed, and will avoid known compatibility issues related to automatic file encryption with these applications. In this example, Contoso is the node name. We recommend using a GUID for this node. diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index ba6c37f41f..4870706fd5 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -30,7 +30,7 @@ The CertificateStore configuration service provider is used to add secure socket > The CertificateStore configuration service provider does not support installing client certificates. > The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. -For the CertificateStore CSP, you cannot use the Replace command, unless the node already exists. +For the CertificateStore CSP, you can't use the Replace command, unless the node already exists. The following shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. @@ -131,7 +131,7 @@ Supported operation is Get. > CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates. **My/User** -Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. +Defines the certificate store that contains public keys for client certificates. It is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. Supported operation is Get. @@ -139,7 +139,7 @@ Supported operation is Get. > My/User is case sensitive. **My/System** -Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. +Defines the certificate store that contains public key for client certificate. It is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. Supported operation is Get. @@ -371,7 +371,7 @@ Optional. Specifies the URL of certificate renewal server. If this node doesn't Supported operations are Add, Get, Delete, and Replace. **My/WSTEP/Renew/RenewalPeriod** -Optional. specifies the time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. +Optional. specifies the time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. The default value is 42 and the valid values are 1 – 1000. Value type is an integer. From 9ad5a17efaa9e7940e4e65a5877e7ba35ec97b01 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Thu, 31 Mar 2022 10:03:35 +0530 Subject: [PATCH 08/25] CSP impovement : part 2 The updates were made as per Task: 5864419. Thanks! --- .../mdm/accountmanagement-ddf.md | 7 ++- .../mdm/accounts-ddf-file.md | 11 ++-- .../mdm/activesync-ddf-file.md | 14 +---- .../mdm/alljoynmanagement-ddf.md | 14 +---- .../mdm/applicationcontrol-csp-ddf.md | 29 +++++----- .../mdm/applocker-ddf-file.md | 14 +---- .../mdm/assignedaccess-ddf.md | 18 ++----- .../mdm/bitlocker-ddf-file.md | 4 ++ .../mdm/certificatestore-ddf-file.md | 26 ++++----- windows/client-management/mdm/cleanpc-ddf.md | 16 ++---- .../mdm/clientcertificateinstall-csp.md | 24 ++++----- .../mdm/clientcertificateinstall-ddf-file.md | 53 ++++++++----------- .../client-management/mdm/wifi-ddf-file.md | 4 +- .../mdm/win32appinventory-ddf-file.md | 14 +---- .../mdm/win32compatibilityappraiser-ddf.md | 34 ++++++------ .../windowsadvancedthreatprotection-ddf.md | 34 ++++-------- .../mdm/windowsautopilot-ddf-file.md | 8 ++- ...indowsdefenderapplicationguard-ddf-file.md | 10 ++-- .../mdm/windowslicensing-ddf-file.md | 12 +++-- 19 files changed, 139 insertions(+), 207 deletions(-) diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md index c4c26237bc..51380b7ed8 100644 --- a/windows/client-management/mdm/accountmanagement-ddf.md +++ b/windows/client-management/mdm/accountmanagement-ddf.md @@ -13,7 +13,6 @@ manager: dansimp # AccountManagement DDF file - This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider. The XML below is for Windows 10, version 1803. @@ -74,7 +73,7 @@ The XML below is for Windows 10, version 1803. false - Enable profile lifetime mangement for shared or communal device scenarios. + Enable profile lifetime management for shared or communal device scenarios. @@ -198,3 +197,7 @@ The XML below is for Windows 10, version 1803. ``` + +## Related topics + +[AccountManagement configuration service provider](accountmanagement-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md index 9d91061818..5b7cd47d49 100644 --- a/windows/client-management/mdm/accounts-ddf-file.md +++ b/windows/client-management/mdm/accounts-ddf-file.md @@ -1,6 +1,6 @@ --- title: Accounts DDF file -description: XML file containing the device description framework (DDF) for the Accounts configuration service provider. +description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -13,10 +13,9 @@ manager: dansimp # Accounts CSP - This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider. -The XML below is for Windows 10, version 1803. +The XML below is for Windows 10, version 1803 and later. ```xml @@ -157,7 +156,7 @@ The XML below is for Windows 10, version 1803. 1 - This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. + This optional node specifies the local user group that a local user account should be joined. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. @@ -177,3 +176,7 @@ The XML below is for Windows 10, version 1803. ``` + +## Related topics + +[Accounts configuration service provider](accounts-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index dae70c2133..1b592ff96e 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # ActiveSync DDF file - This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -533,7 +532,7 @@ The XML below is the current version for this CSP. - Enables or disables syncing email, contacts, task, and calendar.Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1} + Enables or disables syncing email, contacts, task, and calendar. Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1} @@ -679,15 +678,4 @@ The XML below is the current version for this CSP. ## Related topics - [ActiveSync configuration service provider](activesync-csp.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md index 77494eaf9f..961f8f1183 100644 --- a/windows/client-management/mdm/alljoynmanagement-ddf.md +++ b/windows/client-management/mdm/alljoynmanagement-ddf.md @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # AllJoynManagement DDF - This topic shows the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. This CSP was added in Windows 10, version 1511. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -238,7 +237,7 @@ It is typically implemented as a GUID. - An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard + An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard. @@ -328,15 +327,4 @@ It is typically implemented as a GUID. ## Related topics - [AllJoynManagement configuration service provider](alljoynmanagement-csp.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md index 5c44ba2dc1..2c91bf430b 100644 --- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md @@ -11,13 +11,10 @@ ms.date: 07/10/2019 # ApplicationControl CSP DDF - This topic shows the OMA DM device description framework (DDF) for the **ApplicationControl** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -### ApplicationControl CSP - ```xml - Root Node of the ApplicationControl CSP + Root Node of the ApplicationControl CSP. @@ -73,7 +70,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - The GUID of the Policy + The GUID of the Policy. @@ -97,7 +94,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - The policy binary encoded as base64 + The policy binary encoded as base64. @@ -119,7 +116,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - Information Describing the Policy indicated by the GUID + Information Describing the Policy indicated by the GUID. @@ -140,7 +137,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - Version of the Policy indicated by the GUID, as a string. When parsing use a uint64 as the containing data type + Version of the Policy indicated by the GUID, as a string. When parsing, use a uint64 as the containing data type. @@ -162,7 +159,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - Whether the Policy indicated by the GUID is Effective on the system (loaded by the enforcement engine and in effect) + Whether the Policy indicated by the GUID is effective on the system (loaded by the enforcement engine and in effect). @@ -184,7 +181,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - Whether the Policy indicated by the GUID is deployed on the system (on the physical machine) + Whether the Policy indicated by the GUID is deployed on the system (on the physical machine). @@ -206,7 +203,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system + Whether the Policy indicated by the GUID is authorized to be loaded by the enforcement engine on the system. @@ -228,7 +225,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - The Current Status of the Policy Indicated by the Policy GUID + The Current Status of the Policy Indicated by the Policy GUID. @@ -250,7 +247,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - The FriendlyName of the Policy Indicated by the Policy GUID + The FriendlyName of the Policy Indicated by the Policy GUID. @@ -271,4 +268,8 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic -``` \ No newline at end of file +``` + +## Related topics + +[ApplicationControl configuration service provider](applicationcontrol-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index 7bde68650f..2f322128e5 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # AppLocker DDF file - This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -672,15 +671,4 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic ## Related topics - -[AppLocker configuration service provider](applocker-csp.md) - -  - -  - - - - - - +[AppLocker configuration service provider](applocker-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index c6d84bf203..cfd6b5f4bd 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -1,6 +1,6 @@ --- title: AssignedAccess DDF -description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider. +description: Learn about the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider. ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306 ms.reviewer: manager: dansimp @@ -14,7 +14,6 @@ ms.date: 02/22/2018 # AssignedAccess DDF - This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML. You can download the DDF files from the links below: @@ -22,7 +21,7 @@ You can download the DDF files from the links below: - [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -The XML below is for Windows 10, version 1803. +The XML below is for Windows 10, version 1803 and later. ```xml @@ -119,7 +118,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu - This read only node contains kiosk health event in xml + This read only node contains kiosk health event in xml. @@ -197,15 +196,4 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu ## Related topics - [AssignedAccess configuration service provider](assignedaccess-csp.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 06e6fdd613..db4049e60e 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -937,3 +937,7 @@ Supported Values: String form of request ID. Example format of request ID is GUI ``` + +## Related topics + +[BitLocker configuration service provider](bitlocker-csp.md) diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index da503f9902..e7ebbe235d 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # CertificateStore DDF file - This topic shows the OMA DM device description framework (DDF) for the **CertificateStore** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -458,7 +457,7 @@ The XML below is the current version for this CSP. - The base64 Encoded X.509 certificate. Note that though during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node, properly enroll a client certificate including private needs a cert enroll protocol handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. + The base64 Encoded X.509 certificate. Note that during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node and properly enroll a client certificate including private needs a cert enroll protocol to handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. @@ -585,7 +584,7 @@ The XML below is the current version for this CSP. - This store holds the SCEP portion of the MY store and handle operations related to SCEP certificate enrollment. + This store holds the SCEP portion of the MY store and handles operations related to SCEP certificate enrollment. @@ -627,7 +626,7 @@ The XML below is the current version for this CSP. - The group to represent the install request + The group to represent the install request. @@ -1241,7 +1240,7 @@ The XML below is the current version for this CSP. - If certificate renew fails, this node provide the last hresult code during renew process. + If certificate renew fails, this node provides the last hresult code during renew process. @@ -1262,7 +1261,7 @@ The XML below is the current version for this CSP. - Time of last attempted renew + Time of last attempted renew. @@ -1283,7 +1282,7 @@ The XML below is the current version for this CSP. - Initiate a renew now + Initiate a renew now. @@ -1305,7 +1304,7 @@ The XML below is the current version for this CSP. - How long after the enrollment cert has expiried to keep trying to renew + How long after the enrollment cert has expired to keep trying to renew. @@ -1372,7 +1371,7 @@ The XML below is the current version for this CSP. - The base64 Encoded X.509 certificate + The base64 Encoded X.509 certificate. @@ -1667,11 +1666,6 @@ The XML below is the current version for this CSP. ``` -  - -  - - - - +## Related topics +[CertificateStore configuration service provider](certificatestore-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md index 1f2c1fa3f7..9e4fbdbf1b 100644 --- a/windows/client-management/mdm/cleanpc-ddf.md +++ b/windows/client-management/mdm/cleanpc-ddf.md @@ -34,7 +34,7 @@ The XML below is the current version for this CSP. - Allow removal of user installed and pre-installed applications, with option to persist user data + Allow removal of user installed and pre-installed applications, with option to persist user data. @@ -54,7 +54,7 @@ The XML below is the current version for this CSP. - CleanPC operation without any retention of User data + CleanPC operation without any retention of User data. @@ -75,7 +75,7 @@ The XML below is the current version for this CSP. - CleanPC operation with retention of User data + CleanPC operation with retention of User data. @@ -94,12 +94,6 @@ The XML below is the current version for this CSP. ``` -  - -  - - - - - +## Related topics +[CleanPC configuration service provider](cleanpc-csp.md) diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 2eb4d0d758..a28a841d41 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -1,6 +1,6 @@ --- title: ClientCertificateInstall CSP -description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates. +description: Learn how the ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates. ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7 ms.reviewer: manager: dansimp @@ -19,7 +19,7 @@ The ClientCertificateInstall configuration service provider enables the enterpri For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block. > [!Note] -> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. +> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store, both certificates are sent to the device in the same MDM payload and the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. @@ -99,7 +99,7 @@ The data type is an integer corresponding to one of the following values: | 1 | Install to TPM if present, fail if not present. | | 2 | Install to TPM if present. If not present, fall back to software. | | 3 | Install to software. | -| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified | +| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. | **ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node isn't specified when Windows Hello for Business KSP is chosen, enrollment will fail. @@ -119,7 +119,7 @@ If a blob already exists, the Add operation will fail. If Replace is called on t If Add is called on this node for a new PFX, the certificate will be added. When a certificate doesn't exist, Replace operation on this node will fail. -In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)). **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword** Password that protects the PFX blob. This is required if the PFX is password protected. @@ -133,9 +133,9 @@ Optional. Used to specify whether the PFX certificate password is encrypted with The data type is int. Valid values: -- 0 - Password isn't encrypted. -- 1 - Password is encrypted with the MDM certificate. -- 2 - Password is encrypted with custom certificate. +- 0 - Password isn't encrypted. +- 1 - Password is encrypted with the MDM certificate. +- 2 - Password is encrypted with custom certificate. When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting. @@ -187,7 +187,7 @@ A node required for SCEP certificate enrollment. Parent node to group SCEP cert Supported operations are Get, Add, Replace, and Delete. > [!Note] -> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. +> Although the child nodes under Install supports Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. @@ -322,9 +322,9 @@ Data type is string. Valid values are: -- Days (Default) -- Months -- Years +- Days (Default) +- Months +- Years > [!NOTE] > The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. @@ -608,7 +608,7 @@ Enroll a client certificate through SCEP. ``` -Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate fro "My" store. +Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate from "My" store. ```xml diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 46bb00affa..492a95c621 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -107,7 +107,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha - Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. Supported operations are Get, Add + Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation. Supported operations are Get, Add. Datatype will be int 1- Install to TPM, fail if not present 2 – Install to TPM if present, if not present fallback to Software @@ -138,8 +138,8 @@ Calling Delete on the this node, should delete the certificates and the keys tha Optional. Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. -Format is chr -Supported operations are Get, Add, Delete and Replace +Format is chr. +Supported operations are Get, Add, Delete and Replace. @@ -165,8 +165,8 @@ Supported operations are Get, Add, Delete and Replace Required. CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. -Format is Binary64 -Supported operations are Get, Add, Replace +Format is Binary64. +Supported operations are Get, Add, Replace. If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate @@ -197,7 +197,7 @@ CRYPT_DATA_BLOB on MSDN can be found at https://msdn.microsoft.com/library/windo Required if PFX is password protected. Password that protects the PFX blob. -Format is chr. Supported operations are Add, Get +Format is chr. Supported operations are Add, Get. @@ -228,7 +228,7 @@ If the value is 1- Password is encrypted using the MDM certificate by the MDM server 2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. The datatype for this node is int. -Supported operations are Add, Replace +Supported operations are Add, Replace. @@ -254,7 +254,7 @@ Supported operations are Add, Replace true Optional. Used to specify if the private key installed is exportable (can be exported later). The datatype for this node is bool. -Supported operations are Add, Get +Supported operations are Add, Get. @@ -299,7 +299,7 @@ Supported operations are Add, Get Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. Datatype is int. -Support operations are Get +Support operations are Get. @@ -374,7 +374,7 @@ Support operation are Add, Get and Replace. Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. Format is node. -Supported operations are Get, Add, Delete +Supported operations are Get, Add, Delete. Calling Delete on the this node, should delete the corresponding SCEP certificate @@ -401,7 +401,7 @@ Calling Delete on the this node, should delete the corresponding SCEP certificat Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. Format is node. Supported operation is Add, Delete. -NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. +NOTE: Though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. @@ -570,7 +570,7 @@ SCEP enrolled cert doesn’t support TPM PIN protection. Supported values: Format is int. -Supported operations are Get, Add, Delete, Replace +Supported operations are Get, Add, Delete, Replace. @@ -604,7 +604,7 @@ The min value is 1. Format is int. -Supported operations are Get, Add, Delete noreplace +Supported operations are Get, Add, Delete noreplace. @@ -654,7 +654,7 @@ The min value is 0 which means no retry. Supported operations are Get, Add, Dele - Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace + Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace. @@ -819,7 +819,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio 0 - Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note that the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Format is int. @@ -852,9 +852,9 @@ NOTE: The device only sends the MDM server expected certificate validation perio Optional. Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. -Format is chr +Format is chr. -Supported operations are Get, Add, Delete and Replace +Supported operations are Get, Add, Delete and Replace. @@ -880,9 +880,9 @@ Supported operations are Get, Add, Delete and Replace Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. -Format is chr +Format is chr. -Supported operations are Get, Add, Delete and Replace +Supported operations are Get, Add, Delete and Replace. @@ -1029,9 +1029,9 @@ Supported operation is Get. Required. Returns the URL of the SCEP server that responded to the enrollment request. -Format is String +Format is String. -Supported operation is Get +Supported operation is Get. @@ -1054,15 +1054,4 @@ Supported operation is Get ## Related topics - [ClientCertificateInstall configuration service provider](clientcertificateinstall-csp.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index c64fc0e3c2..cb88b8e71a 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -15,11 +15,11 @@ ms.date: 06/28/2018 # WiFi DDF file > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML. -The XML below is for Windows 10, version 1809. +The XML below is for Windows 10, version 1809 and later. ```xml diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md index a70763abb9..0f56a61d98 100644 --- a/windows/client-management/mdm/win32appinventory-ddf-file.md +++ b/windows/client-management/mdm/win32appinventory-ddf-file.md @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # Win32AppInventory DDF file - This topic shows the OMA DM device description framework (DDF) for the **Win32AppInventory** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -274,15 +273,4 @@ The XML below is the current version for this CSP. ## Related topics - -[Win32AppInventory configuration service provider](win32appinventory-csp.md) - -  - -  - - - - - - +[Win32AppInventory configuration service provider](win32appinventory-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md index 05237311f1..057c668a74 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md @@ -1,6 +1,6 @@ --- title: Win32CompatibilityAppraiser DDF file -description: XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider. +description: Learn about the XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,13 +14,13 @@ manager: dansimp # Win32CompatibilityAppraiser DDF file > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **Win32CompatibilityAppraiser** configuration service provider. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, version 1809. +The XML below is for Windows 10, version 1809 and later. ```xml @@ -98,7 +98,7 @@ The XML below is for Windows 10, version 1809. - The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded. + The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded. @@ -120,7 +120,7 @@ The XML below is for Windows 10, version 1809. - A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces. + A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces. @@ -142,7 +142,7 @@ The XML below is for Windows 10, version 1809. - A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked. + A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked. @@ -186,7 +186,7 @@ The XML below is for Windows 10, version 1809. - An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. The values are: 0 == "Neither the code nor data is of a sufficient version", 1 == "The code version is insufficient but the data version is sufficient", 2 == "The code version is sufficient but the data version is insufficient", and 3 == "Both the code and data are of a sufficient version". + An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data. The values are: 0 == "Neither the code nor data is of a sufficient version", 1 == "The code version is insufficient but the data version is sufficient", 2 == "The code version is sufficient but the data version is insufficient", and 3 == "Both the code and data are of a sufficient version". @@ -208,7 +208,7 @@ The XML below is for Windows 10, version 1809. - A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent. + A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent. @@ -296,7 +296,7 @@ The XML below is for Windows 10, version 1809. - An integer value representing what level of telemetry will be uploaded. The values are: 0 == "Security data will be sent", 1 == "Basic telemetry will be sent", 2 == "Enhanced telemetry will be sent", and 3 == "Full telemetry will be sent". + An integer value representing what level of telemetry will be uploaded. The values are: 0 == "Security data will be sent", 1 == "Basic telemetry will be sent", 2 == "Enhanced telemetry will be sent", and 3 == "Full telemetry will be sent". @@ -318,7 +318,7 @@ The XML below is for Windows 10, version 1809. - An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. The values are: 0 == "Setting is disabled", 1 == "Setting is enabled", and 2 == "Setting is not applicable to this version of Windows". + An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload. The values are: 0 == "Setting is disabled", 1 == "Setting is enabled", and 2 == "Setting is not applicable to this version of Windows". @@ -340,7 +340,7 @@ The XML below is for Windows 10, version 1809. - A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data. + A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data. @@ -362,7 +362,7 @@ The XML below is for Windows 10, version 1809. - A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. + A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. @@ -384,7 +384,7 @@ The XML below is for Windows 10, version 1809. - An integer value representing what websites Internet Explorer will collect telemetry data for. The values are: 0 == "Telemetry collection is disabled", 1 == "Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones", 2 == "Telemetry collection is enabled for internet websites and restricted website zones", 3 == "Telemetry collection is enabled for all websites", and 0x7FFFFFFF == "Telemetry collection is not configured". + An integer value representing what websites Internet Explorer will collect telemetry data for. The values are: 0 == "Telemetry collection is disabled", 1 == "Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones", 2 == "Telemetry collection is enabled for internet websites and restricted website zones", 3 == "Telemetry collection is enabled for all websites", and 0x7FFFFFFF == "Telemetry collection is not configured". @@ -472,7 +472,7 @@ The XML below is for Windows 10, version 1809. - An integer value indicating the amount of WER data that will be uploaded. The values are: 0 == "Data will not send due to UTC opt-in", 1 == "Data will not send due to WER opt-in", 2 == "Basic WER data will send but not the complete set of data", and 3 == "The complete set of WER data will send". + An integer value indicating the amount of WER data that will be uploaded. The values are: 0 == "Data will not send due to UTC opt-in", 1 == "Data will not send due to WER opt-in", 2 == "Basic WER data will send but not the complete set of data", and 3 == "The complete set of WER data will send". @@ -494,7 +494,7 @@ The XML below is for Windows 10, version 1809. - An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. The values are: 0 == "System telemetry settings are restricting uploads", 1 == "WER basic policies are restricting uploads", 2 == "WER advanced policies are restricting uploads", 3 == "WER consent policies are restricting uploads", and 4 == "There are no restrictive settings". + An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted. The values are: 0 == "System telemetry settings are restricting uploads", 1 == "WER basic policies are restricting uploads", 2 == "WER advanced policies are restricting uploads", 3 == "WER consent policies are restricting uploads", and 4 == "There are no restrictive settings". @@ -537,3 +537,7 @@ The XML below is for Windows 10, version 1809. ``` + +## Related topics + +[Win32CompatibilityAppraiser configuration service provider](win32compatibilityappraiser-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md index 93b378c6f0..044557e1f2 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md @@ -1,6 +1,6 @@ --- title: WindowsAdvancedThreatProtection DDF file -description: Learn how the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP). +description: Learn about the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP). ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0 ms.reviewer: manager: dansimp @@ -14,7 +14,6 @@ ms.date: 12/05/2017 # WindowsAdvancedThreatProtection DDF file - This topic shows the OMA DM device description framework (DDF) for the **WindowsAdvancedThreatProtection** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). @@ -56,7 +55,7 @@ The XML below is the current version for this CSP. - Set Windows Defender Advanced Threat Protection Onboarding blob and initiate onboarding to Windows Defender Advanced Threat Protection + Set Windows Defender Advanced Threat Protection Onboarding blob and initiate onboarding to Windows Defender Advanced Threat Protection. @@ -77,7 +76,7 @@ The XML below is the current version for this CSP. - Represents Windows Defender Advanced Threat Protection Health State + Represents Windows Defender Advanced Threat Protection Health State. @@ -119,7 +118,7 @@ The XML below is the current version for this CSP. false - Return Windows Defender Advanced Threat Protection service running state + Return Windows Defender Advanced Threat Protection service running state. @@ -141,7 +140,7 @@ The XML below is the current version for this CSP. 0 - Return Windows Defender Advanced Threat Protection onboarding state: 0 – not onboarded; 1 - onboarded + Return Windows Defender Advanced Threat Protection onboarding state: 0 – not onboarded; 1 - onboarded. @@ -184,7 +183,7 @@ The XML below is the current version for this CSP. - Represents Windows Defender Advanced Threat Protection Configuration + Represents Windows Defender Advanced Threat Protection Configuration. @@ -206,7 +205,7 @@ The XML below is the current version for this CSP. 1 - Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All + Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All. @@ -229,7 +228,7 @@ The XML below is the current version for this CSP. 1 - Return or set Windows Defender Advanced Threat Protection diagnostic data reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite + Return or set Windows Defender Advanced Threat Protection diagnostic data reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite. @@ -253,7 +252,7 @@ The XML below is the current version for this CSP. - Set Windows Defender Advanced Threat Protection Offboarding blob and initiate offboarding + Set Windows Defender Advanced Threat Protection Offboarding blob and initiate offboarding. @@ -274,7 +273,7 @@ The XML below is the current version for this CSP. - Represents Windows Defender Advanced Threat Protection configuration for managing role base access and device tagging + Represents Windows Defender Advanced Threat Protection configuration for managing role base access and device tagging. @@ -343,15 +342,4 @@ The XML below is the current version for this CSP. ## Related topics - -[Configuration service provider reference](configuration-service-provider-reference.md) - -  - -  - - - - - - +[WindowsAdvancedThreatProtection configuration service provider](windowsadvancedthreatprotection-csp.md) diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md index a07f24501d..6f550affd0 100644 --- a/windows/client-management/mdm/windowsautopilot-ddf-file.md +++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md @@ -14,7 +14,7 @@ manager: dansimp # WindowsAutoPilot DDF file > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the device description framework (DDF) for the **WindowsAutoPilot** configuration service provider. @@ -27,7 +27,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic - These settings enable configuration of Windows Autopilot + These settings enable configuration of Windows Autopilot. @@ -74,3 +74,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic ``` + +## Related topics + +[WindowsAutopilot configuration service provider](windowsautopilot-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index c4c0409389..d910c1b600 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -1,6 +1,6 @@ --- title: WindowsDefenderApplicationGuard DDF file -description: learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP). +description: Learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP). ms.author: dansimp ms.topic: article ms.prod: w10 @@ -14,13 +14,13 @@ manager: dansimp # WindowsDefenderApplicationGuard DDF file > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -This XML is for Windows 10, version 1809. +This XML is for Windows 10, version 1809 and later. ```xml @@ -481,3 +481,7 @@ This XML is for Windows 10, version 1809. ``` + +## Related topics + +[WindowsDefenderApplicationGuard configuration service provider](windowsdefenderapplicationguard-csp.md) \ No newline at end of file diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index 5286cedaa2..bdce69a6f7 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -15,13 +15,13 @@ ms.date: 07/16/2017 # WindowsLicensing DDF file > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **WindowsLicensing** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, version 1809. +The XML below is for Windows 10, version 1809 and later. ```xml @@ -104,7 +104,7 @@ The XML below is for Windows 10, version 1809. - Returns a value that maps to the Windows 10 edition running on devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. + Returns a value that maps to the Windows 10 or Windows 11 edition running on devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. @@ -128,7 +128,7 @@ The XML below is for Windows 10, version 1809. - Returns the status of an edition upgrade on Windows 10 client devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown + Returns the status of an edition upgrade on Windows 10 or Windows 11 client devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown @@ -349,3 +349,7 @@ The XML below is for Windows 10, version 1809. ``` + +## Related topics + +[WindowsLicensing configuration service provider](windowslicensing-csp.md) \ No newline at end of file From 7bcdef0327ae2e8d73f0bae15d115539d9b61c06 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 1 Apr 2022 09:18:42 +0530 Subject: [PATCH 09/25] Updated ActiveSync as per feedback --- windows/client-management/mdm/activesync-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index bb6bd752f3..15b60ded18 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| From c43af9ad5de1811e1af7a8e6473a2e395940a874 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 1 Apr 2022 12:55:27 +0530 Subject: [PATCH 10/25] Updated as per review comments --- .../mdm/cm-cellularentries-csp.md | 2 +- windows/client-management/mdm/cmpolicy-csp.md | 2 +- windows/client-management/mdm/wifi-csp.md | 2 +- .../client-management/mdm/windowsautopilot-csp.md | 14 +++++++------- .../client-management/mdm/windowslicensing-csp.md | 2 +- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 7a057f91e2..da022a5067 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index 3cf035b06c..d87631e417 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 9e1e9d883b..76b0d74e1d 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index 2bcfeacc12..a0d6174d4c 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -1,5 +1,5 @@ --- -title: WindowsAutoPilot CSP +title: WindowsAutopilot CSP description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot. ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6 ms.reviewer: @@ -12,17 +12,17 @@ author: dansimp ms.date: 02/07/2022 --- -# WindowsAutoPilot CSP +# WindowsAutopilot CSP The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Home|No|Yes| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index 056fae1e4e..42c1d273f6 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|No| +|Home|Yes|Yes| |Pro|Yes|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| From 1a9d521eb31462b8abdae7bea45a4f64ad45d474 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Fri, 1 Apr 2022 13:12:54 +0530 Subject: [PATCH 11/25] Updated --- .../client-management/mdm/windowsautopilot-ddf-file.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md index 6f550affd0..d6f71e89a4 100644 --- a/windows/client-management/mdm/windowsautopilot-ddf-file.md +++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md @@ -1,6 +1,6 @@ --- -title: WindowsAutoPilot DDF file -description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutoPilot DDF file configuration service provider (CSP) . +title: WindowsAutopilot DDF file +description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutopilot DDF file configuration service provider (CSP) . ms.author: dansimp ms.topic: article ms.prod: w10 @@ -11,12 +11,12 @@ ms.reviewer: manager: dansimp --- -# WindowsAutoPilot DDF file +# WindowsAutopilot DDF file > [!WARNING] > Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic shows the device description framework (DDF) for the **WindowsAutoPilot** configuration service provider. +This topic shows the device description framework (DDF) for the **WindowsAutopilot** configuration service provider. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). From a585e6277eded864166ae4d90201ee7a05622af6 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 5 Apr 2022 11:02:15 +0530 Subject: [PATCH 12/25] As per feedback added a table --- .../mdm/clientcertificateinstall-csp.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index a28a841d41..6803c2f873 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -14,6 +14,16 @@ ms.date: 07/30/2021 # ClientCertificateInstall CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|---|---|---| +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block. From a0dd5a10150255386f54bef6426384a5cdbaf700 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 5 Apr 2022 11:28:27 +0530 Subject: [PATCH 13/25] Updated --- windows/client-management/mdm/cleanpc-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index c6c0b2d293..da1893f548 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|Yes|Yes| +|Pro|No|No| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| From 00e63055e9c2771c383fbd62a1c4df26447a874f Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Wed, 27 Apr 2022 11:26:16 +0530 Subject: [PATCH 14/25] Updated as per feedback --- windows/client-management/mdm/toc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index ee13358bb5..0027a560db 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -963,10 +963,10 @@ items: items: - name: WindowsAdvancedThreatProtection DDF file href: windowsadvancedthreatprotection-ddf.md - - name: WindowsAutoPilot CSP + - name: WindowsAutopilot CSP href: windowsautopilot-csp.md items: - - name: WindowsAutoPilot DDF file + - name: WindowsAutopilot DDF file href: windowsautopilot-ddf-file.md - name: WindowsDefenderApplicationGuard CSP href: windowsdefenderapplicationguard-csp.md From 4516a5dc251b3282d8aa17d5a17e419b1f5184b7 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Mon, 2 May 2022 09:51:30 +0530 Subject: [PATCH 15/25] Updated as per review comments --- windows/client-management/mdm/cleanpc-csp.md | 2 +- windows/client-management/mdm/windowsautopilot-csp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index da1893f548..454f964acd 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -19,7 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|No| -|Business|Yes|Yes| +|Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index a0d6174d4c..1f1f11f0bd 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|Yes| +|Home|No|No| |Pro|No|Yes| |Business|No|Yes| |Enterprise|No|Yes| From 3506c7eb64f0a5e9718edfb5eefc771deaf3f8b1 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 10 May 2022 08:53:39 +0530 Subject: [PATCH 16/25] Updated as per feedback --- .../mdm/configuration-service-provider-reference.md | 2 +- .../mdm/windowsdefenderapplicationguard-csp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 56bcf98029..366de01a73 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1019,7 +1019,7 @@ Additional lists: |Home|Pro|Business|Enterprise|Education| |--- |--- |--- |--- |--- | -|No|Yes|Yes|Yes|Yes| +|No|No|Yes|Yes|Yes| diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index b816d0954d..da2a13cfa9 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -18,7 +18,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|Yes|Yes| +|Pro|No|No| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| From 65878e3b25961ba6af856317a223926c778dc5fc Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 10 May 2022 14:38:46 +0530 Subject: [PATCH 17/25] updated --- .../mdm/configuration-service-provider-reference.md | 2 +- .../mdm/windowsdefenderapplicationguard-csp.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 366de01a73..e87f25aa49 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -1019,7 +1019,7 @@ Additional lists: |Home|Pro|Business|Enterprise|Education| |--- |--- |--- |--- |--- | -|No|No|Yes|Yes|Yes| +|No|No|No|Yes|Yes| diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index da2a13cfa9..0ec8ff5709 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -19,7 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|No| -|Business|Yes|Yes| +|Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| From 854fe4e04817e3ef2b8f95ab2b57c700e01e7d97 Mon Sep 17 00:00:00 2001 From: "JerryAbo [MSFT]" <94194023+jerryabo@users.noreply.github.com> Date: Thu, 12 May 2022 16:31:56 -0500 Subject: [PATCH 18/25] Update policy-csp-devicelock.md removed unnecessary character --- windows/client-management/mdm/policy-csp-devicelock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 17f1c7e4b9..44f87d8987 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -73,7 +73,7 @@ manager: dansimp

