diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index cae74d63a4..dfaf5a09e2 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19929,6 +19929,11 @@ "source_path": "windows/client-management/mdm/wmi-providers-supported-in-windows.md", "redirect_url": "/windows/client-management/wmi-providers-supported-in-windows", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/do/mcc-enterprise.md", + "redirect_url": "/windows/deployment/do/waas-microsoft-connected-cache", + "redirect_document_id": false }, { "source_path": "windows/client-management/advanced-troubleshooting-802-authentication.md", diff --git a/education/windows/index.yml b/education/windows/index.yml index 8f01835c6d..a84e4b3961 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -7,7 +7,8 @@ metadata: title: Windows for Education documentation description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune ms.topic: landing-page - ms.prod: windows + ms.prod: windows-client + ms.technology: itpro-edu ms.collection: - education - highpri diff --git a/images/grouppolicy-paste.png b/images/grouppolicy-paste.png new file mode 100644 index 0000000000..ba2de148f1 Binary files /dev/null and b/images/grouppolicy-paste.png differ diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml index e13b0747f4..73c14c4195 100644 --- a/windows/application-management/index.yml +++ b/windows/application-management/index.yml 
@@ -1,25 +1,19 @@ ### YamlMime:Landing -title: Windows application management # < 60 chars -summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions. # < 160 chars +title: Windows application management +summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions. metadata: - title: Windows application management # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required - ms.collection: - - windows-10 + title: Windows application management + description: Learn about managing applications in Windows 10 and Windows 11. + ms.topic: landing-page + ms.prod: windows-client + ms.collection: - highpri author: nicholasswhite ms.author: nwhite manager: aaroncz - ms.date: 08/24/2021 #Required; mm/dd/yyyy format. - ms.localizationpriority : medium - -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + ms.date: 08/24/2021 landingContent: # Cards and links should be based on top customer tasks or top subjects diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index 7fdf68a9fa..ff469792d0 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml 
@@ -6,12 +6,10 @@ summary: Find out how to apply custom configurations to Windows client devices. metadata: title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-manage ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index fe657489a9..d8bd8ed982 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml @@ -6,11 +6,10 @@ summary: Learn more about the configuration service provider (CSP) policies avai metadata: title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - ms.topic: landing-page # Required - services: windows-10 - ms.prod: windows + ms.topic: landing-page + ms.technology: itpro-manage + ms.prod: windows-client ms.collection: - - windows-10 - highpri ms.custom: intro-hub-or-landing author: vinaypamnani-msft diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 441350957a..828657eada 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md 
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1457,9 +1457,11 @@ ADMX Info: Set this policy to restrict peer selection via selected option. -Options available are: 1=Subnet mask (more options will be added in a future release). +In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently, the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore it means that there is no peering between subnets. The default value in Windows 11 is set to "Local Peer Discovery". -Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2). +If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). + +The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds. @@ -1474,7 +1476,9 @@ ADMX Info: The following list shows the supported values: -- 1 - Subnet mask. +- 0 - NAT +- 1 - Subnet mask +- 2 - Local Peer Discovery diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 8475dbc0d9..ee0b9dac66 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -4426,7 +4426,7 @@ The following list shows the supported values: ADMX Info: - GP Friendly name: *Enable extended hot keys in Internet Explorer mode* - GP name: *EnableExtendedIEModeHotkeys* -- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* +- GP path: *Windows Components/Internet Explorer/Main* - GP ADMX file name: *inetres.admx* 
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index 13fe288906..693f130feb 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -113,7 +113,7 @@ List of exceptions to the blocked website URLs (with wildcard support). This pol -List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. +List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. The delimiter for the URLs is "\uF000" character. > [!NOTE] > This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -310,4 +310,4 @@ The value is an int 1-1440 that specifies the number of minutes the session is i ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 32217ff75b..10e2076e07 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md 
@@ -104,11 +104,11 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura Example 1: Azure Active Directory focused. -The following example updates the built-in administrators group with Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. +The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. ```xml - + @@ -119,12 +119,12 @@ The following example updates the built-in administrators group with Azure AD ac Example 2: Replace / Restrict the built-in administrators group with an Azure AD user account. > [!NOTE] -> When using ‘R’ replace option to configure the built-in ‘Administrators’ group. It is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group. +> When using the ‘R’ replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group. Example: ```xml - + 
@@ -134,11 +134,11 @@ Example: Example 3: Update action for adding and removing group members on a hybrid joined machine. -The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. +The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. ```xml - + diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index be1a9d7a92..fe0ebfbafc 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -6,12 +6,9 @@ summary: Find out how to apply custom configurations to Windows 10 and Windows 1 metadata: title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. description: Find out how to apply custom configurations to Windows client devices. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice ms.topic: landing-page # Required + ms.prod: windows-client ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index a732f8301a..85b109b135 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml 
@@ -221,7 +221,11 @@ - name: UCClientUpdateStatus href: update/wufb-reports-schema-ucclientupdatestatus.md - name: UCDeviceAlert - href: update/wufb-reports-schema-ucdevicealert.md + href: update/wufb-reports-schema-ucdevicealert.md + - name: UCDOAggregatedStatus + href: update/wufb-reports-schema-ucdoaggregatedstatus.md + - name: UCDOStatus + href: update/wufb-reports-schema-ucdostatus.md - name: UCServiceUpdateStatus href: update/wufb-reports-schema-ucserviceupdatestatus.md - name: UCUpdateAlert diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md index c723dc30ae..23b36c4d59 100644 --- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md 
@@ -15,46 +15,53 @@ ms.date: 10/27/2022 # Add a Windows 10 operating system image using Configuration Manager -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 Operating system images are typically the production image used for deployment throughout the organization. This article shows you how to add a Windows 10 operating system image created with Microsoft Configuration Manager, and how to distribute the image to a distribution point. ## Infrastructure For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ->[!IMPORTANT] ->The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below. +> [!IMPORTANT] +> The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. 