> [!Important] -> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types)). +> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). **DeviceLock/AllowIdleReturnWithoutPassword** From 30e136872038205e7c8c8d52b11222ab93a8b75e Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 12 May 2022 19:55:54 -0700 Subject: [PATCH 19/25] fix links and general review --- ...control-and-logging-for-enterprise-mode.md | 29 +- .../internet-explorer/internet-explorer.yml | 2 - windows/deployment/images/download_vhd.png | Bin 10737 -> 0 bytes .../windows-10-enterprise-faq-itpro.yml | 60 +- .../windows-10-poc-sc-config-mgr.md | 665 +++++++++--------- windows/deployment/windows-10-poc.md | 325 ++++----- .../demonstrate-deployment-on-vm.md | 127 ++-- .../secure-the-windows-10-boot-process.md | 111 ++- 8 files changed, 663 insertions(+), 656 deletions(-) delete mode 100644 windows/deployment/images/download_vhd.png diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index 897b27ceed..6290d3a462 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -23,11 +23,11 @@ ms.date: 07/27/2017 **Applies to:** -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) You can turn on local control of Enterprise Mode so that your users can turn Enterprise Mode on from the **Tools** menu. Turning on this feature also adds the **Enterprise** browser profile to the **Emulation** tab of the F12 developer tools. @@ -53,16 +53,13 @@ Besides turning on this feature, you also have the option to provide a URL for E Your **Value data** location can be any of the following types: -- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