The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below. - ## Add a Windows 10 operating system image +## Add a Windows 10 operating system image On **CM01**: -1. Using File Explorer, in the **D:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**. -2. Copy the REFW10-X64-001.wim file to the **D:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder. +1. Using File Explorer, in the **`D:\Sources\OSD\OS`** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**. + +2. Copy the `REFW10-X64-001.wim` file to the **`D:\Sources\OSD\OS\Windows 10 Enterprise x64 RTM`** folder. ![figure 17.](../images/ref-image.png) The Windows 10 image being copied to the Sources folder structure. -3. Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**. -4. On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim, select x64 next to Architecture and choose a language, then select **Next**. -5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, select **Next** twice, and then select **Close**. -6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**. -7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**. -8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. +3. 
Using the Configuration Manager Console, in the **Software Library** workspace, right-click **Operating System Images**, and select **Add Operating System Image**. + +4. On the **Data Source** page, in the **Path:** text box, browse to **`\\CM01\Sources$\OSD\OS\Windows 10 Enterprise x64 RTM\REFW10-X64-001.wim`**, select x64 next to Architecture and choose a language, then select **Next**. + +5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, select **Next** twice, and then select **Close**. + +6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**. + +7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**. + +8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the `D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log` file and look for the **STATMSG: ID=2301** line. ![figure 18.](../images/fig18-distwindows.png) The distributed Windows 10 Enterprise x64 RTM package. -Next, see [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md). +Next, see [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md). ## Related articles diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 7dfcbe25b8..feff4155ed 100644 
--- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md 
@@ -15,25 +15,26 @@ ms.date: 10/27/2022 # Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager -**Applies to** +*Applies to:* - Windows 10 In this article, you'll learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it's likely you'll have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Add drivers for Windows PE -This section will show you how to import some network and storage drivers for Windows PE. +This section will show you how to import some network and storage drivers for Windows PE. ->[!NOTE] ->Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. 
An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. +> [!NOTE] +> Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. -This section assumes you've downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01. +This section assumes you've downloaded some drivers to the **`D:\Sources\OSD\DriverSources\WinPE x64`** folder on CM01. ![Drivers.](../images/cm01-drivers.png) 
@@ -41,12 +42,18 @@ Driver folder structure on CM01 On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**. -2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and select **Next**. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**. + +2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **`\\CM01\Sources$\OSD\DriverSources\WinPE x64`** folder and select **Next**. + 3. On the **Specify the details for the imported driver** page, select **Categories**, create a category named **WinPE x64**, and then select **Next**. + 4. On the **Select the packages to add the imported driver** page, select **Next**. + 5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image and select **Next**. + 6. In the popup window that appears, select **Yes** to automatically update the distribution point. + 7. Select **Next**, wait for the image to be updated, and then select **Close**. ![Add drivers to Windows PE step 1.](../images/fig21-add-drivers1.png)
@@ -68,27 +75,28 @@ Driver folder structure on CM01 On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**. -2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder and select **Next**. Wait a minute for driver information to be validated. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**. + +2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **`\\CM01\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`** folder and select **Next**. Wait a minute for driver information to be validated. + 3. On the **Specify the details for the imported driver** page, select **Categories**, create a category named **Windows 10 x64 - HP EliteBook 8560w**, select **OK**, and then select **Next**. ![Create driver categories.](../images/fig22-createcategories.png "Create driver categories") Create driver categories - 4. On the **Select the packages to add the imported driver** page, select **New Package**, use the following settings for the package, and then select **Next**: - * Name: Windows 10 x64 - HP EliteBook 8560w - * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w + - Name: Windows 10 x64 - HP EliteBook 8560w + - Path: **`\\CM01\Sources$\OSD\DriverPackages\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`** - >[!NOTE] - >The package path does not yet exist, so you've to type it in. 