**Important**
- The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. -- **Local network location (like, https://emieposturl/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. -- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data. +- **URL location**, for example: `https://www.emieposturl.com/api/records` or `https://localhost:13000`. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu. + + > [!Important] + > The `https://www.emieposturl.com/api/records` example will only work if you've downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) article. If you don't have the sample, you won't have the web API. + +- **Local network location**, for example: `https://emieposturl/`. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. + +- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won't collect any logging data. For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md). - - - - - - - diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml index 27e231694f..17fad3f1dd 100644 --- a/browsers/internet-explorer/internet-explorer.yml +++ b/browsers/internet-explorer/internet-explorer.yml @@ -34,8 +34,6 @@ landingContent: url: /lifecycle/faq/internet-explorer-microsoft-edge - linkListType: download links: - - text: Download IE11 with Windows 10 - url: https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise - text: Enterprise Mode Site List Manager (schema, v.2) url: https://www.microsoft.com/download/details.aspx?id=49974 - text: Cumulative security updates for Internet Explorer 11 diff --git a/windows/deployment/images/download_vhd.png b/windows/deployment/images/download_vhd.png deleted file mode 100644 index 248a512040210ce7bd95cd5f4a6ca69233f76d4a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10737 zcmch7cQ{;M+wKq(okS1Of?&u*kKQFnbVD$DL~p~W(MzI)s7dtbW*A)ziBW+W3|*(j03E;a)*&6Q}8?mDJKT85ng&~;#d|5QKuV=DiS;G`dq9ZY(zeA zm8wujc2d*PIoI&CMC*&(13t01mQY#{^X(4Tn>PhFHI!*ouIWTV%DJt^B{+2q*F6bjrBV*>6vUKkL&A-P>8{GC7roW; zoUNH-KS03Pm9znJ(u`phde4lvgBG5jyVv&aDOZ&7Zw-mD%RlHpe(crnLM5cvNPizO z6H;7UTBu#aW5y)E@k?XhgLzc0ip3H6o6Vr$xN(4))Z5`C2fjJazm#09go zE5!nrY+VCAJ(FZ+?y_OKum5`Vnlaw;*O+PqNY|Ov_Ce5_b@6oDv6_Vwt*@F{8x#-W zTR}no=?S=Zc@3ks_X7hR8)I7&4a7PM zGkspnF&B0fVpX;gUUp_iYPdj@>YvO@cT?f^&6?0nIj0S`$9BbRqaagZARFpi4P==s zoVUvG-4@F5KZo`!v*yEt;fFCcQbIpkaMf&I%GV7bM4X|cTV=Z5EW8k8#zEnaX5TNU z!vjHmzS3nC=GBib^tmRqE13fzO8En;mxuw7(T)LssnKVe!#0@PYF6}iLO>?cuL|y! zZ2r=@EI^(TzTPFQQEop%ck_2+Mi~7>#6T5{<%gTao?gkb2{T(gl&ipCD>Xp6OzAmj z_Fb2|ST)p5ziH@fFi(SjKQ@#iW#Z*+mg1Po;1*k|D&O#Wk}6oUY=-GkIb7SKNlwPt zTb35$SC!4O^}JEzZcFaqi3|>I`#uukYwq}wl$`GoYCYv$E^*Yy>qHy+$dRg=b~P!A zdZX>62T|N@8~*gaoFN}|{7DDNvE4o2p-;0+@pkev=`DPvPyYHS5dSL=#}>#iGt`n% z%`DZR2V7qa>DoTv{xU^<$pz&!LaimKtK1%2E2t3N+}!@ocJ49ca-#p?{`3aq!LFu1 z%Qy0k9v2bNb7Ow8dLyo8kYH6QX|kv>d-0~hJ)QT00Sab;SJG4D?tLS#k6O|b9JtZP z19TE)y%cGd&XRJ=UfBZz%*Ro3{(H1(;@Q&W`N$cx>nC*Yzgp~C~No`Bs4JUV%YKf8oGgoLqz|`POQnp78p9W z&3N;DjHK<-*xh>jsHyXM-O{*x$*J^v1u`9=`pX7H!c?uqe?H%_F20j|R%w@Nq7G6e^6Ps|)_sp_%)cDnm|a=5zscU5h`L9K5f(#!^Dhk*sD z_Xgl?Gk%KR&Z@1W4)}skOep-1p&qGh`yjkq#Vg4OHC1J1|8D-951%L`nT59N?gzes z$Zpx;JU!w!i5H}LZ^pW^bM1Q#6U%yBLk`+8723geUlPi)@GDs*_*{0MNx{e1tYPpb zoe|z{SB|zanUF`svE9o%L?ZW-HpT9(QY4M!rTMTF+*iUX zh{OD(`u={K=N35KDaOhl26aFqJn_-f-2P<(=<7_;UZ{~sRKe+Zpru#9_p#8>iW&#B zghFj%*^rZ;n`ErL_-t<~U2nOp0(ZcUDFhc7#X4|e+Msv4H5TG!kUwQ_LfVv?FDRmt z z+nyzUA&qMq_$*gTU|}q=&bk2<{ip%YJK0C^@N12NN>7C#k|H=gVRU{F zs^O!pbaLI7pUDTyuo`71$Xt7xk3BY+6}rt2XXkd(8ub@-85N$|EoXhw>RMm;ADNTWX7r;+MVww2;2D+N?iZH$3$w@+!) z`|87;~l?>j8tDDf#Fde*rna@ZxA8khUSlgq%B?&Bh9SFeCBD zVh8S&N{YJCsUuzuEtvBix@-$1zhK%QnA?7Nqw{V8_HY5W;CLXA17< zY#Rf#@~>|DaSLSrcxBiJe&ISs)n@jIbV~g@&nO|pOK~grF=55+KA94fd#3leqb=;! z(9wB_gGZ_C(rAf4{0ZFAUTT|$;Qa%9$ebM+_q)Y(q39di#0IF=uS#J%3z*Aq^i~!Z zbheRtm&c@4be$=9)yNtX^sUg7E>5vI6SQiVg|$1=>s`!l z51abl*&^pvvt__#jzcX5oWfK!l!X+QOwkw5Y1hPdx71KXHhM50c_+a}<57@HTy-e? zve2{62+a$AmqD4EO4?m(yzsWY;@lc@z!U@WtEZ}hj*0U$d(Uny3Qu*VSe^0jZMPM9 z7wmCtN5Vt{*7_SL4_n)&pF}M4)}GbeJu!2^R$eDMF;kOo*KS*_7|3c$DyG`Y@6p6I zw$*Lq6hRLj|1d!_9tkjii>mu{aiW#MEyz$<1ahE~Ni)AWa|+3IaKf9n%*soz?lhb& zM1}A8>e*(GES1-8&4e!TRzgs0&j+9J$qvH94f@cEJegmS#$`s#`e#G->_kiFKabm1 zM2K%R7A=M5Mr0%~+FJ6S7dWVHHoBxoWPHn-Xe^yK#_3u7vX%%wctwS+L~vF1sD+%t zt(7ytEOh>q=Zi71XXsw!BSnW5ab{mE(2!5bXU&jb?JYQGqj z$jkQW;>$+d#U)LxPF2>4=)s$ zABT_V@66&ooPjAXCei^EBsDhdD#9jfOg4li zfU(+Y-IeD{KfB5?E8i?_ff13RP63px)%KR^a&loYfb%if>oV7h?DjssSy~EK77-9a z!q~zOx0#8^sf5xoIKS*q!p+mX)@dRaWm`32=0wrZ-Bx8Rya3G2(lo)e@a#jE)j1 zC|Kw?3!suAFB<8dbW6HPQ#2y_BR5-Ug&{eR!lgU1KrttM8T1=Ya_dtuoN0ZCy73bz zzvnx)o5ucf^LeJ8=gHyN!{KirB*ao({&H=}(GAN>bO){WW#073y-9gqZmZA{IR+)4 zzy_C2WQlf)wpf237NS8?3C+zHE3JD6dW#T9NiC-o)6axe#F5a*Nt}_%Af^3s3ZT>5 zGh$3e{I<@J4fm{H*(kR`i|s6!Ip*sGpD(Wyo4~`G-2-u4--eV$g#6Ft_5%}CC4okJ40q^XilvsG|%7orvy5~ zVxm$bzT`;06Kv4%)DYY$;QA7$u>^9Mc#B)|n9@@@&RaUWl|=7bPrht8SX5NlHm)8* z6#5nyZE8*wGZ^xs4yI*R%)`X9RCHFN{)xloQ3*eZ(vc@^%(02pwdg%4b^KMA51%%6e@i6OijO z;w0EC!*l%ehIXO*8h8e3k?@$ew^~D=s+qhRG->-}EsHIOgV8Zw1>x54<5u#Xnu52) z2W6pH7w0j);a5oI>(scG7pz5>u|JUms`?HZ#=whkJ0KdLRGIKqkIlh;AICZV^UgE< z_5|OTulc-rn_F)M_{PP~$j^z(b9~6!!Rk9kl@Tbyl{~1YfU{l{l2rbt<|9-vh;>lm zjYXvQOELChIq-H>RFF9`Y$%nPImGiCM9w$k#6+oJfT0;PP5x}+^Y(V@$9Uc9Mak>k z0X9pOKN3G9tP)elCQgY~eCtjs3{9w{?+wrt6}ftN1sNaoheM=z`AdHVm~^S(B42ro zO8Xl+#`Y$f99?n58lZx^L-9dqO?0NOSFR48;y&;I=>0yVEU@eqY*yo;0c!ALw2(Tw zQ$`)VeaGJ#eV!n4ak)WK2wk}S?=BGhi%P^IpU|Y<6`t0<_UY!+1X#CS?XEDEF`>Js zUcgkCiEX$LTKm*Z{(t8WusXVJf4l7R==ar$>)eUN!w47V8wuUuz8(`W!}_SH(!NcS zsp1tgG-$;!e>3ZgT`gseLB>Yd`99`sZ|)+FaUF9phUs2>Z0rq-19ZL+WJ<7%rLKSq zjE0>J=WApHcs3VmLsMIB-rkM>+p7_{k7?LQF6@2xK6A&->ZhBjZu0oEjmb+YzO&w| zQ%~8e_?rW1ldfU=Ww}aB3Dho8f|HA3Cp;3Xo>!O2a#y9J(XsMj@XM#dQiar|(6Cd} zupx2Nl^N$xw#9)fiQRTQ)0)^4QdC-g_KF>*8pKVbs^64_raLE1fjgD)i&}t2|T`in&uk^6v zWhQ&K%+}!ZGU&T68?ox#1jkqXAgC7ZB>_KOd7%m5#&E0b3P(1Gxh|44j9Mh%VA`8DQ82=1R^gh0#ibnG0`dVUNcF68Vv#-LJ8(!bf!O0eIP*5sem`EWO;|Cx(U@ z{gJ9|=Ie6g zeJ#bEjZ~{Dm6mv{uNZHJL7pzUQvG|vbyK^tx(_`5Rr3O-n}+VZc-gBtCYheeJjN6)5Z{DwPV;;<5TQ=VNwLAc|21qHs$q z{M96%7P(?|zE1ADZ0^ za_e){_+rOwzbN=tDc^PF8bh)($;v(u#{T?&* z1{?E1{jAsu$!b)DnYnu zy&BOR@-|&&spSY;YA!XMJEDbgKLH4L>XFlDnpL5zs^q(rsjGA+@@XWP`vw^pRr9)v zN|Ay%`RlZUx7bW2d6LWWz_e^-S@WB^Tn?v5KmRdOe1xoz%?UD|y!o_j%ay?2sPdf?I?xgh%Hr6xtA z5o+4n00VN3yRBwXm3I!(TQJNm6(65UaTzYe-G$=j`^>VPSk!}Z1}ysmA@tNIUb{eD zV4lW`FLUu>C*AystW-|@*e4@(v|oq9@+G-D&w?diGZyLpt~@vfzjWG7rm4zjGS8Wo>|dX!8xd{JS)Kg|+-yE+G~O@-IGW73`MADZ z$jko~Y^$>@!NTJAgY0mZnBXVRKJUV51(h8d5A%?=%D428&@J&I-bS9^&zTduS|Ua@ z6f`@3m^v8Z3~uc?sVFO$j2CA|W}lEyRJ&V7Oq;k`apQcmEd5nCN@48v^K^lw6`*(n zbbmYFVYAPu7p$UifK_JP1k1C^oIF{@CZd+g+0vL=PxIrm?`%X@X6fG- z#hiJRTub*ZYbxe$0|ur1;9?C>nrm1!OD<1iKL9_Qjqj6*d2BTx>*|$EegFj7up*ExkM_=vw_!GgIxCXbBAhw%rqe01BpB|>0&?J zg@;JUp9;#g>2kh$&yJ8Qna^RwS3C4J2U@lWHflX^wVp;h!Bs$10Hswam96x;9xYwj z)HIu8jqvkmK|_ag@DDxnX~dI`&{?hw?;+i>m{#RpWl|EoZeRR=)ojTF=Y(-NNDHIH3!Sc<#-s-;K58tsT?hLj#~Q0^U-9v z3+1*If-;k&!?%Q^zk_pS7I^CrN&Lvbfx-Y~wjTe!C|xN3^0o;9j)ihBFC!}jCh3Gn53ZdQ zK^IyGM!RH~_qX!S&Eu&-SuG*jsilaL>V^&TH5;SMdTjI~Vo5g9!QexDWg!~-05I{@ z%-Ih!0*&!o06-q1Y>n}IKeXPtE5Uo?_=$ml_5*RHM z4LR3Ror-wjbcw@>9eW(V-Fm^eH2UEi(O8Nc^qfUn0kGmNL_WCiixM+jQ|BBld0oKO z4ekQ+t&+dr#rHsF;Q6v>yh)y%!|OB?nj?Tj2;7vr?&z0Tm4u4CL_@w+I+Pq&v~0K1 z@K!{CFkN^Ve?RVQ0T{zs1Xjxdd27zcA4>Ga0il+3P&jCz-h9p6nRlL>+|IWNnI7)r z7YM-M2@s(78%Uyd@lTh-uQL%jvS+ui*^bOS)>Z@hYu(ao*RN#`4)mSyLgGHFMhiK<#$9D??=exO3mU)OY?QP8Sg zMmV@IyC8L(TsC_r(F;`e9&5*vOX%}RVDg|N+Cs>|m6e8Y)I z_Vxj&Jy3c;!rvD3;$hH|F?J+ZkGPoT;8)7{00~lVAzD`z!m9q^p)NPZ!oUQXaX#elt~zHHC7({*I^p7t%hRwmVEjY4Sf>1cB3!RlyHnO^=Sp~P5%6>^Y2VZ5Q* zELjL`RnBYsGyD7U@)+ZJD6}&_$76N&%r~q!i0tn|?8i>#8%Jb?8~HhO_Qj8Ylf9S8 zZC`|=y$I69Jx@Nc?y~X=#LnCy$?>J<%(uy52~)BKDnhGIr_0%AvlDbszEa5Y4u9#S zXLU#5iSOa{w=Lmk8Wwv(hNda1kp0`t+uVeXtU?ZPCg#r-daR{iooRjm9h$jmpl@F@ zzW0>ZKkddgIpLO}7t5;k2M#6r-Cv(h+GwBy9;W5bBkaDc)C$c!AUrVVG#LC0_@Uxy zR5%jiZ<5|0Drg#mY+>kB;Knu%zQ1aERcE}Q7Jg1<(r;G=gIB3GdlDk=y*KBh(@0+F zz;w53@!jHKjT8jTRjSw=^EYT)z`$Qq6y2l0KLwN|I$jLxJMvxEQjG)HiZKaO?2Wvc zG{X~jzdC!u+!?}!g_C^Zdy#tek)@NJ>;HDA8%}b{Imtb9lMpzWEh7(AvIi;z0(>3o zn`8J>^P&qFbChD9_Iq=;7p9^pDH09;Z&9)g{NaTEh2!KTGXdw#$~Jymp=r`4vsF!Z z&E{VTiHgmjtjG#^hoE(MK5<{*4g{c*h%--=jWy0 z&kl<3cb8)p%nbz?+(ACvBn0WU+>(c;;vgtoDwE{H|LJcGchN zlVMLi*unQgSeuD=dz+Q`P{*GkSsUUNzG!B;CMI_xI() z=vABj{(}L!f1Y)`q~+9Aa@*)w@FC$;3LU^Lx7@ukHkEVmwZz0M)&NgW-E~79-L!Cz zd)UNiitYs6a?o^hYP|sf|IQ$sHJ+?FtCub`Lr(~Xyv!n-M4m!$tjp^Da`(66ZWBU5 zqmrKBxWWClMyh+|h7R0Fv4}KKbwGfm`nRS~C7#Y_21S)3NSpz-q-oyPNt2a)pp;?( zOc>_!fM>i0nJ`gmtTP%*s;OvfWe86HD*EN|?PDQk_bqQ-t2kf(Vqk_^GeNO7$?U(U zd~;2~(aa9;z6R`zjhsU?>m8gS)bq1hW%9>{2~x36ICK109J(Ik&mxyYk* z(VH)Gu`&6vsuf9w;H>g{S>(d<6klZAP0uKPUi6|82BCEjdb@wELO$`v zHiH4`Gnbych4=KK+pB!dwm z)NyqeE*zbfJpVSD?f<3Oq~?FntTD`}Qqcy9Mzt3WFMY#NaCArC_@5LL>Yo@6yWIB- z-Ov7nh|fnp_GG(|>Aybs?d8>$0a%8JANOM1n(PiC4 zyoTdo?u(ug7n_bsKNvPB}M(5#Ww0( zeC+=CGiZZ8|AZu~n=n0WTr~+C#MZV!qU|$Wr4*z8{GEhn=X@^CCNU;N!-QNEoDLg( z0~#`+T?i#$n{w|&F;xxiiRTf-bvk-cf2@v}wH9?T*wVT>DO0gq33uRKMg<^EqT z$N%L-_>a*wJO8quvj;pdT}9nRho3I}aX=`t`MGx05L~||6|zZOIXf*POh|PtI-IQl z*N;+Ee*y0?)(dX`|InoRyEW#>kydd?PU+7x=K5Zat1iymu@?;Xepz?-x4^RvjTUUN ze1zD1Tr+)wJtS1vvc#&>ulA}hKV65uP03uE3p_T;4J#YnS?+1_FwcBseeq-k;xkZMj&d2#+;b_!^3Aaa#gF^?5~Z{j+lfJ2 zB6KN3=!2swOT~iNPIPI5%cG10)F+!TRX9zVefPcH1>ERxwM?B?5Y zXI_qaJ7be@EVe?>X=(kj!vMW^DEXUnk{{IplBS7w%VCx!3KJggEPtn!*-~rKT+Sl# z#I?lJW>Dhdx{t+0E)4GO(70f@Hx(;}f@#%78eFF>qJPU+7Q5iA{gnmaKv9r`o5Sy_ z%R5j=x@ne?~Ni0xChxODlq<35`m4}q`g>{QhH~iNg?R-DM$KmR4)t9=R zg;GD*%R|8LX{&gUFrBpfr?qDIIzR=_>zPuw+_7sWjoKW*k#P@W^peuVKd=)r$)Fq? z{WYU4sLVfgS7yXu@_n=}x)~83bcuXc$$xBvK*u5Cji39wbEl!>&Pm3w_9lr~)(kAG zAv?O{k&eVo*o2_JZTzS@4fo)%kVC?}!GH52UqXzou$P!6lWfnsq!M`--DhP`Pyzy2 zh>T3F7GPd(kUgc4%601#wu;pC*0xK`d518<@A0))uT=|~Zkg`x*&|qw+nl#1Vr>a2 zYRvsCTby%oh_lu2AE3>>S*z%!y<5xH_>XHO&5t?m)xll=8B4Nd_&-3mXSVsL$M3*@ tu%+ln^#7*GzbO9y+rCYFy)t~I#NXm<37sJ-BYdU_(9+OVN2%IG{tvccs$2j7 diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index 0662961ade..32c08d1d10 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -7,7 +7,7 @@ metadata: ms.mktglfcycl: plan ms.localizationpriority: medium ms.sitesec: library - ms.date: 08/18/2017 + ms.date: 05/12/2022 ms.reviewer: author: aczechowski ms.author: aaroncz @@ -24,7 +24,7 @@ sections: - question: | Where can I download Windows 10 Enterprise? answer: | - If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx). + If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you don't have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx). - question: | What are the system requirements? @@ -34,21 +34,25 @@ sections: - question: | What are the hardware requirements for Windows 10? answer: | - Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information. + Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. For more information, see [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications). - question: | Can I evaluate Windows 10 Enterprise? answer: | - Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. + Yes, a 90-day evaluation of Windows 10 Enterprise is available. The evaluation is available in Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. + + > [!NOTE] + > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). + - name: Drivers and compatibility questions: - question: | Where can I find drivers for my devices for Windows 10 Enterprise? answer: | - For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action. - - For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. - - For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. + For many devices, drivers will be automatically installed in Windows 10 and there will be no need for further action. + - For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers aren't automatically installed, visit the manufacturer's support website for your device to download and manually install the drivers. If Windows 10 drivers aren't available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. + - For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable more functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. - Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include: - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) @@ -58,22 +62,28 @@ sections: - question: | Where can I find out if an application or device is compatible with Windows 10? answer: | - Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](/windows/windows-10/) on the Windows IT Center. + Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. - question: | - Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10? + Is there an easy way to assess if my organization's devices are ready to upgrade to Windows 10? answer: | - [Windows Analytics Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics). + [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without other infrastructure requirements. This service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. - name: Administration and deployment questions: - question: | Which deployment tools support Windows 10? answer: | - Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. - - [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. - - Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. - - The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. + Updated versions of Microsoft deployment tools, including Microsoft Endpoint Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. + + - [Microsoft Endpoint Configuration Manager](/mem/configmgr) simplifies the deployment and management of Windows 10. If you aren't currently using Configuration Manager, download a free 180-day trial. + + > [!NOTE] + > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). + + - [MDT](/mem/configmgr/mdt) is a collection of tools, processes, and guidance for automating desktop and server deployment. + + - The [Windows ADK](/windows-hardware/get-started/adk-install) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. - question: | Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? @@ -83,9 +93,9 @@ sections: - question: | Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free? answer: | - If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). + If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you're entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. + For devices that are licensed under a volume license agreement for Windows that doesn't include Software Assurance, new licenses will be required to upgrade these devices to Windows 10. - name: Managing updates questions: @@ -97,7 +107,7 @@ sections: - question: | How is servicing different with Windows as a service? answer: | - Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. + Traditional Windows servicing has included several release types: major revisions (for example, Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month. - question: | What are the servicing channels? @@ -107,13 +117,13 @@ sections: - question: | What tools can I use to manage Windows as a service updates? answer: | - There are many tools are available. You can choose from these: + There are many available tools: - Windows Update - Windows Update for Business - Windows Server Update Services - Microsoft Endpoint Configuration Manager - For more information on pros and cons for these tools, see [Servicing Tools](../update/waas-overview.md#servicing-tools). + For more information, see [Servicing Tools](../update/waas-overview.md#servicing-tools). - name: User experience questions: @@ -122,17 +132,17 @@ sections: answer: | For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. - Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. + Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). - question: | How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1? answer: | - Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](/windows/windows-10/) resources. + Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. - question: | - How does Windows 10 help people work with applications and data across a variety of devices? + How does Windows 10 help people work with applications and data across various devices? answer: | The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include: - Start menu is a launching point for access to apps. @@ -146,7 +156,7 @@ sections: Where can I ask a question about Windows 10? answer: | Use the following resources for additional information about Windows 10. - - If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. - - If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum). - - If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev). + - If you're an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. + - If you're an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum). + - If you're a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev). - If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home). diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index e4f15a4aa4..80c6f19c7c 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -1,53 +1,48 @@ --- -title: Steps to deploy Windows 10 with Microsoft Endpoint Configuration Manager -description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft endpoint configuration manager. +title: Steps to deploy Windows 10 with Configuration Manager +description: Learn how to deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, sccm +ms.technology: windows ms.localizationpriority: medium ms.reviewer: manager: dougeby ms.audience: itpro ms.author: aaroncz author: aczechowski -audience: itpro -ms.topic: article -ms.custom: seo-marvel-apr2020 +ms.topic: tutorial --- -# Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager +# Deploy Windows 10 in a test lab using Configuration Manager -**Applies to** +*Applies to* -- Windows 10 +- Windows 10 -**Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: - -- [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) -- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) - -Please complete all steps in these guides before attempting the procedures in this guide. If you wish to skip the Windows 10 deployment procedures in the MDT guide and move directly to this guide, you must at least install MDT and the Windows ADK before performing procedures in this guide. All steps in the first guide are required before attempting the procedures in this guide. +> [!Important] +> This guide uses the proof of concept (PoC) environment, and some settings that are configured in the following guides: +> +> - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) +> - [Deploy Windows 10 in a test lab using the Microsoft Deployment Toolkit](windows-10-poc-mdt.md) +> +> Complete all steps in these guides before you start the procedures in this guide. If you want to skip the Windows 10 deployment procedures in the MDT guide, and move directly to this guide, at least install MDT and the Windows ADK before starting this guide. All steps in the first guide are required before attempting the procedures in this guide. The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs): - **DC1**: A contoso.com domain controller, DNS server, and DHCP server. - **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network. -- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes. +- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your network for testing purposes. ->This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work. +This guide uses the Hyper-V server role to perform procedures. If you don't complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work. ->Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**. +Multiple features and services are installed on SRV1 in this guide. This configuration isn't a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, select **Settings**, select **Memory**, and modify the value next to **Maximum RAM**. ## In this guide This guide provides end-to-end instructions to install and configure Microsoft Endpoint Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete. -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. +The procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. - -|Topic|Description|Time| +|Procedure|Description|Time| |--- |--- |--- | |[Install prerequisites](#install-prerequisites)|Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.|60 minutes| |[Install Microsoft Endpoint Configuration Manager](#install-microsoft-endpoint-configuration-manager)|Download Microsoft Endpoint Configuration Manager, configure prerequisites, and install the package.|45 minutes| @@ -55,9 +50,9 @@ Topics and procedures in this guide are summarized in the following table. An es |[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)|Prerequisite procedures to support Zero Touch installation.|60 minutes| |[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)|Use the MDT wizard to create the boot image in Configuration Manager.|20 minutes| |[Create a Windows 10 reference image](#create-a-windows-10-reference-image)|This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.|0-60 minutes| -|[Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image)|Add a Windows 10 operating system image and distribute it.|10 minutes| +|[Add a Windows 10 OS image](#add-a-windows-10-operating-system-image)|Add a Windows 10 OS image and distribute it.|10 minutes| |[Create a task sequence](#create-a-task-sequence)|Create a Configuration Manager task sequence with MDT integration using the MDT wizard|15 minutes| -|[Finalize the operating system configuration](#finalize-the-operating-system-configuration)|Enable monitoring, configure rules, and distribute content.|30 minutes| +|[Finalize the OS configuration](#finalize-the-operating-system-configuration)|Enable monitoring, configure rules, and distribute content.|30 minutes| |[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager)|Deploy Windows 10 using Configuration Manager deployment packages and task sequences.|60 minutes| |[Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager)|Replace a client computer with Windows 10 using Configuration Manager.|90 minutes| |[Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager)|Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT|90 minutes| @@ -70,10 +65,11 @@ Topics and procedures in this guide are summarized in the following table. An es Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ ``` - >If the request to add features fails, retry the installation by typing the command again. + > [!NOTE] + > If the request to add features fails, retry the installation by typing the command again. 2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. -3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso @@ -109,11 +105,11 @@ Topics and procedures in this guide are summarized in the following table. An es 5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: ```powershell - New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow - New-NetFirewallRule -DisplayName "SQL Admin Connection" -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName "SQL Database Management" -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName "SQL Service Broker" -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow - New-NetFirewallRule -DisplayName "SQL Debugger/RPC" -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow + New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action allow + New-NetFirewallRule -DisplayName "SQL Admin Connection" -Direction Inbound -Protocol TCP -LocalPort 1434 -Action allow + New-NetFirewallRule -DisplayName "SQL Database Management" -Direction Inbound -Protocol UDP -LocalPort 1434 -Action allow + New-NetFirewallRule -DisplayName "SQL Service Broker" -Direction Inbound -Protocol TCP -LocalPort 4022 -Action allow + New-NetFirewallRule -DisplayName "SQL Debugger/RPC" -Direction Inbound -Protocol TCP -LocalPort 135 -Action allow ``` 6. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 2004. Installation might require several minutes to acquire all components. @@ -128,9 +124,14 @@ Topics and procedures in this guide are summarized in the following table. An es Stop-Process -Name Explorer ``` -2. Download [Microsoft Endpoint Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished. +1. Download **Microsoft Endpoint Configuration Manager** on SRV1. -3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: + > [!NOTE] + > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). + +1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished. + +1. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**: ```dos Get-Service Winmgmt @@ -157,57 +158,58 @@ Topics and procedures in this guide are summarized in the following table. An es You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**. - If the WMI service is not started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. + If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information. -4. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt: +1. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt: ```powershell cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe ``` -5. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1: +1. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1: ```dos adsiedit.msc ``` -6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**. -7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**. -8. Click **container** and then click **Next**. -9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**. -10. Right-click **CN=system Management** and then click **Properties**. -11. On the **Security** tab, click **Add**, click **Object Types**, select **Computers**, and click **OK**. -12. Under **Enter the object names to select**, type **SRV1** and click **OK**. -13. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. -14. Click **Advanced**, click **SRV1 (CONTOSO\SRV1$)** and click **Edit**. -15. Next to **Applies to**, choose **This object and all descendant objects**, and then click **OK** three times. -16. Close the ADSI Edit console and switch back to SRV1. -17. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1: +1. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**. +1. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**. +1. Select **container** and then select **Next**. +1. Next to **Value**, type **System Management**, select **Next**, and then select **Finish**. +1. Right-click **CN=system Management** and then select **Properties**. +1. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**. +1. Under **Enter the object names to select**, type **SRV1** and select **OK**. +1. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**. +1. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**. +1. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times. +1. Close the ADSI Edit console and switch back to SRV1. +1. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe ``` -18. Provide the following in the Microsoft Endpoint Manager Setup Wizard: - - **Before You Begin**: Read the text and click *Next*. +1. Provide the following information in the Configuration Manager Setup Wizard: + - **Before You Begin**: Read the text and select *Next*. - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox. - - Click **Yes** in response to the popup window. + - Select **Yes** in response to the popup window. - **Product Key**: Choose **Install the evaluation edition of this Product**. - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox. - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page. - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**. - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**. - use default settings for all other options - - **Usage Data**: Read the text and click **Next**. + - **Usage Data**: Read the text and select **Next**. - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use). - - **Settings Summary**: Review settings and click **Next**. - - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**. + - **Settings Summary**: Review settings and select **Next**. + - **Prerequisite Check**: No failures should be listed. Ignore any warnings and select **Begin Install**. - >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. + > [!NOTE] + > There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. - Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. + Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Select **Close** when installation is complete. -19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: +1. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: ```powershell Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1 @@ -263,45 +265,45 @@ This section contains several procedures to support Zero Touch installation with ### Enable MDT ConfigMgr integration -1. On SRV1, click **Start**, type **configmgr**, and then click **Configure ConfigMgr Integration**. -2. Type **PS1** next to **Site code**, and then click **Next**. -3. Verify **The process completed successfully** is displayed, and then click **Finish**. +1. On SRV1, select **Start**, type `configmgr`, and then select **Configure ConfigMgr Integration**. +2. Type `PS1` as the **Site code**, and then select **Next**. +3. Verify **The process completed successfully** is displayed, and then select **Finish**. ### Configure client settings -1. On SRV1, click **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then click **Pin to Taskbar**. -2. Click **Desktop**, and then launch the Configuration Manager console from the taskbar. -3. If the console notifies you that an update is available, click **OK**. It is not necessary to install updates to complete this lab. -4. In the console tree, open the **Administration** workspace (in the lower left corner) and click **Client Settings**. +1. On SRV1, select **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**. +2. Select **Desktop**, and then launch the Configuration Manager console from the taskbar. +3. If the console notifies you that an update is available, select **OK**. It isn't necessary to install updates to complete this lab. +4. In the console tree, open the **Administration** workspace (in the lower left corner) and select **Client Settings**. 5. In the display pane, double-click **Default Client Settings**. -6. Click **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then click **OK**. +6. Select **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then select **OK**. ### Configure the network access account -1. In the Administration workspace, expand **Site Configuration** and click **Sites**. -2. On the **Home** ribbon at the top of the console window, click **Configure Site Components** and then click **Software Distribution**. +1. In the Administration workspace, expand **Site Configuration** and select **Sites**. +2. On the **Home** ribbon at the top of the console window, select **Configure Site Components** and then select **Software Distribution**. 3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. -4. Click the yellow starburst and then click **New Account**. -5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**. -6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then click **OK** twice. +4. Select the yellow starburst and then select **New Account**. +5. Select **Browse** and then under **Enter the object name to select**, type **CM_NAA** and select **OK**. +6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then select **OK** twice. ### Configure a boundary group -1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then click **Create Boundary**. -2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then click **Browse**. -3. Choose **Default-First-Site-Name** and then click **OK** twice. -4. In the Administration workspace, right-click **Boundary Groups** and then click **Create Boundary Group**. -5. Next to **Name**, type **PS1 Site Assignment and Content Location**, click **Add**, select the **Default-First-Site-Name** boundary and then click **OK**. -6. On the **References** tab in the **Create Boundary Group** window select the **Use this boundary group for site assignment** checkbox. -7. Click **Add**, select the **\\\SRV1.contoso.com** checkbox, and then click **OK** twice. +1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**. +2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**. +3. Choose **Default-First-Site-Name** and then select **OK** twice. +4. In the Administration workspace, right-click **Boundary Groups** and then select **Create Boundary Group**. +5. Next to **Name**, type **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**. +6. On the **References** tab in the **Create Boundary Group** window, select the **Use this boundary group for site assignment** checkbox. +7. Select **Add**, select the **\\\SRV1.contoso.com** checkbox, and then select **OK** twice. ### Add the state migration point role -1. In the Administration workspace, expand **Site Configuration**, click **Sites**, and then in on the **Home** ribbon at the top of the console click **Add Site System Roles**. -2. In the Add site System Roles Wizard, click **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox. -3. Click **Next**, click the yellow starburst, type **C:\MigData** for the **Storage folder**, and click **OK**. -4. Click **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed. -5. Click **Next** twice and then click **Close**. +1. In the Administration workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**. +2. In the Add site System Roles Wizard, select **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox. +3. Select **Next**, select the yellow starburst, type **C:\MigData** for the **Storage folder**, and select **OK**. +4. Select **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed. +5. Select **Next** twice and then select **Close**. ### Enable PXE on the distribution point @@ -312,28 +314,29 @@ This section contains several procedures to support Zero Touch installation with WDSUTIL /Set-Server /AnswerClients:None ``` -1. Determine the MAC address of the internal network adapter on SRV1. To determine this, type the following command at an elevated Windows PowerShell prompt on SRV1: +1. Determine the MAC address of the internal network adapter on SRV1. Type the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell (Get-NetAdapter "Ethernet").MacAddress ``` - > If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**. + > [!NOTE] + > If the internal network adapter, assigned an IP address of 192.168.0.2, isn't named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**. -2. In the Microsoft Endpoint Manager console, in the **Administration** workspace, click **Distribution Points**. -3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. +2. In the Configuration Manager console, in the **Administration** workspace, select **Distribution Points**. +3. In the display pane, right-click **SRV1.CONTOSO.COM** and then select **Properties**. 4. On the PXE tab, select the following settings: - - **Enable PXE support for clients**. Click **Yes** in the popup that appears. + - **Enable PXE support for clients**. Select **Yes** in the popup that appears. - **Allow this distribution point to respond to incoming PXE requests** - - **Enable unknown computer support**. Click **OK** in the popup that appears. + - **Enable unknown computer support**. Select **OK** in the popup that appears. - **Require a password when computers use PXE** - **Password** and **Confirm password**: pass@word1 - - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. + - **Respond to PXE requests on specific network interfaces**: Select the yellow starburst and then enter the MAC address determined in the first step of this procedure. See the following example: ![Config Mgr PXE.](images/configmgr-pxe.png) -5. Click **OK**. +5. Select **OK**. 6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: ```powershell @@ -348,57 +351,60 @@ WDSUTIL /Set-Server /AnswerClients:None wdsnbp.com ``` - >If these files are not present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing "net share REMINST" at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. - >You can also type the following command at an elevated Windows PowerShell prompt to open the Configuration Manager Trace Log Tool. In the tool, click **File**, click **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: - - ```powershell - Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' - ``` - - The log file will updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically re-check that the files are present in the REMINST share location. Close the Configuration Manager Trace Log Tool when done. You will see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files: - - `Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"` - - Once the files are present in the REMINST share location, you can close the cmtrace tool. + > [!NOTE] + > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path. + > + > You can also type the following command at an elevated Windows PowerShell prompt to open the CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red: + > + > ```powershell + > Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' + > ``` + > + > The log file is updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically recheck that the files are present in the REMINST share location. Close CMTrace when done. You'll see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files: + > + > `Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"` + > + > Once the files are present in the REMINST share location, you can close the CMTrace tool. ### Create a branding image file -1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a simple branding image. +1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a branding image. 2. Type the following command at an elevated Windows PowerShell prompt: ```powershell Copy-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination "C:\Sources\OSD\Branding\contoso.bmp" ``` - >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image. + > [!NOTE] + > You can open C:\Sources\OSD\Branding\contoso.bmp in Microsoft Paint to customize this image. ### Create a boot image for Configuration Manager -1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**. -2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**. - - The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later. -3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and click **Next**. -4. On the Options page, under **Platform** choose **x64**, and click **Next**. -5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and click **Next**. -6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then click **Next** twice. It will take a few minutes to generate the boot image. -7. Click **Finish**. -8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then click **Distribute Content**. -9. In the Distribute Content Wizard, click **Next**, click **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, click **OK**, click **Next** twice, and then click **Close**. +1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then select **Create Boot Image using MDT**. +2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**. + - The Zero Touch WinPE x64 folder doesn't yet exist. The folder will be created later. +3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and select **Next**. +4. On the Options page, under **Platform** choose **x64**, and select **Next**. +5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and select **Next**. +6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image. +7. Select **Finish**. +8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then select **Distribute Content**. +9. In the Distribute Content Wizard, select **Next**, select **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, select **OK**, select **Next** twice, and then select **Close**. 10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1: ```powershell Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' ``` - In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: + In the trace tool, select **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: ```console STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) ``` 11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. -12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. -13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**. +12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then select the **Data Source** tab. +13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and select **OK**. 14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example: ```console @@ -412,11 +418,12 @@ WDSUTIL /Set-Server /AnswerClients:None C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim ``` - >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT. + > [!NOTE] + > The first two images (`*.wim` files) are default boot images. The third is the new boot image with DaRT. ### Create a Windows 10 reference image -If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section. +If you've already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you've already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 OS image](#add-a-windows-10-operating-system-image). If you've not yet created a Windows 10 reference image, complete the steps in this section. 1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command: @@ -424,68 +431,70 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso ``` -2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. +1. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D. -3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**. +1. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**. -4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. +1. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. -5. Use the following settings for the New Deployment Share Wizard: +1. Use the following settings for the New Deployment Share Wizard: - Deployment share path: **C:\MDTBuildLab** - Share name: **MDTBuildLab$** - Deployment share description: **MDT build lab** - - Options: click **Next** to accept the default - - Summary: click **Next** + - Options: Select **Next** to accept the default + - Summary: Select **Next** - Progress: settings will be applied - - Confirmation: click **Finish** + - Confirmation: Select **Finish** -6. Expand the **Deployment Shares** node, and then expand **MDT build lab**. +1. Expand the **Deployment Shares** node, and then expand **MDT build lab**. -7. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**. +1. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**. -7. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**. +1. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**. -8. Use the following settings for the Import Operating System Wizard: +1. Use the following settings for the Import Operating System Wizard: - OS Type: **Full set of source files** - Source: **D:\\** - Destination: **W10Ent_x64** - - Summary: click **Next** - - Confirmation: click **Finish** + - Summary: Select **Next** + - Confirmation: Select **Finish** -9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. +1. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications). -10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: +1. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - Task sequence ID: **REFW10X64-001** - Task sequence name: **Windows 10 Enterprise x64 Default Image** - Task sequence comments: **Reference Build** - Template: **Standard Client Task Sequence** - - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** + - Select OS: Select **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim** - Specify Product Key: **Do not specify a product key at this time** - Full Name: **Contoso** - Organization: **Contoso** - Internet Explorer home page: **http://www.contoso.com** - Admin Password: **Do not specify an Administrator password at this time** - - Summary: click **Next** - - Confirmation: click **Finish** + - Summary: Select **Next** + - Confirmation: Select **Finish** -11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. +1. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step. -12. Click the **Task Sequence** tab. Under **State Restore** click **Tattoo** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo. +1. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo. -13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again. +1. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again. -14. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**. +1. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**. -15. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**. +1. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**. -16. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. - >Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications. +1. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox. -17. Click **OK** to complete editing the task sequence. + > [!NOTE] + > Since we aren't installing applications in this test lab, there's no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you're also installing applications. -18. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and click **Properties**, and then click the **Rules** tab. +1. Select **OK** to complete editing the task sequence. -19. Replace the default rules with the following text: +1. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab. + +1. Replace the default rules with the following text: ```ini [Settings] @@ -520,7 +529,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi SkipFinalSummary=NO ``` -20. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: +1. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file: ```ini [Settings] @@ -534,43 +543,44 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi SkipBDDWelcome=YES ``` -21. Click **OK** to complete the configuration of the deployment share. +1. Select **OK** to complete the configuration of the deployment share. -22. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**. +1. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**. -23. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, click **Finish**. +1. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**. -24. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). +1. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI). - >Hint: Top copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**. + > [!TIP] + > To copy the file, right-click the **LiteTouchPE_x86.iso** file, and select **Copy** on SRV1. Then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder, and select **Paste**. -25. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: +1. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands: ```powershell - New-VM –Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB + New-VM -Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20 Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso Start-VM REFW10X64-001 vmconnect localhost REFW10X64-001 ``` -26. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**. +1. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**. -27. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated. +1. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated. - Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures: + Other system restarts will occur to complete updating and preparing the OS. Setup will complete the following procedures: - - Install the Windows 10 Enterprise operating system. + - Install the Windows 10 Enterprise OS. - Install added applications, roles, and features. - - Update the operating system using Windows Update (or WSUS if optionally specified). + - Update the OS using Windows Update (or WSUS if optionally specified). - Stage Windows PE on the local disk. - Run System Preparation (Sysprep) and reboot into Windows PE. - Capture the installation to a Windows Imaging (WIM) file. - Turn off the virtual machine. - This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. + This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. -### Add a Windows 10 operating system image +### Add a Windows 10 OS image 1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: @@ -579,37 +589,39 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64" ``` -2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then click **Add Operating System Image**. +2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then select **Add Operating System Image**. -3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and click **Next**. +3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**. -4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, click **Next** twice, and then click **Close**. +4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**. -5. Distribute the operating system image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** operating system image and then clicking **Distribute Content**. +5. Distribute the OS image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** OS image and then clicking **Distribute Content**. -6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. +6. In the Distribute Content Wizard, select **Next**, select **Add**, select **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, select **OK**, select **Next** twice and then select **Close**. -7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. +7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar. (Make sure there's no space at the end of the location or you'll get an error.) Select **Windows 10 Enterprise x64** and monitor the status of content distribution until it's successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. - >If content distribution is not successful, verify that sufficient disk space is available. + > [!NOTE] + > If content distribution isn't successful, verify that sufficient disk space is available. ### Create a task sequence ->Complete this section slowly. There are a large number of similar settings from which to choose. +> [!TIP] +> Complete this section slowly. There are a large number of similar settings from which to choose. -1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. +1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**. -2. On the Choose Template page, select the **Client Task Sequence** template and click **Next**. +2. On the Choose Template page, select the **Client Task Sequence** template and select **Next**. -3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. +3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**. 4. On the Details page, enter the following settings: - Join a domain: **contoso.com** - - Account: click **Set** + - Account: Select **Set** - User name: **contoso\CM_JD** - Password: **pass@word1** - Confirm password: **pass@word1** - - Click **OK** + - Select **OK** - Windows Settings - User name: **Contoso** - Organization name: **Contoso** @@ -617,43 +629,43 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi - Administrator Account: **Enable the account and specify the local administrator password** - Password: **pass@word1** - Confirm password: **pass@word1** - - Click **Next** + - Select **Next** -5. On the Capture Settings page, accept the default settings and click **Next**. +5. On the Capture Settings page, accept the default settings and select **Next**. -6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**. +6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, select **OK**, and then select **Next**. -7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**. +7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**. -8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**. +8. On the MDT Details page, next to **Name:** type **MDT** and then select **Next**. -9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**. +9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, select **OK**, and then select **Next**. -10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**. +10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and select **Next**. -11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**. +11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, select **OK**, and then select **Next**. -12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**. +12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, select **OK**, and then select **Next**. -13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**. +13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**. -14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and click **Next**. +14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and select **Next**. -15. On the Sysprep Package page, click **Next** twice. +15. On the Sysprep Package page, select **Next** twice. -16. On the Confirmation page, click **Finish**. +16. On the Confirmation page, select **Finish**. ### Edit the task sequence -1. In the Configuration Manager console, in the **Software Library** workspace, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Edit**. +1. In the Configuration Manager console, in the **Software Library** workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Edit**. -2. Scroll down to the **Install** group and click the **Set Variable for Drive Letter** action. +2. Scroll down to the **Install** group and select the **Set Variable for Drive Letter** action. -3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then click **Apply**. +3. Change the Value under **OSDPreserveDriveLetter** from **False** to **True**, and then select **Apply**. -4. In the **State Restore** group, click the **Set Status 5** action, click **Add** in the upper left corner, point to **User State**, and click **Request State Store**. This adds a new action immediately after **Set Status 5**. +4. In the **State Restore** group, select the **Set Status 5** action, select **Add** in the upper left corner, point to **User State**, and select **Request State Store**. This action adds a new step immediately after **Set Status 5**. -5. Configure the **Request State Store** action that was just added with the following settings: +5. Configure this **Request State Store** step with the following settings: - Request state storage location to: **Restore state from another computer** - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox. - Options tab: Select the **Continue on error** checkbox. @@ -661,38 +673,39 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi - Variable: **USMTLOCAL** - Condition: **not equals** - Value: **True** - - Click **OK** - - Click **Apply** + - Select **OK** + - Select **Apply** -6. In the **State Restore** group, click **Restore User State**, click **Add**, point to **User State**, and click **Release State Store**. +6. In the **State Restore** group, select **Restore User State**, select **Add**, point to **User State**, and select **Release State Store**. -7. Configure the **Release State Store** action that was just added with the following settings: +7. Configure this **Release State Store** step with the following settings: - Options tab: Select the **Continue on error** checkbox. - Add Condition: **Task Sequence Variable**: - Variable: **USMTLOCAL** - Condition: **not equals** - Value: **True** - - Click **OK** - - Click **OK** + - Select **OK** + - Select **OK** -### Finalize the operating system configuration +### Finalize the OS configuration ->If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. +> [!NOTE] +> If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. -1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then click **New Deployment Share**. +1. In the MDT deployment workbench on SRV1, right-click **Deployment Shares** and then select **New Deployment Share**. 2. Use the following settings for the New Deployment Share Wizard: - Deployment share path: **C:\MDTProduction** - Share name: **MDTProduction$** - Deployment share description: **MDT Production** - - Options: click **Next** to accept the default - - Summary: click **Next** + - Options: Select **Next** to accept the default + - Summary: Select **Next** - Progress: settings will be applied - - Confirmation: click **Finish** + - Confirmation: Select **Finish** -3. Right-click the **MDT Production** deployment share, and click **Properties**. +3. Right-click the **MDT Production** deployment share, and select **Properties**. -4. Click the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**. +4. Select the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**. 5. Type the following command at an elevated Windows PowerShell prompt on SRV1: @@ -718,42 +731,43 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi ApplyGPOPack=NO ``` - >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: + > [!NOTE] + > To migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: + > + > ```ini + > OSDMigrateAdditionalCaptureOptions=/all + > ``` - ```ini - OSDMigrateAdditionalCaptureOptions=/all - ``` +7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears. -7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. +8. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**. -8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. +9. In the Distribute Content Wizard, select **Next** twice, select **Add**, select **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, select **OK**, select **Next** twice and then select **Close**. -9. In the Distribute Content Wizard, click **Next** twice, click **Add**, click **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. - -10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. +10. Enter **\Monitoring\Overview\Distribution Status\Content Status\Windows 10 Enterprise x64** on the location bar, double-click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it's successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. ### Create a deployment for the task sequence -1. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Deploy**. +1. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**. -2. On the General page, next to **Collection**, click **Browse**, select the **All Unknown Computers** collection, click **OK**, and then click **Next**. +2. On the General page, next to **Collection**, select **Browse**, select the **All Unknown Computers** collection, select **OK**, and then select **Next**. 3. On the Deployment Settings page, use the following settings: - Purpose: **Available** - Make available to the following: **Only media and PXE** - - Click **Next**. -4. Click **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. + - Select **Next**. +4. Select **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages. -5. Click **Close**. +5. Select **Close**. ## Deploy Windows 10 using PXE and Configuration Manager -In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. +In this first deployment scenario, you'll deploy Windows 10 using PXE. This scenario creates a new computer that doesn't have any migrated users or settings. 1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell - New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 + New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 Start-VM PC4 vmconnect localhost PC4 @@ -761,28 +775,28 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce 2. Press ENTER when prompted to start the network boot service. -3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**. +3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then select **Next**. -4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. +4. Before you select **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. 5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. 6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: - X:\Windows\temp\SMSTSLog\smsts.log before disks are formatted. - X:\smstslog\smsts.log after disks are formatted. - - C:\\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Microsoft Endpoint Manager client is installed. - - C:\Windows\ccm\logs\Smstslog\smsts.log after the Microsoft Endpoint Manager client is installed. + - C:\\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Configuration Manager client is installed. + - C:\Windows\ccm\logs\Smstslog\smsts.log after the Configuration Manager client is installed. - C:\Windows\ccm\logs\smsts.log when the task sequence is complete. Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. -7. In the explorer window, click **Tools** and then click **Map Network Drive**. +7. In the explorer window, select **Tools** and then select **Map Network Drive**. -8. Do not map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1. +8. Don't map a network drive at this time. If you need to save the smsts.log file, you can use this method to save the file to a location on SRV1. 9. Close the Map Network Drive window, the Explorer window, and the command prompt. -10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Click **Next** to continue with the deployment. +10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Select **Next** to continue with the deployment. 11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will: - Install Windows 10 @@ -792,7 +806,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce 12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. -13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. +13. Right-click **Start**, select **Run**, type **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image. 14. Shut down the PC4 VM. @@ -801,80 +815,88 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce ## Replace a client with Windows 10 using Configuration Manager ->Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter. +> [!NOTE] +> Before you start this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It's not required to delete the stale entries, this action is only done to remove clutter. ![contoso.com\Computers.](images/poc-computers.png) -In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. +In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to perform this procedure before performing the refresh procedure. After you refresh PC1, the OS will be new. The next (replace) procedure doesn't install a new OS on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer. ### Create a replace task sequence -1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then click **Create MDT Task Sequence**. +1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**. -2. On the Choose Template page, select **Client Replace Task Sequence** and click **Next**. +2. On the Choose Template page, select **Client Replace Task Sequence** and select **Next**. -3. On the General page, type the following: +3. On the General page, type the following information: - Task sequence name: **Replace Task Sequence** - Task sequence comments: **USMT backup only** -4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. -5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. -6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. -7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. -8. On the Summary page, review the details and then click **Next**. -9. On the Confirmation page, click **Finish**. +4. Select **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Select **OK** and then select **Next** to continue. +5. On the MDT Package page, browse and select the **MDT** package. Select **OK** and then select **Next** to continue. +6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Select **OK** and then select **Next** to continue. +7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Select **OK** and then select **Next** to continue. +8. On the Summary page, review the details and then select **Next**. +9. On the Confirmation page, select **Finish**. ->If an error is displayed at this stage it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration. +> [!NOTE] +> If an error is displayed at this stage, it can be caused by a corrupt MDT integration. To repair it, close the Configuration Manager console, remove MDT integration, and then restore MDT integration. ### Deploy PC4 Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell -New-VM –Name "PC4" –NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 +New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 Set-VMMemory -VMName "PC4" -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 2048MB -Buffer 20 Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF ``` ->Hyper-V enables us to define a static MAC address on PC4. In a real-world scenario you must determine the MAC address of the new computer. +> [!NOTE] +> Hyper-V lets you define a static MAC address on PC4. In a real-world scenario, you must determine the MAC address of the new computer. ### Install the Configuration Manager client on PC1 1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md). -2. If a PC1 checkpoint has not already been saved, then save a checkpoint by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +1. If you haven't already saved a checkpoint for PC1, then do it now. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Checkpoint-VM -Name PC1 -SnapshotName BeginState ``` -3. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and click on **Discovery Methods**. -4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. -5. Click the yellow starburst, click **Browse**, select **contoso\Computers**, and then click **OK** three times. -6. When a popup dialog box asks if you want to run full discovery, click **Yes**. -7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): +1. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**. +1. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. +1. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times. +1. When a popup dialog box asks if you want to run full discovery, select **Yes**. +1. In the Assets and Compliance workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): ->If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. + > [!TIP] + > If you don't see the computer account for PC1, select **Refresh** in the upper right corner of the console. -The **Client** column indicates that the Configuration Manager client is not currently installed. This procedure will be carried out next. + The **Client** column indicates that the Configuration Manager client isn't currently installed. This procedure will be carried out next. -8. Sign in to PC1 using the contoso\administrator account and type the following at an elevated command prompt to remove any pre-existing client configuration, if it exists. Note: this command requires an elevated command prompt not an elevated Windows PowerShell prompt: +1. Sign in to PC1 using the contoso\administrator account and type the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists. + + > [!Note] + > This command requires an elevated _command prompt_, not an elevated Windows PowerShell prompt. ```dos sc stop ccmsetup "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall ``` - >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](/archive/blogs/michaelgriswold/manual-removal-of-the-sccm-client). + > [!NOTE] + > If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by `CCMSetup /Uninstall` and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](/archive/blogs/michaelgriswold/manual-removal-of-the-sccm-client). -9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type: +1. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type: ```dos net stop wuauserv net stop BITS ``` - Verify that both services were stopped successfully, then type the following at an elevated command prompt: + Verify that both services were stopped successfully, then type the following command at an elevated command prompt: ```dos del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" @@ -882,131 +904,132 @@ The **Client** column indicates that the Configuration Manager client is not cur bitsadmin /list /allusers ``` - Verify that BITSAdmin displays 0 jobs. + Verify that BITSAdmin displays zero jobs. -10. To install the Configuration Manager client as a standalone process, type the following at an elevated command prompt: +1. To install the Configuration Manager client as a standalone process, type the following command at an elevated command prompt: ```dos "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1 ``` -11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. -12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: +1. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here. +1. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress: ```powershell Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait ``` - Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file and then press **CTRL-C** to break out of the Get-Content operation (if you are viewing the log in Windows PowerShell the last line will be wrapped). A return code of 0 indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. + Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This behavior is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file. Then press **CTRL-C** to break out of the Get-Content operation. If you're viewing the log file in Windows PowerShell, the last line will be wrapped. A return code of `0` indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site. -13. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt: +1. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt: ```dos control smscfgrc ``` -14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: +1. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example: ![site.](images/configmgr-site.png) - If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. + If the client isn't able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the it can't locate the site code is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode**, delete or update this entry. -15. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. +1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**. -16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: +1. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: ![client.](images/configmgr-client.png) - >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. + > [!NOTE] + > It might take several minutes for the client to fully register with the site and complete a client check. When it's complete you will see a green check mark over the client icon as shown above. To refresh the client, select it and then press **F5** or right-click the client and select **Refresh**. ### Create a device collection and deployment -1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. +1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**. 2. Use the following settings in the **Create Device Collection Wizard**: - General > Name: **Install Windows 10 Enterprise x64** - General > Limiting collection: **All Systems** - Membership Rules > Add Rule: **Direct Rule** - - The **Create Direct Membership Rule Wizard** opens, click **Next** + - The **Create Direct Membership Rule Wizard** opens, select **Next** - Search for Resources > Resource class: **System Resource** - Search for Resources > Attribute name: **Name** - Search for Resources > Value: **%** - Select Resources > Value: Select the computername associated with the PC1 VM - - Click **Next** twice and then click **Close** in both windows (Next, Next, Close, then Next, Next, Close) + - Select **Next** twice and then select **Close** in both windows (Next, Next, Close, then Next, Next, Close) 3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed. -4. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64** and then click **Deploy**. +4. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**. 5. Use the following settings in the Deploy Software wizard: - - General > Collection: Click Browse and select **Install Windows 10 Enterprise x64** + - General > Collection: Select Browse and select **Install Windows 10 Enterprise x64** - Deployment Settings > Purpose: **Available** - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE** - - Scheduling > Click **Next** - - User Experience > Click **Next** - - Alerts > Click **Next** - - Distribution Points > Click **Next** - - Summary > Click **Next** - - Verify that the wizard completed successfully and then click **Close** + - Scheduling > select **Next** + - User Experience > select **Next** + - Alerts > select **Next** + - Distribution Points > select **Next** + - Summary > select **Next** + - Verify that the wizard completed successfully and then select **Close** ### Associate PC4 with PC1 -1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then click **Import Computer Information**. +1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then select **Import Computer Information**. -2. On the Select Source page, choose **Import single computer** and click **Next**. +2. On the Select Source page, choose **Import single computer** and select **Next**. 3. On the Single Computer page, use the following settings: - Computer Name: **PC4** - MAC Address: **00:15:5D:83:26:FF** - - Source Computer: \ + - Source Computer: \ -4. Click **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then click the yellow starburst next to **User accounts to migrate**. +4. Select **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then select the yellow starburst next to **User accounts to migrate**. -5. Click **Browse** and then under Enter the object name to select type **user1** and click OK twice. +5. Select **Browse** and then under Enter the object name to select type **user1** and select OK twice. -6. Click the yellow starburst again and repeat the previous step to add the **contoso\administrator** account. +6. Select the yellow starburst again and repeat the previous step to add the **contoso\administrator** account. -7. Click **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, click **Browse**, choose **Install Windows 10 Enterprise x64**, click **OK**, click **Next** twice, and then click **Close**. +7. Select **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, select **Browse**, choose **Install Windows 10 Enterprise x64**, select **OK**, select **Next** twice, and then select **Close**. -8. In the Assets and Compliance workspace, click **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**. +8. In the Assets and Compliance workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**. -9. Right-click the association in the display pane and then click **Specify User Accounts**. You can add or remove user account here. Click **OK**. +9. Right-click the association in the display pane and then select **Specify User Accounts**. You can add or remove user account here. Select **OK**. -10. Right-click the association in the display pane and then click **View Recovery Information**. Note that a recovery key has been assigned, but a user state store location has not. Click **Close**. +10. Right-click the association in the display pane and then select **View Recovery Information**. You'll see that a recovery key has been assigned, but a user state store location hasn't. Select **Close**. -11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example: +11. Select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but don't proceed until PC4 is available. See the following example: ![collection.](images/configmgr-collection.png) ### Create a device collection for PC1 -1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then click **Create Device Collection**. +1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**. 2. Use the following settings in the **Create Device Collection Wizard**: - General > Name: **USMT Backup (Replace)** - General > Limiting collection: **All Systems** - Membership Rules > Add Rule: **Direct Rule** - - The **Create Direct Membership Rule Wizard** opens, click **Next** + - The **Create Direct Membership Rule Wizard** opens, select **Next** - Search for Resources > Resource class: **System Resource** - Search for Resources > Attribute name: **Name** - Search for Resources > Value: **%** - Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example). - - Click **Next** twice and then click **Close** in both windows. + - Select **Next** twice and then select **Close** in both windows. -3. Click **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Do not proceed until this name is displayed. +3. Select **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Don't proceed until this name is displayed. ### Create a new deployment -In the Configuration Manager console, in the Software Library workspace under Operating Systems, click **Task Sequences**, right-click **Replace Task Sequence**, click **Deploy**, and use the following settings: +In the Configuration Manager console, in the **Software Library** workspace, under **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, select **Deploy**, and use the following settings: - General > Collection: **USMT Backup (Replace)** - Deployment Settings > Purpose: **Available** - Deployment Settings > Make available to the following: **Only Configuration Manager Clients** -- Scheduling: Click **Next** -- User Experience: Click **Next** -- Alerts: Click **Next** -- Distribution Points: Click **Next** -- Click **Next** and then click **Close**. +- Scheduling: Select **Next** +- User Experience: Select **Next** +- Alerts: Select **Next** +- Distribution Points: Select **Next** +- Select **Next** and then select **Close**. ### Verify the backup @@ -1016,21 +1039,22 @@ In the Configuration Manager console, in the Software Library workspace under Op control smscfgrc ``` -2. On the **Actions** tab, click **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, click **OK**, and then click **OK** again. This is one method that can be used to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. +2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, select **OK**, and then select **OK** again. This method is one that you can use to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure. -3. Type the following at an elevated command prompt to open the Software Center: +3. Type the following command at an elevated command prompt to open the Software Center: ```dos C:\Windows\CCM\SCClient.exe ``` -4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: +4. In Software Center, select **Available Software**, and then select the **Replace Task Sequence** checkbox. See the following example: ![software.](images/configmgr-software-cntr.png) - >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. + > [!NOTE] + > If you don't see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. -5. Click **INSTALL SELECTED** and then click **INSTALL OPERATING SYSTEM**. +5. Select **INSTALL SELECTED** and then select **INSTALL OPERATING SYSTEM**. 6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup. ### Deploy the new computer @@ -1042,10 +1066,13 @@ In the Configuration Manager console, in the Software Library workspace under Op vmconnect localhost PC4 ``` -1. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and click **Next**. +1. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**. 1. Choose the **Windows 10 Enterprise X64** image. -1. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. -1. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs. +1. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. +1. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host. + + > [!Note] + > The next procedure will install a new OS on PC1, and update its status in Configuration Manager and in Active Directory as a Windows 10 device. So you can't return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this action for all VMs. To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: @@ -1059,23 +1086,19 @@ In the Configuration Manager console, in the Software Library workspace under Op ### Initiate the computer refresh -1. On SRV1, in the Assets and Compliance workspace, click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. -2. Right-click the computer account for PC1, point to **Client Notification**, click **Download Computer Policy**, and click **OK** in the popup dialog box. -3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. -4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: +1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. +2. Right-click the computer account for PC1, point to **Client Notification**, select **Download Computer Policy**, and select **OK** in the popup dialog box. +3. On PC1, in the notification area, select **New software is available** and then select **Open Software Center**. +4. In the Software Center, select **Operating Systems**, select **Windows 10 Enterprise x64**, select **Install** and then select **INSTALL OPERATING SYSTEM**. See the following example: ![installOS.](images/configmgr-install-os.png) - The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: + The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example: ![asset.](images/configmgr-asset.png) You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. - When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. + When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise OS. - ![post-refresh.](images/configmgr-post-refresh.png) - -## Related Topics - -[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) + ![post-refresh.](images/configmgr-post-refresh.png) diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 05c3aa3b4d..70f2060fee 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -1,66 +1,59 @@ --- title: Configure a test lab to deploy Windows 10 -description: In this article, you will learn about concepts and procedures for deploying Windows 10 in a proof of concept lab environment. -ms.custom: seo-marvel-apr2020 +description: Learn about concepts and procedures for deploying Windows 10 in a proof of concept lab environment. ms.reviewer: manager: dougeby -ms.audience: itpro ms.author: aaroncz author: aczechowski ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, mdt, sccm +ms.technology: windows ms.localizationpriority: medium -audience: itpro -ms.topic: article +ms.topic: tutorial +ms.date: 05/12/2022 --- # Step by step guide: Configure a test lab to deploy Windows 10 -**Applies to** +*Applies to* -- Windows 10 +- Windows 10 -This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. +This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. > [!NOTE] -> Microsoft also offers a pre-configured lab using an evaluation version of Configuration Manager. For more information, see [Windows and Office deployment and management lab kit](/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab). +> Microsoft also offers a pre-configured lab using an evaluation version of Configuration Manager. For more information, see [Windows and Office deployment and management lab kit](/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab). This lab guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: -- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
-- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) +- [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md) -The PoC deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that are not familiar with these tools, and those that are interested in setting up a proof of concept environment. The instructions in this guide should not be used in a production setting, and are not meant to replace the instructions found in production deployment guidance. +The proof of concept (PoC) deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that aren't familiar with these tools, and you want to set up a PoC environment. Don't use the instructions in this guide in a production setting. They aren't meant to replace the instructions found in production deployment guidance. -Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software. +Approximately 3 hours are required to configure the PoC environment. You'll need a Hyper-V capable computer running Windows 8.1 or later with at least 16 GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. -Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. +Windows PowerShell commands are provided to set up the PoC environment quickly. You don't need to be an expert in Windows PowerShell to complete the steps in the guide, however you'll need to customize some commands to your environment. > [!TIP] > Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. -> -> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. +> +> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with `cmd /c`. You can also escape special characters in the command using the back-tick character (\`). In most cases, the simplest action is to type `cmd` and enter a command prompt, type the necessary commands, then type `exit` to return to Windows PowerShell. -Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. +Hyper-V is installed, configured and used extensively in this guide. If you aren't familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. ## In this guide -This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, your virtual switch settings must be modified to match those used in this guide, or the steps in this guide can be modified to use your existing Hyper-V settings. +This guide contains instructions for three general procedures: Install Hyper-V, configure Hyper-V, and configure VMs. If you already have a computer running Hyper-V, you can use this computer and skip the first procedure. In this case, modify your virtual switch settings to match the settings used in this guide. Alternatively, you can modify the steps in this guide to use your existing Hyper-V settings. -After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. +After completing the instructions in this guide, you'll have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. +The procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. -
- -|Topic|Description|Time| +|Procedure|Description|Time| |--- |--- |--- | |[Hardware and software requirements](#hardware-and-software-requirements)|Prerequisites to complete this guide.|Informational| |[Lab setup](#lab-setup)|A description and diagram of the PoC environment.|Informational| -|[Configure the PoC environment](#configure-the-poc-environment)|Parent topic for procedures.|Informational| +|[Configure the PoC environment](#configure-the-poc-environment)|Parent section for procedures.|Informational| |[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)|Verify that installation of Hyper-V is supported, and install the Hyper-V server role.|10 minutes| |[Download VHD and ISO files](#download-vhd-and-iso-files)|Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.|30 minutes| |[Convert PC to VM](#convert-pc-to-vm)|Convert a physical computer on your network to a VM hosted in Hyper-V.|30 minutes| @@ -75,31 +68,23 @@ Topics and procedures in this guide are summarized in the following table. An es One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. -- **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. -- **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2. +- **Computer 1**: the computer you'll use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. +- **Computer 2**: a client computer from your network. It's shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you don't have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you can't create this VM using computer 2. Hardware requirements are displayed below: -
- -||Computer 1 (required)|Computer 2 (recommended)| +| |Computer 1 (required)|Computer 2 (recommended)| |--- |--- |--- | |**Role**|Hyper-V host|Client computer| -|**Description**|This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.|This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.| -|**OS**|Windows 8.1/10 or Windows Server 2012/2012 R2/2016*|Windows 7 or a later| +|**Description**|This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module.|This computer is a Windows 8.1 client on your network that will be converted to a VM to demonstrate the upgrade process.| +|**OS**|Windows 8.1/10 or Windows Server 2012/2012 R2/2016|Windows 8.1 or a later| |**Edition**|Enterprise, Professional, or Education|Any| -|**Architecture**|64-bit|Any

*Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.*| -|**RAM**|8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
16 GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.|Any| -|**Disk**|200 GB available hard disk space, any format.|Any size, MBR formatted.| +|**Architecture**|64-bit|Any

Retaining applications and settings requires that architecture (32-bit or 64-bit) is the same before and after the upgrade.| +|**RAM**|8-GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
16-GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.|Any| +|**Disk**|200-GB available hard disk space, any format.|Any size, MBR formatted.| |**CPU**|SLAT-Capable CPU|Any| |**Network**|Internet connection|Any| -\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide. - -The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. - - - ## Lab setup The lab architecture is summarized in the following diagram: @@ -107,13 +92,13 @@ The lab architecture is summarized in the following diagram: ![PoC diagram.](images/poc.png) - Computer 1 is configured to host four VMs on a private, PoC network. - - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. - - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. + - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. + - Two VMs are client systems: One VM is intended to mirror a host on your network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. > [!NOTE] > If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide. -The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if required. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that is not directly connected to the corporate network. This mitigates the risk of clients on the corporate network receiving DHCP leases from the PoC network (i.e. "rogue" DHCP), and limits NETBIOS service broadcasts. +The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if necessary. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that isn't directly connected to the network. This action mitigates the risk of clients on the network receiving DHCP leases from the PoC network. In other words, a "rogue" DHCP server. It also limits NETBIOS service broadcasts. ## Configure the PoC environment @@ -122,16 +107,16 @@ The lab architecture is summarized in the following diagram: ### Procedures in this section -[Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
-[Download VHD and ISO files](#download-vhd-and-iso-files)
-[Convert PC to VM](#convert-pc-to-vm)
-[Resize VHD](#resize-vhd)
-[Configure Hyper-V](#configure-hyper-v)
-[Configure VMs](#configure-vms)
+- [Verify support and install Hyper-V](#verify-support-and-install-hyper-v) +- [Download VHD and ISO files](#download-vhd-and-iso-files) +- [Convert PC to VM](#convert-pc-to-vm) +- [Resize VHD](#resize-vhd) +- [Configure Hyper-V](#configure-hyper-v) +- [Configure VMs](#configure-vms) ### Verify support and install Hyper-V -Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. +Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. 1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: @@ -147,7 +132,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon In this example, the computer supports SLAT and Hyper-V. - If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. + If one or more requirements are evaluated as **No**, then the computer doesn't support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example: @@ -169,19 +154,19 @@ Starting with Windows 8, the host computer’s microprocessor must support secon > [!NOTE] > A 64-bit operating system is required to run Hyper-V. -2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: +2. The Hyper-V feature isn't installed by default. To install it, open an elevated Windows PowerShell window and type the following command: ```powershell Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All ``` - This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: + This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an extra command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: ```powershell Install-WindowsFeature -Name Hyper-V -IncludeManagementTools ``` - When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. + When you're prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: @@ -189,37 +174,41 @@ Starting with Windows 8, the host computer’s microprocessor must support secon ![hyper-v.](images/svr_mgr2.png) - If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. + If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**. ### Download VHD and ISO files -When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account. +When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. -1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. +1. Create a directory on your Hyper-V host named **C:\VHD**. Download a single VHD file for **Windows Server** to the **C:\VHD** directory. + + > [!NOTE] + > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). + > + > The currently available downloads are Windows Server 2019 or Windows Server 2022. The rest of this article refers to "Windows Server 2012 R2" and similar variations. > [!IMPORTANT] > This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. - After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. - - :::image type="content" alt-text="VHD" source="images/download_vhd.png"::: - -2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type. +2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. Do this action to make the filename simple to recognize and type. 3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. -4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host. +4. Download the **Windows 10 Enterprise** ISO file to the **C:\VHD** directory on your Hyper-V host. - During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. + > [!NOTE] + > The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). + + You can select the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version. > [!NOTE] - > The evaluation version of Windows 10 does not support in-place upgrade**. + > The evaluation version of Windows 10 doesn't support in-place upgrade**. -5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. +5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. This step is so that the filename is simple to type and recognize. - After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. + After completing these steps, you'll have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. - The following displays the procedures described in this section, both before and after downloading files: + The following example displays the procedures described in this section, both before and after downloading files: ```console C:>mkdir VHD @@ -237,17 +226,17 @@ When you have completed installation of Hyper-V on the host computer, begin conf ### Convert PC to VM > [!IMPORTANT] -> Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. +> Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network. -If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM: +If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM: -1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page. +1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page. 2. Under **Virtual machine**, choose **IE11 on Win7**. -3. Under **Select platform** choose **HyperV (Windows)**. -4. Click **Download .zip**. The download is 3.31 GB. +3. Under **Select platform**, choose **HyperV (Windows)**. +4. Select **Download .zip**. The download is 3.31 GB. 5. Extract the zip file. Three directories are created. 6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory. -7. Rename **IE11 - Win7.vhd** to **w7.vhd** (do not rename the file to w7.vhdx). +7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx). 8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**. If you have a PC available to convert to VM (computer 2): @@ -255,7 +244,7 @@ If you have a PC available to convert to VM (computer 2): 1. Sign in on computer 2 using an account with Administrator privileges. > [!IMPORTANT] - > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network. + > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the network. 2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required. 3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). @@ -278,7 +267,7 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type ``` -If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: +If the **Type** column doesn't indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT: ```powershell PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type @@ -345,12 +334,11 @@ The following tables display the Hyper-V VM generation to choose based on the OS > [!NOTE] > ->- If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). -> ->- If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm). -> ->- If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm). - +> - If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). +> +> - If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the `mountvol` command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm). +> +> - If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm). #### Prepare a generation 1 VM @@ -361,16 +349,16 @@ The following tables display the Hyper-V VM generation to choose based on the OS 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. +3. Select the checkboxes next to the `C:\` and the **system reserved** (BIOS/MBR) volumes. The system volume isn't assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to `\?\Volume{`. See the following example. > [!IMPORTANT] - > You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). + > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). -4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: +4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and select **Create**. See the following example: ![disk2vhd 1.](images/disk2vhd.png) - Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better, however, when the VHD is saved on a disk different than those being converted, such as a flash drive. + Disk2vhd can save VHDs to local hard drives, even if they're the same as the volumes being converted. Performance is better, however, when the VHD is saved on a disk different than the disks being converted, such as a flash drive. 5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: @@ -398,16 +386,16 @@ The following tables display the Hyper-V VM generation to choose based on the OS This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). 3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. +4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy won't work if the EFI system partition is selected. > [!IMPORTANT] > You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. -5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example: +5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and select **Create**. See the following example: ![disk2vhd 2.](images/disk2vhd-gen2.png) - Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + Disk2vhd can save VHDs to local hard drives, even if they're the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those disks being converted, such as a flash drive. 6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: @@ -426,16 +414,16 @@ The following tables display the Hyper-V VM generation to choose based on the OS You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. +3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. > [!NOTE] - > The system volume is not copied in this scenario, it will be added later. + > The system volume isn't copied in this scenario, it will be added later. -4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: +4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and select **Create**. See the following example: ![disk2vhd 3.](images/disk2vhd4.png) - Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive. + Disk2vhd can save VHDs to local hard drives, even if they're the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those disks being converted, such as a flash drive. 5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory: @@ -447,14 +435,12 @@ The following tables display the Hyper-V VM generation to choose based on the OS w7.VHD ``` - In its current state, the w7.VHD file is not bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. + In its current state, the w7.VHD file isn't bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section. -### Resize VHD - -Enhanced session mode +### Enhanced session mode > [!IMPORTANT] -> Before proceeding, verify that you can take advantage of [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. +> Before proceeding, verify that you can take advantage of [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: @@ -462,11 +448,11 @@ To ensure that enhanced session mode is enabled on the Hyper-V host, type the fo Set-VMhost -EnableEnhancedSessionMode $TRUE ``` -If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. +If enhanced session mode wasn't previously enabled, close any existing virtual machine connections and reopen them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. -