The wizard will create the new package using the path you specify. + > [!NOTE] + > The package path does not yet exist so it has to be created by typing it in. The wizard will create the new package using the path you specify. -5. On the **Select drivers to include in the boot image** page, don't select anything, and select **Next** twice. After the package has been created, select **Close**. +5. On the **Select drivers to include in the boot image** page, don't select anything, and select **Next** twice. After the package has been created, select **Close**. - >[!NOTE] - >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. + > [!NOTE] + > If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. ![Drivers imported and a new driver package created.](../images/cm01-drivers-packages.png "Drivers imported and a new driver package created") diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 25f8bd58cf..bc6f5f88b1 100644 --- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md 
@@ -15,14 +15,16 @@ ms.date: 10/27/2022 # Create a custom Windows PE boot image with Configuration Manager -**Applies to** +*Applies to:* - Windows 10 In Microsoft Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This article shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. + - The boot image that is created is based on the version of ADK that is installed. For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). 
@@ -31,16 +33,21 @@ For the purposes of this guide, we'll use one server computer: CM01. The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you don't wish to add DaRT, skip the steps below to copy DaRT tools, and later skip adding the DaRT component to the boot image. -We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp. +We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **`C:\Setup\Branding`** on CM01. In this section, we use a custom background image named [ContosoBackground.png](../images/ContosoBackground.png) On **CM01**: -1. Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT100.msi) using the default settings. -2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder. -3. Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder. -4. Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder. -5. Using File Explorer, navigate to the **C:\\Setup** folder. -6. Copy the **Branding** folder to **D:\\Sources\\OSD**. +1. Install DaRT 10 (**`C:\\Setup\\DaRT 10\\MSDaRT100.msi`**) using the default settings. + +2. 
Using File Explorer, navigate to the **`C:\Program Files\Microsoft DaRT\v10`** folder. + +3. Copy the Toolsx64.cab file to the **`C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64`** folder. + +4. Copy the Toolsx86.cab file to the **`C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86`** folder. + +5. Using File Explorer, navigate to the **`C:\Setup`** folder. + +6. Copy the **Branding** folder to **`D:\Sources\OSD`**. ## Create a boot image for Configuration Manager using the MDT wizard 
@@ -48,15 +55,18 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**. -2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and select **Next**. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**. - >[!NOTE] - >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard. +2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\Boot\Zero Touch WinPE x64`** and select **Next**. -3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and select **Next**. -4. On the **Options** page, select the **x64** platform, and select **Next**. -5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and select **Next**. + > [!NOTE] + > The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard. + +3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and select **Next**. + +4. On the **Options** page, select the **x64** platform, and select **Next**. + +5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and select **Next**. 
![Add the DaRT component to the Configuration Manager boot image.](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image") 
@@ -64,19 +74,25 @@ On **CM01**: >Note: Another common component to add here is Windows PowerShell to enable PowerShell support within Windows PE. -6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then select **Next** twice. Wait a few minutes while the boot image is generated, and then select **Finish**. -7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. -8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. -9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples: +6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **`\\CM01\Sources$\OSD\Branding\ContosoBackground.bmp`** and then select **Next** twice. Wait a few minutes while the boot image is generated, and then select **Finish**. + +7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. + +8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. + +9. Using Configuration Manager Trace, review the `D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log` file. Don't continue until you can see that the boot image is distributed. 
Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **Monitoring** > **Overview** > **Distribution Status** > **Content Status** > **Zero Touch WinPE x64**. See the following examples: ![Content status for the Zero Touch WinPE x64 boot image step 1.](../images/fig16-contentstatus1.png)
![Content status for the Zero Touch WinPE x64 boot image step 2.](../images/fig16-contentstatus2.png) Content status for the Zero Touch WinPE x64 boot image -10. Using the Configuration Manager Console, in the Software Library workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**. +10. Using the Configuration Manager Console, in the **Software Library** workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**. + 11. On the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and select **OK**. + 12. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: **Expanding PS100009 to D:\\RemoteInstall\\SMSImages**. + 13. Review the **D:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS100009) is from your new boot image with DaRT. See the examples below: ![PS100009 step 1.](../images/ps100009-1.png)
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md index 3378ffe20d..dc5fff054b 100644 --- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -14,13 +14,14 @@ ms.date: 10/27/2022 # Create a task sequence with Configuration Manager and MDT -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 In this article, you'll learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly. 
@@ -31,32 +32,46 @@ This section walks you through the process of creating a Configuration Manager t On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. -2. On the **Choose Template** page, select the **Client Task Sequence** template and select **Next**. -3. On the **General** page, assign the following settings and then select **Next**: - * Task sequence name: Windows 10 Enterprise x64 RTM - * Task sequence comments: Production image with Office 365 Pro Plus x64 -4. On the **Details** page, assign the following settings and then select **Next**: - * Join a Domain - * Domain: contoso.com - * Account: contoso\\CM\_JD - * Password: pass@word1 - * Windows Settings - * User name: Contoso - * Organization name: Contoso - * Product key: <blank> +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. + +2. On the **Choose Template** page, select the **Client Task Sequence** template and select **Next**. + +3. On the **General** page, assign the following settings and then select **Next**: + - Task sequence name: Windows 10 Enterprise x64 RTM + - Task sequence comments: Production image with Office 365 Pro Plus x64 + +4. On the **Details** page, assign the following settings and then select **Next**: + - Join a Domain + - Domain: contoso.com + - Account: contoso\\CM\_JD + - Password: pass@word1 + - Windows Settings + - User name: Contoso + - Organization name: Contoso + - Product key: *\* + +5. On the **Capture Settings** page, accept the default settings, and select **Next**. + +6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**. + +7. 