+### Resize VHD -The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. +The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 100 GB to support installing imaging tools and storing OS images. 1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: @@ -487,15 +473,15 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": - If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options: + If the Hyper-V host already has an external virtual switch bound to a physical NIC, don't attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options: **A**: Remove the existing external virtual switch, then add the poc-external switch **B**: Rename the existing external switch to "poc-external" - **C**: Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
+ **C**: Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch - If you choose B) or C), then do not run the second command below. + If you choose B) or C), then don't run the second command below. ```powershell New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network" @@ -505,7 +491,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to > [!NOTE] > The second command above will temporarily interrupt network connectivity on the Hyper-V host. - Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External" + Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this action by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet (`$_.Status -eq "Up" -and !$_.Virtual`). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation won't work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the internet is named "Ethernet 2" then type the following command to create an external virtual switch: `New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"` 2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host: @@ -513,9 +499,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to (Get-VMHostNumaNode).MemoryAvailable ``` - This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer is not also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available than this, try closing applications to free up more memory. + This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer isn't also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available, try closing applications to free up more memory. -3. Determine the available memory for VMs by dividing the available RAM by 4. For example: +3. Determine the available memory for VMs by dividing the available RAM by 4. For example: ```powershell (Get-VMHostNumaNode).MemoryAvailable/4 @@ -566,7 +552,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to > [!NOTE] > The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed. - First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands: + First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Don't forget to include a pipe (`|`) at the end of the first five commands: ```powershell New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB | @@ -592,10 +578,10 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to The VM will automatically boot into Windows Setup. In the PC1 window: - 1. Click **Next**. - 2. Click **Repair your computer**. - 3. Click **Troubleshoot**. - 4. Click **Command Prompt**. + 1. Select **Next**. + 2. Select **Repair your computer**. + 3. Select **Troubleshoot**. + 4. Select **Command Prompt**. 5. Type the following command to save an image of the OS drive: ```console @@ -626,8 +612,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to exit ``` - 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). - 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. + 8. Select **Continue** and verify the VM boots successfully. Don't boot from DVD. + 9. Select **Ctrl+Alt+Del**, and then in the bottom right corner, select **Shut down**. 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: ```powershell @@ -644,9 +630,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to vmconnect localhost DC1 ``` -2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**. -3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. -4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. +2. Select **Next** to accept the default settings, read the license terms and select **I accept**, provide a strong administrator password, and select **Finish**. +3. Select **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. +4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM. 5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: ```powershell @@ -699,9 +685,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force ``` - The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we have not configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this by using the command: Get-DhcpServerv4Lease -ScopeId 192.168.0.0. + The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we haven't configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this configuration by using the command: `Get-DhcpServerv4Lease -ScopeId 192.168.0.0` -11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: +11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1: ```powershell Get-DnsServerForwarder @@ -717,7 +703,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to ReorderedIPAddress : 192.168.0.2 ``` - If this output is not displayed, you can use the following command to add SRV1 as a forwarder: + If this output isn't displayed, you can use the following command to add SRV1 as a forwarder: ```powershell Add-DnsServerForwarder -IPAddress 192.168.0.2 @@ -725,9 +711,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to **Configure service and user accounts** - Windows 10 deployment with MDT and Microsoft Endpoint Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. + Windows 10 deployment with Configuration Manager and MDT requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire. - To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + To keep this test lab relatively simple, we won't create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) On DC1, open an elevated Windows PowerShell prompt and type the following commands: @@ -746,9 +732,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 12. Minimize the DC1 VM window but **do not stop** the VM. - Next, the client VM will be started and joined to the contoso.com domain. This is done before adding a gateway to the PoC network so that there is no danger of duplicate DNS registrations for the physical client and its cloned VM in the corporate domain. + Next, the client VM will be started and joined to the contoso.com domain. This action is done before adding a gateway to the PoC network so that there's no danger of duplicate DNS registrations for the physical client and its cloned VM in the domain. -13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: +13. If the PC1 VM isn't started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it: ```powershell Start-VM PC1 @@ -757,19 +743,19 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 14. Sign in to PC1 using an account that has local administrator rights. - PC1 will be disconnected from its current domain, so you cannot use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. + PC1 will be disconnected from its current domain, so you can't use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account. -15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. +15. After you sign in, Windows detects that it's running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you'll be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area. ![PoC 1.](images/installing-drivers.png) - If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. + If the client was configured with a static address, you must change this address to a dynamic one so that it can obtain a DHCP lease. -16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. +16. When the new network adapter driver has completed installation, you'll receive an alert to set a network location for the contoso.com network. Select **Work network** and then select **Close**. When you receive an alert that a restart is required, select **Restart Later**. 17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. - To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows PowerShell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection: + To open Windows PowerShell on Windows 7, select **Start**, and search for "**power**." Right-click **Windows PowerShell** and then select **Pin to Taskbar** so that it's simpler to use Windows PowerShell during this lab. Select **Windows PowerShell** on the taskbar, and then type `ipconfig` at the prompt to see the client's current IP address. Also type `ping dc1.contoso.com` and `nltest /dsgetdc:contoso.com` to verify that it can reach the domain controller. See the following examples of a successful network connection: ```console ipconfig @@ -803,9 +789,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to ``` > [!NOTE] - > If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. + > If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it's possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. -18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: +18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then select **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: ```powershell (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0) @@ -816,13 +802,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Restart-Computer ``` - If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. + If you don't see the script pane, select **View** and verify **Show Script Pane Top** is enabled. Select **File** and then select **New**. See the following example: :::image type="content" alt-text="ISE 1." source="images/ISE.png" lightbox="images/ISE.png"::: -19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. +19. Select **File**, select **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host. 20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1: @@ -832,9 +818,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to ``` > [!NOTE] - > In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. + > In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. - If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. + If the copy-vmfile command doesn't work and you can't properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode isn't available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the `.ps1` extension and not as a text (`.txt`) file. 21. On PC1, type the following commands at an elevated Windows PowerShell prompt: @@ -842,14 +828,14 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Get-Content c:\pc1.ps1 | powershell.exe -noprofile - ``` - The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. + The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the network so as to ensure the computer object in the domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. 22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. > [!IMPORTANT] > The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. -23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. +23. Minimize the PC1 window but don't turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This action verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. 24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands: @@ -858,7 +844,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to vmconnect localhost SRV1 ``` -25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. +25. Accept the default settings, read license terms and accept them, provide a strong administrator password, and select **Finish**. When you're prompted about finding PCs, devices, and content on the network, select **Yes**. 26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. @@ -892,12 +878,12 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Install-WindowsFeature -Name Routing -IncludeManagementTools ``` -30. Before configuring the routing service that was just installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. +30. Before configuring the routing service that was installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease. To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below: ```powershell - Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias + Get-NetAdapter | ? status -eq 'up' | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias IPAddress InterfaceAlias --------- -------------- @@ -905,11 +891,10 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 192.168.0.2 Ethernet ``` - In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings. - - >[!TIP] - >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name. + In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your network. If so, you can try removing and readding the second network interface from the SRV1 VM through its Hyper-V settings. + > [!TIP] + > Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name. 31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1: @@ -921,19 +906,19 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE ``` -32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: +32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This step can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command: ```powershell Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1 ``` -33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: +33. In most cases, this process completes configuration of the PoC network. However, if your network has a firewall that filters queries from local DNS servers, you'll also need to configure a server-level DNS forwarder on SRV1 to resolve internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example: ```powershell ping www.microsoft.com ``` - If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. + If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you'll need to configure a server-level DNS forwarder on SRV1. To do this action, open an elevated Windows PowerShell prompt on SRV1 and type the following command. > [!NOTE] > This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name: @@ -942,7 +927,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses ``` -34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK): +34. If DNS and routing are both working correctly, you'll see the following output on DC1 and PC1 (the IP address might be different, but that's OK): ```powershell PS C:\> ping www.microsoft.com @@ -959,15 +944,15 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Minimum = 1ms, Maximum = 3ms, Average = 2ms ``` -35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information. -36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: +35. Verify that all three VMs can reach each other, and the internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information. +36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in three days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1: ```powershell runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm" Restart-Computer ``` -This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides. +This process completes configuration of the starting PoC environment. More services and tools are installed in subsequent guides. ## Appendix A: Verify the configuration @@ -987,19 +972,19 @@ Use the following procedures to verify that the PoC environment is configured pr ``` **Get-Service** displays a status of "Running" for all three services. - + **DCDiag** displays "passed test" for all tests. - - **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Additional address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered. - + + **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Other address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered. + **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2. - + **Resolve-DnsName** displays public IP address results for `www.microsoft.com`. **Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`. - - **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host). - + + **Get-DhcpServerv4Statistics** displays one scope with two addresses in use. These addresses belong to PC1 and the Hyper-V host. + **ipconfig** displays a primary DNS suffix and suffix search list of `contoso.com`, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2. 2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands: @@ -1014,13 +999,13 @@ Use the following procedures to verify that the PoC environment is configured pr **Get-Service** displays a status of "Running" for both services. - **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you are required to use so that SRV1 can resolve Internet names. + **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you're required to use so that SRV1 can resolve internet names. **Resolve-DnsName** displays public IP address results for `www.microsoft.com`. - **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your corporate domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP addresses of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your corporate network. + **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP address of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your network. - **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your corporate network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. + **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1. 3. On PC1, open an elevated Windows PowerShell prompt and type the following commands: @@ -1038,11 +1023,10 @@ Use the following procedures to verify that the PoC environment is configured pr **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`. - **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it cannot be resolved, "..could not find host" will be displayed and if the target is found and also responds to ICMP, you will see "Reply from" and the IP address of the target. + **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "could not find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target. **tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination. - ## Appendix B: Terminology used in this guide |Term|Definition| @@ -1058,9 +1042,6 @@ Use the following procedures to verify that the PoC environment is configured pr |Virtual switch|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.| |VM snapshot|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.| -## Related Topics - +## Next steps [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) - - diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 03e2aee015..f0e2079b1c 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -1,63 +1,60 @@ --- title: Demonstrate Autopilot deployment manager: dougeby -description: In this article, find step-by-step instructions on how to set up a Virtual Machine with a Windows Autopilot deployment. -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade +description: Step-by-step instructions on how to set up a virtual machine with a Windows Autopilot deployment. ms.prod: w10 -ms.mktglfcycl: deploy +ms.technology: windows ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy author: aczechowski ms.author: aaroncz ms.collection: - M365-modern-desktop - highpri -ms.topic: article -ms.custom: - - autopilot - - seo-marvel-apr2020 +ms.topic: tutorial +ms.date: 05/12/2022 --- - # Demonstrate Autopilot deployment -**Applies to** +*Applies to* - Windows 10 -To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10. +To get started with Windows Autopilot, you should try it out with a virtual machine (VM). You can also use a physical device that will be wiped and then have a fresh install of Windows 10. -In this topic, you'll learn how to set up a Windows Autopilot deployment for a VM using Hyper-V. +In this article, you'll learn how to set up a Windows Autopilot deployment for a VM using Hyper-V. > [!NOTE] -> Although there are [multiple platforms](/mem/autopilot/add-devices#registering-devices) available to enable Autopilot, this lab primarily uses Intune. +> Although there are [multiple platforms](/mem/autopilot/add-devices#registering-devices) available to enable Autopilot, this lab primarily uses Microsoft Intune. > -> Hyper-V and a VM are not required for this lab. You can use a physical device instead. However, the instructions assume that you're using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual. +> Hyper-V and a VM aren't required for this lab. You can use a physical device instead. However, the instructions assume that you're using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to _device_ in the guide refer to the client device, either physical or virtual. The following video provides an overview of the process: -
- +> [!VIDEO https://www.youtube.com/embed/KYVptkpsOqs] +> [!TIP] > For a list of terms used in this guide, see the [Glossary](#glossary) section. ## Prerequisites -These are the things you'll need to complete this lab: +You'll need the following components to complete this lab: -| | Description | +| Component | Description | |:---|:---| -|**Windows 10 installation media**|Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, General Availability Channel. If you don't already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.| -|**Internet access**|If you're behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the internet.| +|**Windows 10 installation media**|Windows 10 Professional or Enterprise ISO file for a supported version of Windows 10, general availability channel. If you don't already have an ISO to use, download an evaluation version of Windows 10 Enterprise.| +|**Internet access**|If you're behind a firewall, see the detailed [networking requirements](/mem/autopilot/software-requirements#networking-requirements). Otherwise, just make sure that you have a connection to the internet.| |**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.| -|**An account with Azure Active Directory (AD) Premium license**|This guide will describe how to obtain a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.| +|**An account with Azure Active Directory (Azure AD) Premium license**|This guide will describe how to get a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.| + +> [!NOTE] +> The Microsoft Evaluation Center is temporarily unavailable. To access Windows client evaluation media, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). ## Procedures A summary of the sections and procedures in the lab is provided below. Follow each section in the order it's presented, skipping the sections that don't apply to you. Optional procedures are provided in the appendices. -If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or a later version. +If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or later. - [Verify support for Hyper-V](#verify-support-for-hyper-v) - [Enable Hyper-V](#enable-hyper-v) @@ -107,7 +104,7 @@ To enable Hyper-V, open an elevated Windows PowerShell prompt and run the follow Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All ``` -This command works on all operating systems that support Hyper-V. However, on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed. So, if you're using Windows Server, you can just type the following command instead of using the **Enable-WindowsOptionalFeature** command: +This command works on all operating systems that support Hyper-V. However, on Windows Server operating systems you must type another command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed. So, if you're using Windows Server, you can just type the following command instead of using the **Enable-WindowsOptionalFeature** command: ```powershell Install-WindowsFeature -Name Hyper-V -IncludeManagementTools @@ -139,17 +136,18 @@ To use Windows PowerShell, you need to know two things: 2. The name of the network interface that connects to the internet. - In the example, you'll use a Windows PowerShell command to determine this automatically. + In the example, you'll use a Windows PowerShell command to determine this information automatically. After you determine the ISO file location and the name of the appropriate network interface, you can install Windows 10. ### Set ISO file location -You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise from [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). +Download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise. Choose a 64-bit version. -When asked to select a platform, choose **64 bit**. +> [!NOTE] +> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125). -After you download this file, the name will be extremely long (ex: 19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). +After you download an ISO file, the name will be long. For example, `19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso` 1. So that it's easier to type and remember, rename the file to **win10-eval.iso**. @@ -165,9 +163,9 @@ The **Get-NetAdaper** cmdlet is used to automatically find the network adapter t (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name ``` -The output of this command should be the name of the network interface you use to connect to the internet. Verify that this is the correct interface name. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name. +The output of this command should be the name of the network interface you use to connect to the internet. Verify that this interface name is correct. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name. -For example, if the command above displays **Ethernet** but you wish to use **Ethernet2**, then the first command below would be **New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**. +For example, if the command above displays **Ethernet** but you wish to use **Ethernet2**, then the first command below would be `New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2` ### Use Windows PowerShell to create the demo VM @@ -176,7 +174,7 @@ All VM data will be created under the current path in your PowerShell prompt. Co > [!IMPORTANT] > **VM switch**: a VM switch is how Hyper-V connects VMs to a network. > ->- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal." +>- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to `AutopilotExternal`. >- If you have never created an external VM switch before, then just run the commands below. >- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a current list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch). @@ -187,9 +185,9 @@ Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot Start-VM -VMName WindowsAutopilot ``` -After you enter these commands, connect to the VM that you just created. Double-click the VM in Hyper-V Manager to connect to it. Then wait for a prompt to press a key and boot from the DVD. +After you enter these commands, connect to this VM. Double-click the VM in Hyper-V Manager to connect to it. Then wait for a prompt to press a key and boot from the DVD. -See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the **vmconnect.exe** command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM. +See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the **vmconnect.exe** command is used, which is only available on Windows Server. If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM. 
 PS C:\autopilot> dir c:\iso
@@ -250,7 +248,7 @@ Make sure that the VM booted from the installation ISO, select **Next**, select
 