On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\MDT\MDT`**. Then select **Next**. + +8. On the **MDT Details** page, assign the name **MDT** and select **Next**. + +9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then select **Next**. -5. On the **Capture Settings** page, accept the default settings, and select **Next**. -6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**. -7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then select **Next**. -8. On the **MDT Details** page, assign the name **MDT** and select **Next**. -9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then select **Next**. 10. On the **Deployment Method** page, accept the default settings (Zero Touch installation) and select **Next**. + 11. On the **Client Package** page, browse and select the **Microsoft Corporation Configuration Manager Client Package** and select **Next**. + 12. On the **USMT Package** page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package and select **Next**. -13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings** and select **Next**. + +13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\Settings\Windows 10 x64 Settings`** and select **Next**. + 14. 
On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and select **Next**. + 15. On the **Sysprep Package** page, select **Next** twice. + 16. On the **Confirmation** page, select **Finish**. ## Edit the task sequence 
@@ -65,66 +80,70 @@ After you create the task sequence, we recommend that you configure the task seq On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**. -2. In the **Install** group (about halfway down), select the **Set Variable for Drive Letter** action and configure the following: - * OSDPreserveDriveLetter: True - - >[!NOTE] - >If you don't change this value, your Windows installation will end up in D:\\Windows. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**. + +2. In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values). + +3. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.) + +4. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**. + +5. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings: + + - Name: HP EliteBook 8560w + - Driver Package: Windows 10 x64 - HP EliteBook 8560w + - Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w + + > [!NOTE] + > You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%' -3. In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values). -4. 
In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.) -5. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**. -6. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings: - * Name: HP EliteBook 8560w - * Driver Package: Windows 10 x64 - HP EliteBook 8560w - * Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w - - >[!NOTE] - >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%' - ![Driver package options.](../images/fig27-driverpackage.png "Driver package options") - + The driver package options -7. In the **State Restore / Install Applications** group, select the **Install Application** action. -8. Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list. +6. In the **State Restore / Install Applications** group, select the **Install Application** action. + +7. Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list. ![Add an application to the task sequence.](../images/fig28-addapp.png "Add an application to the task sequence") Add an application to the Configuration Manager task sequence - >[!NOTE] - >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release. 
+ > [!NOTE] + > In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the latest Configuration Manager current branch release. -9. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings: - * Request state storage location to: Restore state from another computer - * If computer account fails to connect to state store, use the Network Access account: selected - * Options: Continue on error - * Options / Add Condition: - * Task Sequence Variable - * USMTLOCAL not equals True +8. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings: -10. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings: - * Options: Continue on error - * Options / Condition: - * Task Sequence Variable - * USMTLOCAL not equals True + - Request state storage location to: Restore state from another computer + - If computer account fails to connect to state store, use the Network Access account: selected + - Options: Continue on error + - Options / Add Condition: + - Task Sequence Variable + - USMTLOCAL not equals True -11. Select **OK**. +9. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings: + - Options: Continue on error + - Options / Condition: + - Task Sequence Variable + - USMTLOCAL not equals True + +10. Select **OK**. ## Organize your packages (optional) -If desired, you can create a folder structure for packages. 
This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages. +If desired, you can create a folder structure for packages. This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages. To create a folder for packages: On **CM01**: -1. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**. -2. Right-click **Packages**, point to **Folder**, select **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure. -3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**. -4. In the **Move Selected Items** dialog box, select the **OSD** folder, and select **OK**. +1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Application Management**, and then select **Packages**. + +2. Right-click **Packages**, point to **Folder**, select **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure. + +3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**. + +4. In the **Move Selected Items** dialog box, select the **OSD** folder, and select **OK**. Next, see [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md). diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 104e5718ef..7a7d509012 100644 
--- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md 
@@ -15,62 +15,73 @@ ms.date: 10/27/2022 # Create an application to deploy with Windows 10 using Configuration Manager +*Applies to:* -**Applies to** - -- Windows 10 +- Windows 10 Microsoft Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Configuration Manager that you later configure the task sequence to use. For the purposes of this guide, we'll use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. ->[!NOTE] ->The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. + +> [!NOTE] +> The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image. ## Example: Create the Adobe Reader application On **CM01**: -1. Create the **D:\Setup** folder if it doesn't already exist. -1. 
Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader. -2. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example: +1. Create the **`D:\Setup`** folder if it doesn't already exist. - ```powershell - Set-Location C:\Users\administrator.CONTOSO\Downloads - .\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne - ``` - >Note: the extraction process will create the "Adobe" folder +2. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **`D:\Setup\Adobe`** on CM01. The filename will differ depending on the version of Acrobat Reader. -3. Using File Explorer, copy the **D:\\Setup\\Adobe** folder to the **D:\\Sources\\Software\\Adobe** folder. -4. In the Configuration Manager Console, in the Software Library workspace, expand **Application Management**. -5. Right-click **Applications**, point to **Folder** and then select **Create Folder**. Assign the name **OSD**. -6. Right-click the **OSD** folder, and select **Create Application**. -7. In the Create Application Wizard, on the **General** page, use the following settings: +3. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. 
See the following example: - * Automatically detect information about this application from installation files - * Type: Windows Installer (\*.msi file) - * Location: \\\\CM01\\Sources$\\Software\\Adobe\\AcroRead.msi + ```powershell + Set-Location C:\Users\administrator.CONTOSO\Downloads + .\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne + ``` + + > [!NOTE] + > The extraction process will create the "Adobe" folder. + +4. Using File Explorer, copy the **`D:\Setup\Adobe`** folder to the **`D:\Sources\Software\Adobe`** folder. + +5. In the Configuration Manager Console, in the **Software Library** workspace, expand **Application Management**. + +6. Right-click **Applications**, point to **Folder** and then select **Create Folder**. Assign the name **OSD**. + +7. Right-click the **OSD** folder, and select **Create Application**. + +8. In the Create Application Wizard, on the **General** page, use the following settings: + + - Automatically detect information about this application from installation files + - Type: Windows Installer (\*.msi file) + - Location: `\\CM01\Sources$\Software\Adobe\AcroRead.msi` ![The Create Application Wizard.](../images/mdt-06-fig20.png "The Create Application Wizard") The Create Application Wizard -8. Select **Next**, and wait while Configuration Manager parses the MSI file. -9. On the **Import Information** page, review the information and then select **Next**. -10. On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, select **Next** twice, and then select **Close**. +9. Select **Next**, and wait while Configuration Manager parses the MSI file. - >[!NOTE] - >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. 
If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence. +10. On the **Import Information** page, review the information and then select **Next**. + +11. On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, select **Next** twice, and then select **Close**. + + > [!NOTE] + > Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence. - ![Add the OSD Install suffix to the application name.](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name") + ![Add the OSD Install suffix to the application name.](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name") - Add the "OSD Install" suffix to the application name + Add the "OSD Install" suffix to the application name -11. In the **Applications** node, select the Adobe Reader - OSD Install application, and select **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties). -12. 
On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and select **OK**. +12. In the **Applications** node, select the Adobe Reader - OSD Install application, and select **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties). -Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md). +13. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and select **OK**. + +Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md). ## Related articles diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index c9e0d32d11..6a0dd625b6 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md 
@@ -14,13 +14,14 @@ ms.date: 10/27/2022 # Deploy Windows 10 using PXE and Configuration Manager -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 In this article, you'll learn how to deploy Windows 10 using Microsoft Configuration Manager deployment packages and task sequences. This article will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this article. This article assumes that you've completed the following prerequisite procedures: + - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) 
@@ -30,37 +31,49 @@ This article assumes that you've completed the following prerequisite procedures - [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) For the purposes of this guide, we'll use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001). + - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS). + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - - CM01 is also running WDS that will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS. + + - CM01 is also running WDS that will be required to start PC0001 via PXE. + + > [!NOTE] + > Ensure that only CM01 is running WDS. + - PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network. ->[!NOTE] ->If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. +> [!NOTE] +> If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. -All servers are running Windows Server 2019. 
However, an earlier, supported version of Windows Server can also be used. +All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All server and client computers referenced in this guide are on the same subnet. This connection isn't required. But each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the `contoso.com` domain. Internet connectivity is also required to download OS and application updates. ->[!NOTE] ->No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console. +> [!NOTE] +> No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console. ## Procedures 1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot. -2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass\@word1** and select **Next**. + +2. On the **Welcome to the Task Sequence Wizard** page, enter in the password **pass\@word1** and select **Next**. + 3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and select **Next**. -4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and select **OK**. Then select **Next**. -5. The operating system deployment will take several minutes to complete. + +4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, enter **PC0001** and select **OK**. Then select **Next**. + +5. The operating system deployment will take several minutes to complete. + 6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. 
When you see the PC0001 entry, double-click **PC0001**, and then select **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following steps: - * Install the Windows 10 operating system. - * Install the Configuration Manager client and the client hotfix. - * Join the computer to the domain. - * Install the application added to the task sequence. - - >[!NOTE] - >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress. + - Install the Windows 10 operating system. + - Install the Configuration Manager client and the client hotfix. + - Join the computer to the domain. + - Install the application added to the task sequence. + + > [!NOTE] + > You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress. ![MDT monitoring.](../images/pc0001-monitor.png) diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 5bec64ed7d..581ec6010d 100644 --- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md 
@@ -15,31 +15,32 @@ ms.date: 10/27/2022 # Finalize the operating system configuration for Windows 10 deployment with Configuration Manager -**Applies to** +*Applies to:* -- Windows 10 +- Windows 10 This article walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence. For the purposes of this guide, we'll use one server computer: CM01. + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Enable MDT monitoring -This section will walk you through the process of creating the D:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager. +This section will walk you through the process of creating the **`D:\MDTProduction`** deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager. On **CM01**: -1. Open the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard: +1. Open the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. 