    ![Windows setup example 6](images/winsetup6.png)
 
-After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen.  This offers the fastest way to the desktop. For example:
+After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen.  This option offers the fastest way to the desktop. For example:
 
    ![Windows setup example 7.](images/winsetup7.png)
 
@@ -259,7 +257,7 @@ Once the installation is complete, sign in and verify that you're at the Windows
    > [!div class="mx-imgBorder"]
    > ![Windows setup example 8.](images/winsetup8.png)
 
-To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM), and then run the following:
+To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM), and then run the following command:
 
 ```powershell
 Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
@@ -327,7 +325,7 @@ Follow these steps to run the PowerShell script:
     
     PS C:\HWID>
     ```
-    
+
 1. Verify that there's an **AutopilotHWID.csv** file in the **c:\HWID** directory that's about 8 KB in size. This file contains the complete 4K HH.
 
    > [!NOTE]
@@ -335,19 +333,20 @@ Follow these steps to run the PowerShell script:
 
    ![Serial number and hardware hash.](images/hwid.png)
 
-   You'll need to upload this data into Intune to register your device for Autopilot. So, the next step is to transfer this file to the computer you'll use to access the Azure portal. If you're using a physical device instead of a VM, you can copy the file to a USB drive. If you’re using a VM, you can right-click the **AutopilotHWID.csv** file and copy it. Then right-click and paste the file to your desktop (outside the VM).
+   You'll need to upload this data into Intune to register your device for Autopilot. So, the next step is to transfer this file to the computer you'll use to access the Azure portal. If you're using a physical device instead of a VM, you can copy the file to a USB drive. If you're using a VM, you can right-click the **AutopilotHWID.csv** file and copy it. Then right-click and paste the file to your desktop (outside the VM).
 
-   If you have trouble copying and pasting the file, just view the contents in Notepad on the VM, and then copy the text into Notepad outside the VM. Don't use another text editor to do this.
+   If you have trouble copying and pasting the file, just view the contents in Notepad on the VM, and then copy the text into Notepad outside the VM. Don't use another text editor.
 
    > [!NOTE]
    > When copying and pasting to or from VMs, avoid selecting other things with your mouse cursor in between the copy and paste process. Doing so can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
 
 ## Reset the VM back to Out-Of-Box-Experience (OOBE)
 
-With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
+With the hardware ID captured in a file, prepare your VM for Windows Autopilot deployment by resetting it back to OOBE.
 
-On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**.
-Select **Remove everything**, then, on **How would you like to reinstall Windows**, select **Local reinstall**. Finally, select **Reset**.
+1. On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**.
+1. Select **Remove everything**. On **How would you like to reinstall Windows**, select **Local reinstall**.
+1. Finally, select **Reset**.
 
 ![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg)
 
@@ -357,13 +356,13 @@ Resetting the VM or device can take a while. Proceed to the next step (verify su
 
 ## Verify subscription level
 
-For this lab, you need an Azure AD Premium subscription. To tell if you have a Premium subscription, go to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example:
+For this lab, you need an Azure AD Premium subscription. To tell if you have a Premium subscription, go to [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) in the Azure portal. See the following example:
 
 **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
 
 ![MDM and Intune.](images/mdm-intune2.png)
 
-If the configuration blade shown above doesn't appear, it's likely that you don't have a **Premium** subscription.  Auto-enrollment is a feature only available in Azure AD Premium.
+If this configuration doesn't appear, it's likely that you don't have a **Premium** subscription.  Auto-enrollment is a feature only available in Azure AD Premium.
 
 To convert your Intune trial account to a free Premium trial account, go to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
 
@@ -414,7 +413,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
 
     You should receive confirmation that the file is formatted correctly before you upload it, as shown above.
 
-3. Select **Import** and wait until the import process completes. This can take up to 15 minutes.
+3. Select **Import** and wait until the import process completes. This action can take up to 15 minutes.
 
 4. Select **Refresh** to verify your VM or device is added. See the following example.
 
@@ -465,7 +464,7 @@ The Autopilot deployment profile wizard asks for a device group, so you must cre
 
 1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
 
-2. In the **Group** blade:
+2. In the **Group** pane:
     1. For **Group type**, choose **Security**.
     2. Type a **Group name** and **Group description** (ex: Autopilot Lab).
     3. Azure AD roles can be assigned to the group: **No**
@@ -490,7 +489,7 @@ Select **Create profile** and then select **Windows PC**.
 > [!div class="mx-imgBorder"]
 > ![Create deployment profile.](images/create-profile.png)
 
-On the **Create profile** blade, use the following values:
+On the **Create profile** pane, use the following values:
 
 | Setting | Value |
 |---|---|
@@ -580,7 +579,7 @@ To confirm the profile was successfully assigned to the intended device, check t
 
 ## See Windows Autopilot in action
 
-If you shut down your VM after the last reset, it's time to start it back up again so it can progress through the Autopilot OOBE experience. However, don't attempt to start your device again until the **PROFILE STATUS** for your device in Intune is changed from **Not assigned** to **Assigning**, and finally to **Assigned**:
+If you shut down your VM after the last reset, start it again. Then it can progress through the Autopilot OOBE experience. However, don't attempt to start your device again until the **PROFILE STATUS** for your device in Intune is changed from **Not assigned** to **Assigning**, and finally to **Assigned**:
 
 > [!div class="mx-imgBorder"]
 > ![Device status.](images/device-status.png)
@@ -596,7 +595,7 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com
 
 ![OOBE sign-in page.](images/autopilot-oobe.png)
 
-Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**. Then, **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
+After the device loads the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go to the Intune portal, and select **Devices > All devices**. Then **Refresh** the data to verify that your device has changed to an enabled state, and the name of the device is updated.
 
 > [!div class="mx-imgBorder"]
 > ![Device enabled.](images/devices1.png)
@@ -619,9 +618,9 @@ You need to delete (or retire, or factory reset) the device from Intune before d
 > [!div class="mx-imgBorder"]
 > ![Delete device step 1.](images/delete-device1.png)
 
-This action removes the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this doesn't yet deregister the device from Autopilot. So, the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
+This action removes the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this action doesn't yet deregister the device from Autopilot. So, the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
 
-The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
+The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
 
 > [!NOTE]
 > A device only appears in the **All devices** list once it has booted. The latter (**Windows Autopilot Deployment Program** > **Devices**) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
@@ -684,7 +683,7 @@ EPT             *       Supports Intel extended page tables (SLAT)
 
 #### Prepare the app for Intune
 
-Before you can pull an application into Intune to make it part of your AP profile, you need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+Before you can pull an application into Intune to make it part of your AP profile, you need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following information to use the tool:
 
 1. The source folder for your application
 2. The name of the setup executable file
@@ -699,11 +698,11 @@ Run the IntuneWinAppUtil tool, supplying answers to the three questions, for exa
 > [!div class="mx-imgBorder"]
 > ![Add app example.](images/app01.png)
 
-After the tool finishes running, you should have an .intunewin file in the Output folder. You can upload the file into Intune by using the following steps.
+After the tool finishes running, you should have an `.intunewin` file in the Output folder. You can upload the file into Intune by using the following steps.
 
 #### Create app in Intune
 
-Log in to the Azure portal, and then select **Intune**.
+Sign in to the Azure portal, and then select **Intune**.
 
 Go to **Intune > Clients apps > Apps**, and then select the **Add** button to create a new app package.
 
@@ -713,16 +712,16 @@ Under **App Type**, select **Windows app (Win32)**:
 
 ![Add app step 2.](images/app03.png)
 
-On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then select **OK**:
+On the **App package file** pane, browse to the `npp.7.6.3.installer.x64.intunewin` file in your output folder, open it, then select **OK**:
 
 > [!div class="mx-imgBorder"]
 > ![Add app step 3.](images/app04.png)
 
-On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
+On the **App Information Configure** pane, provide a friendly name, description, and publisher, such as:
 
 ![Add app step 4.](images/app05.png)
 
-On the **Program Configuration** blade, supply the install and uninstall commands:
+On the **Program Configuration** pane, supply the install and uninstall commands:
 
 ```console
 Install:  msiexec /i "npp.7.6.3.installer.x64.msi" /q
@@ -734,11 +733,11 @@ Uninstall:  msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
 
 ![Add app step 5.](images/app06.png)
 
-Simply using an install command like "notepad++.exe /S" doesn't actually install Notepad++; it only launches the app. To install the program, you need to use the .msi file instead. Notepad++ doesn't have a .msi version of their program, but there's a .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+Simply using an install command like `notepad++.exe /S` doesn't actually install Notepad++. It only launches the app. To install the program, you need to use the `.msi` file instead. Notepad++ doesn't have an MSI version of their program, but there's an MSI version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
 
-Select **OK** to save your input and activate the **Requirements** blade.
+Select **OK** to save your input and activate the **Requirements** pane.
 
-On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
+On the **Requirements Configuration** pane, specify the **OS architecture** and the **Minimum OS version**:
 
 > [!div class="mx-imgBorder"]
 > ![Add app step 6.](images/app07.png)
@@ -752,7 +751,7 @@ Select **Add** to define the rule properties. For **Rule type**, select **MSI**,
 
 ![Add app step 8.](images/app09.png)
 
-Select **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
+Select **OK** twice to save, as you back out to the main **Add app** pane again for the final configuration.
 