Use the following settings for the New Deployment Share Wizard: - * Deployment share path: D:\\MDTProduction - * Share name: MDTProduction$ - * Deployment share description: MDT Production - * Options: <default settings> + - Deployment share path: D:\\MDTProduction + - Share name: MDTProduction$ + - Deployment share description: MDT Production + - Options: *\* -2. Right-click the **MDT Production** deployment share, and select **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and select **OK**. +2. Right-click the **MDT Production** deployment share, and select **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and select **OK**. ![Enable MDT monitoring for Configuration Manager.](../images/mdt-06-fig31.png) @@ -51,16 +52,17 @@ The D:\Logs folder was [created previously](prepare-for-zero-touch-installation- On **CM01**: -1. To configure NTFS permissions using icacls.exe, type the following command at an elevated Windows PowerShell prompt: +1. To configure NTFS permissions using `icacls.exe`, enter the following command at an elevated Windows PowerShell prompt: - ``` - icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)' + ```cmd + icacls.exe D:\Logs /grant '"CM_NAA":(OI)(CI)(M)' ``` -2. Using File Explorer, navigate to the **D:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder. -3. To enable server-side logging, edit the CustomSetting.ini file with Notepad.exe and enter the following settings: +2. Using File Explorer, navigate to the **`D:\Sources\OSD\Settings\Windows 10 x64 Settings`** folder. - ``` +3. To enable server-side logging, edit the `CustomSetting.ini` file with `Notepad.exe` and enter the following settings: + + ```ini [Settings] Priority=Default Properties=OSDMigrateConfigFiles,OSDMigrateMode 
@@ -79,12 +81,12 @@ On **CM01**: ![Settings package during deployment.](../images/fig30-settingspack.png) - The Settings package, holding the rules and the Unattend.xml template used during deployment + The Settings package, holding the rules and the `Unattend.xml` template used during deployment -3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Select **OK** in the popup dialog box. +4. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Select **OK** in the popup dialog box. - >[!NOTE] - >Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. + > [!NOTE] + > Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. ## Distribute content to the CM01 distribution portal 
@@ -92,9 +94,11 @@ In Configuration Manager, you can distribute all packages needed by a task seque On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**. -2. In the Distribute Content Wizard, select **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard. -3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**. + +2. In the Distribute Content Wizard, select **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard. + +3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the `distmgr.log` file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully. ![Content status.](../images/cm01-content-status1.png) 
@@ -106,20 +110,25 @@ This section provides steps to help you create a deployment for the task sequenc On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then select **Deploy**. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then select **Deploy**. + 2. In the Deploy Software Wizard, on the **General** page, select the **All Unknown Computers** collection and select **Next**. + 3. On the **Deployment Settings** page, use the below settings and then select **Next**: - * Purpose: Available - * Make available to the following: Only media and PXE + - Purpose: Available + - Make available to the following: Only media and PXE ![Configure the deployment settings.](../images/mdt-06-fig33.png) - + Configure the deployment settings 4. On the **Scheduling** page, accept the default settings and select **Next**. + 5. On the **User Experience** page, accept the default settings and select **Next**. + 6. On the **Alerts** page, accept the default settings and select **Next**. + 7. On the **Distribution Points** page, accept the default settings, select **Next** twice, and then select **Close**. ![Task sequence deployed.](../images/fig32-deploywiz.png) 
@@ -134,20 +143,20 @@ This section provides steps to help you configure the All Unknown Computers coll On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**. +1. Using the Configuration Manager console, in the **Asset and Compliance** workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**. 2. On the **Collection Variables** tab, create a new variable with the following settings: - * Name: OSDComputerName - * Clear the **Do not display this value in the Configuration Manager console** check box. + - Name: OSDComputerName + - Clear the **Do not display this value in the Configuration Manager console** check box. 3. Select **OK**. - >[!NOTE] - >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard. - + > [!NOTE] + > Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard. + ![Configure a collection variable.](../images/mdt-06-fig35.png) - + Configure a collection variable Next, see [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md). diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index ce164ba563..2fa98b5ab7 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md 
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -14,7 +14,7 @@ ms.date: 10/27/2022 # Prepare for Zero Touch Installation of Windows 10 with Configuration Manager -**Applies to** +*Applies to:* - Windows 10 
@@ -28,18 +28,30 @@ In this article, you'll use [components](#components-of-configuration-manager-op > [!NOTE] > Procedures in this guide use Configuration Manager version 1910. For more information about the versions of Windows 10 supported by Configuration Manager, see [Support for Windows 10](/mem/configmgr/core/plan-design/configs/support-for-windows-10). + - The [Active Directory Schema has been extended](/mem/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created. + - Active Directory Forest Discovery and Active Directory System Discovery are [enabled](/mem/configmgr/core/servers/deploy/configure/configure-discovery-methods). + - IP range [boundaries and a boundary group](/mem/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created. + - The Configuration Manager [reporting services](/mem/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured. + - A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure). -- The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed. + +- The [Windows ADK](/windows-hardware/get-started/adk-install) version that is [supported for the version of Configuration Manager](/mem/configmgr/core/plan-design/configs/support-for-windows-adk) that is installed, including the Windows PE add-on. USMT should be installed as part of the Windows ADK install. 
+ +- [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456 + +- DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed. + - The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point. > [!NOTE] - > CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. + > CMTrace is automatically installed with the current branch of Configuration Manager at **`Program Files\Microsoft Configuration Manager\tools\cmtrace.exe`**. + +For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01. -For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01. - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer doesn't need to be a domain member. 
@@ -54,12 +66,12 @@ The following generic credentials are used in this guide. You should replace the - **Active Directory domain name**: `contoso.com` - **Domain administrator username**: `administrator` --**Domain administrator password**: `pass@word1` +- **Domain administrator password**: `pass@word1` ## Create the OU structure ->[!NOTE] ->If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. +> [!NOTE] +> If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. On **DC01**: 
@@ -107,25 +119,27 @@ A role-based model is used to configure permissions for the service accounts nee On **DC01**: -1. In the Active Directory Users and Computers console, browse to **contoso.com / Contoso / Service Accounts**. -2. Select the Service Accounts OU and create the CM\_JD account using the following settings: +1. In the Active Directory Users and Computers console, browse to **contoso.com** > **Contoso** > **Service Accounts**. - * Name: CM\_JD - * User sign-in name: CM\_JD - * Password: `pass@word1` - * User must change password at next logon: Clear - * User can't change password: Selected - * Password never expires: Selected +2. Select the Service Accounts OU and create the CM\_JD account using the following settings: -3. Repeat the step, but for the CM\_NAA account. -4. After creating the accounts, assign the following descriptions: + - Name: CM\_JD + - User sign-in name: CM\_JD + - Password: `pass@word1` + - User must change password at next logon: Clear + - User can't change password: Selected + - Password never expires: Selected - * CM\_JD: Configuration Manager Join Domain Account - * CM\_NAA: Configuration Manager Network Access Account +3. Repeat the step, but for the CM\_NAA account. + +4. After creating the accounts, assign the following descriptions: + + - CM\_JD: Configuration Manager Join Domain Account + - CM\_NAA: Configuration Manager Network Access Account ## Configure Active Directory permissions -In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. +In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. 
These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to `C:\Setup\Scripts` on DC01. On **DC01**: @@ -139,18 +153,18 @@ On **DC01**: 2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following list is that of permissions being granted: - * Scope: This object and all descendant objects - * Create Computer objects - * Delete Computer objects - * Scope: Descendant Computer objects - * Read All Properties - * Write All Properties - * Read Permissions - * Modify Permissions - * Change Password - * Reset Password - * Validated write to DNS host name - * Validated write to service principal name + - Scope: This object and all descendant objects + - Create Computer objects + - Delete Computer objects + - Scope: Descendant Computer objects + - Read All Properties + - Write All Properties + - Read Permissions + - Modify Permissions + - Change Password + - Reset Password + - Validated write to DNS host name + - Validated write to service principal name ## Review the Sources folder structure @@ -158,9 +172,6 @@ On **CM01**: To support the packages you create in this article, the following folder structure should be created on the Configuration Manager primary site server (CM01): ->[!NOTE] ->In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server. - - D:\\Sources - D:\\Sources\\OSD - D:\\Sources\\OSD\\Boot 
@@ -173,11 +184,13 @@ To support the packages you create in this article, the following folder structu - D:\\Sources\\Software - D:\\Sources\\Software\\Adobe - D:\\Sources\\Software\\Microsoft +- D:\\Logs + +> [!NOTE] +> In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server. You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure: ->We'll also create the D:\Logs folder here which will be used later to support server-side logging. - ```powershell New-Item -ItemType Directory -Path "D:\Sources" New-Item -ItemType Directory -Path "D:\Sources\OSD" @@ -203,11 +216,13 @@ To extend the Configuration Manager console with MDT wizards and templates, inst On **CM01**: 1. Sign in as contoso\administrator. -2. Ensure the Configuration Manager Console is closed before continuing. -5. Select Start, type **Configure ConfigManager Integration**, and run the application the following settings: - * Site Server Name: CM01.contoso.com - * Site code: PS1 +2. Ensure the Configuration Manager Console is closed before continuing. + +3. Select Start, type **Configure ConfigManager Integration**, and run the application with the following settings: + + - Site Server Name: CM01.contoso.com + - Site code: PS1 ![figure 8.](../images/mdt-06-fig08.png) 
@@ -219,9 +234,11 @@ Most organizations want to display their name during deployment. In this section On **CM01**: -1. Open the Configuration Manager Console, select the Administration workspace, then select **Client Settings**. -2. In the right pane, right-click **Default Client Settings** and then select **Properties**. -3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and select **OK**. +1. Open the Configuration Manager Console, select the **Administration** workspace, then select **Client Settings**. + +2. In the right pane, right-click **Default Client Settings** and then select **Properties**. + +3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, enter in **Contoso** and select **OK**. ![figure 9.](../images/mdt-06-fig10.png) 
@@ -237,9 +254,11 @@ Configuration Manager uses the Network Access account during the Windows 10 depl On **CM01**: -1. Using the Configuration Manager Console, in the Administration workspace, expand **Site Configuration** and select **Sites**. -2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**. -3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the *New Account* **CONTOSO\\CM\_NAA** as the Network Access account (password: pass@word1). Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share. +1. Using the Configuration Manager Console, in the **Administration** workspace, expand **Site Configuration** and select **Sites**. + +2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**. + +3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the account **CONTOSO\\CM\_NAA** as the Network Access account (password: **pass@word1**). Use the new **Verify** option to verify that the account can connect to the **`\\DC01\sysvol`** network share. ![figure 11.](../images/mdt-06-fig12.png) 