 **Return codes**: For the purposes of this lab, leave the return codes at their default values:
 
@@ -761,7 +760,7 @@ Select **OK** twice to save, as you back out to the main **Add app** blade again
 
 Select **OK** to exit.
 
-You can skip configuring the final **Scope (Tags)** blade.
+You can skip configuring the final **Scope (Tags)** pane.
 
 Select the **Add** button to finalize and save your app package.
 
@@ -780,7 +779,7 @@ Find your app in your app list:
 > [!NOTE]
 > The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you haven't done that, return to the main part of the lab and complete those steps before returning here.
 
-In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade.  Then select **Assignments** from the menu:
+In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties pane. Then select **Assignments** from the menu:
 
 > [!div class="mx-imgBorder"]
 > ![Assign app step 1.](images/app13.png)
@@ -818,7 +817,7 @@ For more information on adding apps to Intune, see [Intune Standalone - Win32 ap
 
 #### Create app in Microsoft Endpoint Manager
 
-Log in to the Azure portal and select **Intune**.
+Sign in to the Azure portal and select **Intune**.
 
 Go to **Intune > Clients apps > Apps**, and then select the **Add** button to create a new app package.
 
@@ -855,7 +854,7 @@ Select **OK** and, then select **Add**.
 > [!NOTE]
 > The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you haven't done that, return to the main part of the lab and complete those steps before returning here.
 
-In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade.  Then select **Assignments** from the menu:
+In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties pane. Then select **Assignments** from the menu:
 
 > [!div class="mx-imgBorder"]
 > ![Create app step 6.](images/app22.png)
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index c1316fbac4..b8dc2f684f 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -1,6 +1,6 @@
 ---
 title: Secure the Windows boot process
-description: This article describes how Windows security features helps protect your PC from malware, including rootkits and other applications
+description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
 keywords: trusted boot, windows boot process
 ms.prod: m365-security
 ms.mktglfcycl: Explore
@@ -14,124 +14,123 @@ ms.collection:
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
-ms.date: 11/24/2021
+ms.date: 05/12/2022
 ms.author: dansimp
 ---
 
 # Secure the Windows boot process
 
-**Applies to:**
--  Windows 11
--  Windows 10
--  Windows 8.1
+*Applies to:*
 
+- Windows 11
+- Windows 10
+- Windows 8.1
 
-The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
+The Windows OS has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 OS includes a series of security features that can mitigate the effect. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
 
-Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
+Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
 
-Those are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden.
+Those components are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware, and bootkits specifically, are capable of starting before Windows, completely bypassing OS security, and remaining hidden.
 
-When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows.
-
-First, let’s examine what rootkits are and how they work. Then, we’ll show you how Windows can protect you.
+When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can't remain hidden; Trusted Boot can prove the system's integrity to your infrastructure in a way that malware can't disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows.
 
+First, let's examine what rootkits are and how they work. Then, we'll show you how Windows can protect you.
 
 ## The threat: rootkits
 
-*Rootkits* are a sophisticated and dangerous type of malware that run in kernel mode, using the same privileges as the operating system. Because rootkits have the same rights as the operating system and start before it, they can completely hide themselves and other applications. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.
+*Rootkits* are a sophisticated and dangerous type of malware. They run in kernel mode, using the same privileges as the OS. Because rootkits have the same rights as the OS and start before it, they can completely hide themselves and other applications. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.
 
 Different types of rootkits load during different phases of the startup process:
 
--  **Firmware rootkits.** These kits overwrite the firmware of the PC’s basic input/output system or other hardware so the rootkit can start before Windows.
--  **Bootkits.** These kits replace the operating system’s bootloader (the small piece of software that starts the operating system) so that the PC loads the bootkit before the operating system.
--  **Kernel rootkits.** These kits replace a portion of the operating system kernel so the rootkit can start automatically when the operating system loads.
--  **Driver rootkits.** These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware.
+- **Firmware rootkits.** These kits overwrite the firmware of the PC's basic input/output system or other hardware so the rootkit can start before Windows.
+- **Bootkits.** These kits replace the OS's bootloader (the small piece of software that starts the OS) so that the PC loads the bootkit before the OS.
+- **Kernel rootkits.** These kits replace a portion of the OS kernel so the rootkit can start automatically when the OS loads.
+- **Driver rootkits.** These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware.
 
 ## The countermeasures
+
 Windows supports four features to help prevent rootkits and bootkits from loading during the startup process:
--  **Secure Boot.** PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted operating system bootloaders.
--  **Trusted Boot.** Windows checks the integrity of every component of the startup process before loading it.
--  **Early Launch Anti-Malware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
--  **Measured Boot.** The PC’s firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PC’s health.
 
-Figure 1 shows the Windows startup process.
+- **Secure Boot.** PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted OS bootloaders.
+- **Trusted Boot.** Windows checks the integrity of every component of the startup process before loading it.
+- **Early Launch Anti-Malware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
+- **Measured Boot.** The PC's firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PC's health.
 
+Figure 1 shows the Windows startup process.
 
-![Windows startup process](./images/dn168167.boot_process(en-us,MSDN.10).png)
+![Windows startup process.](./images/dn168167.boot_process(en-us,MSDN.10).png)
 
-**Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage**
+*Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage*
 
-Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
+Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
 
 The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot.
 
 ## Secure Boot
-When a PC starts, it first finds the operating system bootloader. PCs without Secure Boot simply run whatever bootloader is on the PC’s hard drive. There’s no way for the PC to tell whether it’s a trusted operating system or a rootkit.
 
-When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader’s digital signature to verify that it hasn’t been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:
+When a PC starts, it first finds the OS bootloader. PCs without Secure Boot run whatever bootloader is on the PC's hard drive. There's no way for the PC to tell whether it's a trusted OS or a rootkit.
 
--  **The bootloader was signed using a trusted certificate.** In the case of PCs certified for Windows, the Microsoft® certificate is trusted.
--  **The user has manually approved the bootloader’s digital signature.** This allows the user to load non-Microsoft operating systems.
+When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader's digital signature to verify that it hasn't been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:
+
+- **The bootloader was signed using a trusted certificate.** For PCs certified for Windows, the Microsoft certificate is trusted.
+- **The user has manually approved the bootloader's digital signature.** This action allows the user to load non-Microsoft operating systems.
 
 All x86-based Certified For Windows PCs must meet several requirements related to Secure Boot:
 
--  They must have Secure Boot enabled by default.
--  They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed).
--  They must allow the user to configure Secure Boot to trust other bootloaders.
--  They must allow the user to completely disable Secure Boot.
+- They must have Secure Boot enabled by default.
+- They must trust Microsoft's certificate (and thus any bootloader Microsoft has signed).
+- They must allow the user to configure Secure Boot to trust other bootloaders.
+- They must allow the user to completely disable Secure Boot.
 
-These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:
+These requirements help protect you from rootkits while allowing you to run any OS you want. You have three options for running non-Microsoft operating systems:
 
--  **Use an operating system with a certified bootloader.** Because all Certified For Windows PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to .
--  **Configure UEFI to trust your custom bootloader.** All Certified For Windows PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems.
--  **Turn off Secure Boot.** All Certified For Windows PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however.
+- **Use an OS with a certified bootloader.** Because all Certified For Windows PCs must trust Microsoft's certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to .
+- **Configure UEFI to trust your custom bootloader.** All Certified For Windows PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any OS, including homemade operating systems.
+- **Turn off Secure Boot.** All *Certified For Windows* PCs allow you to turn off Secure Boot so that you can run any software. This action doesn't help protect you from bootkits, however.
 
-To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings.
+To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings.
 
-Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot cannot be turned off, and you cannot load a different operating system. Fortunately, there is a large market of ARM devices designed to run other operating systems.
+Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a large market of ARM processor devices designed to run other operating systems.
 
 ## Trusted Boot
-Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+
+Trusted Boot takes over where Secure Boot ends. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
 
 ## Early Launch Anti-Malware
-Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps don’t start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
 
-Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it.
+Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps don't start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
 
-An ELAM driver isn’t a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows) supports ELAM, as does [Microsoft System Center 2012 Endpoint Protection](/lifecycle/products/microsoft-system-center-2012-endpoint-protection) and several non-Microsoft anti-malware apps.
+Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the OS hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows won't load it.
+
+An ELAM driver isn't a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows) supports ELAM, as does several non-Microsoft anti-malware apps.
 
 ## Measured Boot
-If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesn’t work with rootkits that hide their presence. In other words, you can’t trust the client to tell you whether it’s healthy.
+
+If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesn't work with rootkits that hide their presence. In other words, you can't trust the client to tell you whether it's healthy.
 
 As a result, PCs infected with rootkits appear to be healthy, even with anti-malware running. Infected PCs continue to connect to the enterprise network, giving the rootkit access to vast amounts of confidential data and potentially allowing the rootkit to spread across the internal network.
 
-Working with the TPM and non-Microsoft software, Measured Boot in Windows allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process:
+Measured Boot works with the TPM and non-Microsoft software in Windows. It allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process:
 
-1. The PC’s UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app.
+1. The PC's UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app.
 2. At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted attestation server sends the client a unique key.
 3. The TPM uses the unique key to digitally sign the log recorded by the UEFI.
 4. The client sends the log to the server, possibly with other security information.
 
-Depending on the implementation and configuration, the server can now determine whether the client is healthy and grant the client access to either a limited quarantine network or to the full network.
-
-Figure 2 illustrates the Measured Boot and remote attestation process.
+Depending on the implementation and configuration, the server can now determine whether the client is healthy. It can grant the client access to either a limited quarantine network or to the full network.
 
+Figure 2 illustrates the Measured Boot and remote attestation process.
 
 ![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png)
 
+*Figure 2. Measured Boot proves the PC's health to a remote server*
 
-**Figure 2. Measured Boot proves the PC’s health to a remote server**
-
-
-Windows includes the application programming interfaces to support Measured Boot, but you’ll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research:
+Windows includes the application programming interfaces to support Measured Boot, but you'll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For example, see the following tools from Microsoft Research:
 - [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487)
 - [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr)
 
 Measured Boot uses the power of UEFI, TPM, and Windows to give you a way to confidently assess the trustworthiness of a client PC across the network.
 
 ## Summary
-Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows, you can truly trust the integrity of your operating system.
 
-## Additional resources
--  [Windows Enterprise Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise)
+Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network. With Windows, you can trust the integrity of your OS.

From 7e8d0441c7406ad08b92fc1021ee5b7930f5d6bc Mon Sep 17 00:00:00 2001
From: Aaron Czechowski 
Date: Thu, 12 May 2022 20:12:15 -0700
Subject: [PATCH 20/25] fix anchors

---
 windows/deployment/windows-10-poc-sc-config-mgr.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 80c6f19c7c..4e44be3f92 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -50,9 +50,9 @@ The procedures in this guide are summarized in the following table. An estimate
 |[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)|Prerequisite procedures to support Zero Touch installation.|60 minutes|
 |[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)|Use the MDT wizard to create the boot image in Configuration Manager.|20 minutes|
 |[Create a Windows 10 reference image](#create-a-windows-10-reference-image)|This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.|0-60 minutes|
-|[Add a Windows 10 OS image](#add-a-windows-10-operating-system-image)|Add a Windows 10 OS image and distribute it.|10 minutes|
+|[Add a Windows 10 OS image](#add-a-windows-10-os-image)|Add a Windows 10 OS image and distribute it.|10 minutes|
 |[Create a task sequence](#create-a-task-sequence)|Create a Configuration Manager task sequence with MDT integration using the MDT wizard|15 minutes|
-|[Finalize the OS configuration](#finalize-the-operating-system-configuration)|Enable monitoring, configure rules, and distribute content.|30 minutes|
+|[Finalize the OS configuration](#finalize-the-os-configuration)|Enable monitoring, configure rules, and distribute content.|30 minutes|
 |[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager)|Deploy Windows 10 using Configuration Manager deployment packages and task sequences.|60 minutes|
 |[Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager)|Replace a client computer with Windows 10 using Configuration Manager.|90 minutes|
 |[Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager)|Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT|90 minutes|
@@ -423,7 +423,7 @@ WDSUTIL /Set-Server /AnswerClients:None
 
 ### Create a Windows 10 reference image
 
-If you've already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you've already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 OS image](#add-a-windows-10-operating-system-image). If you've not yet created a Windows 10 reference image, complete the steps in this section.
+If you've already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you've already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 OS image](#add-a-windows-10-os-image). If you've not yet created a Windows 10 reference image, complete the steps in this section.
 
 1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1.  To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
 

From ca352e2527575bb4a72a839b1569b31fa91dcf77 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com>
Date: Mon, 16 May 2022 08:31:54 +0530
Subject: [PATCH 21/25] PubOps comment fixes

---
 windows/client-management/mdm/accounts-csp.md           | 2 +-
 windows/client-management/mdm/activesync-csp.md         | 2 +-
 windows/client-management/mdm/alljoynmanagement-csp.md  | 2 +-
 windows/client-management/mdm/application-csp.md        | 4 ++--
 windows/client-management/mdm/applicationcontrol-csp.md | 2 +-
 windows/client-management/mdm/applocker-csp.md          | 2 +-
 windows/client-management/mdm/assignedaccess-csp.md     | 2 +-
 windows/client-management/mdm/certificatestore-csp.md   | 2 +-
 8 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index e1714be3c1..94eba45c92 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -27,7 +27,7 @@ The Accounts configuration service provider (CSP) is used by the enterprise (1)
 
 The following syntax shows the Accounts configuration service provider in tree format.
 
-```
+```console
 ./Device/Vendor/MSFT
 Accounts
 ----Domain
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index b65de09282..3cc8bc3399 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -37,7 +37,7 @@ The `./Vendor/MSFT/ActiveSync path` is deprecated, but will continue to work in
 
 The following example shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
 
-```
+```console
 ./Vendor/MSFT
 ActiveSync
 ----Accounts
diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md
index e4676371cb..589580af1a 100644
--- a/windows/client-management/mdm/alljoynmanagement-csp.md
+++ b/windows/client-management/mdm/alljoynmanagement-csp.md
@@ -25,7 +25,7 @@ For the firewall settings, note that PublicProfile and PrivateProfile are mutual
 
 The following example shows the AllJoynManagement configuration service provider in tree format
 
-```
+```console
 ./Vendor/MSFT
 AllJoynManagement
 ----Configurations
diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md
index b935548199..f09f6f0d3d 100644
--- a/windows/client-management/mdm/application-csp.md
+++ b/windows/client-management/mdm/application-csp.md
@@ -30,9 +30,9 @@ OMA considers each transport to be an application and requires a corresponding A
 
 The following list shows the supported transports:
 
-- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md)
+- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md).
 
-- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md)
+- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md).
 
 The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document.
 
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index cc06d82b40..3beb09b98d 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -29,7 +29,7 @@ Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can
 
 The following example shows the ApplicationControl CSP in tree format.
 
-```
+```console
 ./Vendor/MSFT
 ApplicationControl
 ----Policies
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 05f97fc04b..c70d901cd1 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -83,7 +83,7 @@ Defines restrictions for applications.
 
 > [!NOTE]
 > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
-
+>
 > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node.
 
 > [!NOTE]
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 2300fbd281..5f61ca771d 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -40,7 +40,7 @@ In Windows 10, version 1709, the AssignedAccess configuration service provider (
 
 The following example shows the AssignedAccess configuration service provider in tree format
 
-```
+```console
 ./Vendor/MSFT
 AssignedAccess
 ----KioskModeApp
diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md
index 8afad07519..010ec8b52d 100644
--- a/windows/client-management/mdm/certificatestore-csp.md
+++ b/windows/client-management/mdm/certificatestore-csp.md
@@ -34,7 +34,7 @@ For the CertificateStore CSP, you can't use the Replace command unless the node
 
 The following example shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
 
-```
+```console
 ./Vendor/MSFT
 CertificateStore
 ----ROOT

From 597c3bdb70bc7e77aebdb93d13d6b96c1c3b2b05 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com>
Date: Mon, 16 May 2022 08:39:47 +0530
Subject: [PATCH 22/25] PubOps comment fixes

---
 .../mdm/win32compatibilityappraiser-csp.md                | 8 ++++----
 .../mdm/windowsadvancedthreatprotection-csp.md            | 2 +-
 .../mdm/windowsdefenderapplicationguard-csp.md            | 3 ++-
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index f2a5fc1a7b..b3a8915e7f 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -98,10 +98,10 @@ An integer value representing whether the installed versions of the Compatibilit
 
 The values are:
   
-- 0 == Neither the code nor data is of a sufficient version  
-- 1 == The code version is insufficient but the data version is sufficient 
-- 2 == The code version is sufficient but the data version is insufficient
-- 3 == Both the code and data are of a sufficient version
+- 0 == Neither the code nor data is of a sufficient version. 
+- 1 == The code version is insufficient but the data version is sufficient.
+- 2 == The code version is sufficient but the data version is insufficient.
+- 3 == Both the code and data are of a sufficient version.
 
 Value type is integer. 
 
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index e72179a48c..c9940fce4d 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -82,7 +82,7 @@ Supported operation is Get.
 
 The following list shows the supported values:
 
-- 0 (default) – Not onboarded.
+- 0 (default) – Not onboarded
 - 1 – Onboarded
 
 **HealthState/OrgId**  
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 0ec8ff5709..10551772c3 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -26,7 +26,8 @@ The table below shows the applicability of Windows:
 The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
 
 The following example shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
-```
+
+```console
 ./Device/Vendor/MSFT
 WindowsDefenderApplicationGuard
 ----Settings

From 3c242c305d419458f6f3b1eb755b09429fbf772a Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com>
Date: Mon, 16 May 2022 08:42:40 +0530
Subject: [PATCH 23/25] PubOps fixes

---
 windows/client-management/mdm/clientcertificateinstall-csp.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index b6b1353815..028cae12a8 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -35,7 +35,7 @@ You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLoc
 
 The following example shows the ClientCertificateInstall configuration service provider in tree format.
 
-```
+```console
 ./Vendor/MSFT
 ClientCertificateInstall
 ----PFXCertInstall

From fd2626397c1ed0daba73c8ca7cd61aa34d7e7225 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT 
Date: Mon, 16 May 2022 09:46:03 -0700
Subject: [PATCH 24/25] Update policy-csp-devicelock.md

---
 windows/client-management/mdm/policy-csp-devicelock.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 44f87d8987..398e28de31 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: dansimp
 ms.localizationpriority: medium
-ms.date: 05/09/2022
+ms.date: 05/16/2022
 ms.reviewer: 
 manager: dansimp
 ---

From da1424e517effbd7bc78a09bb970945158d6df8e Mon Sep 17 00:00:00 2001
From: Angela Fleischmann 
Date: Mon, 16 May 2022 16:27:43 -0600
Subject: [PATCH 25/25] Line 934: Fix error "the it" to "the client"

---
 windows/deployment/windows-10-poc-sc-config-mgr.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 4e44be3f92..9b38379f79 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -931,7 +931,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 
     ![site.](images/configmgr-site.png)
 
-    If the client isn't able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the it can't locate the site code is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode**, delete or update this entry.
+    If the client isn't able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the client can't locate the site code is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode**, delete or update this entry.
 
 1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.