@@ -251,36 +270,39 @@ Configuration Manager has many options for starting a deployment, but starting v On **CM01**: -1. In the Configuration Manager Console, in the Administration workspace, select **Distribution Points**. -2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**. -3. On the **PXE** tab, use the following settings: +1. In the Configuration Manager Console, in the **Administration** workspace, select **Distribution Points**. - * Enable PXE support for clients - * Allow this distribution point to respond to incoming PXE requests - * Enable unknown computer - * Require a password when computers use PXE - * Password and Confirm password: pass@word1 +2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**. + +3. On the **PXE** tab, use the following settings: + + - Enable PXE support for clients + - Allow this distribution point to respond to incoming PXE requests + - Enable unknown computer + - Require a password when computers use PXE + - Password and Confirm password: pass@word1 ![figure 12.](../images/mdt-06-fig13.png) Configure the CM01 distribution point for PXE. - >[!NOTE] - >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). + > [!NOTE] + > If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (**SccmPxe**) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. 
For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). -4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines. +4. Using the CMTrace tool, review the **`C:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log`** file. Look for the **ConfigurePXE** and **CcmInstallPXE** lines. ![figure 13.](../images/mdt-06-fig14.png) - The distmgr.log displays a successful configuration of PXE on the distribution point. + The `distmgr.log` displays a successful configuration of PXE on the distribution point. -5. Verify that you've seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**. +5. Verify that you've seven files in each of the folders **`D:\RemoteInstall\SMSBoot\x86`** and **`D:\RemoteInstall\SMSBoot\x64`**. ![figure 14.](../images/mdt-06-fig15.png) The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE. - **Note**: These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder. + > [!NOTE] + > These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder. Next, see [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md). 
@@ -288,15 +310,24 @@ Next, see [Create a custom Windows PE boot image with Configuration Manager](cre Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are more components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. -- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. -- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. -- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. -- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. -- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. -- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image. -- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. 
For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). -- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. -- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager. +- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. + +- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. + +- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. + +- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. + +- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. + +- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image. + +- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. 
For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). + +- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. + +- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager. + > [!NOTE] > The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10. 
@@ -304,28 +335,31 @@ Operating system deployment with Configuration Manager is part of the normal sof As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name doesn't reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. ->[!NOTE] ->MDT installation requires the following: ->- The Windows ADK for Windows 10 (installed in the previous procedure) ->- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) ->- Microsoft .NET Framework +> [!NOTE] +> MDT installation requires the following: +> +> - The Windows ADK for Windows 10 (installed in the previous procedure) +> - Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) +> - Microsoft .NET Framework ### MDT enables dynamic deployment -When MDT is integrated with Configuration Manager, the task sequence takes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. +When MDT is integrated with Configuration Manager, the task sequence processes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the `CustomSettings.ini` file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. 
Here are a few examples: -- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence. - ``` syntax +- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence. + + ```ini [Settings] Priority=Model [HP EliteBook 8570w] Packages001=PS100010:Install HP Hotkeys ``` -- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop. - ``` syntax +- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop. + + ```ini [Settings] Priority= ByLaptopType, ByDesktopType [ByLaptopType] 
@@ -373,13 +407,17 @@ MDT Zero Touch simply extends Configuration Manager with many useful built-in op ### Why use MDT Lite Touch to create reference images -You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons: +You can create reference images for Configuration Manager in Configuration Manager, but in general it is recommended to create them in MDT Lite Touch for the following reasons: -- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. -- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. -- The Configuration Manager task sequence doesn't suppress user interface interaction. -- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured. -- MDT Lite Touch doesn't require any infrastructure and is easy to delegate. +- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. 
+ +- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. + +- The Configuration Manager task sequence suppresses user interface interaction. + +- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured. + +- MDT Lite Touch doesn't require any infrastructure and is easy to delegate. ## Related articles diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 473643d7e9..d87aff2989 100644 --- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -15,7 +15,7 @@ ms.date: 10/27/2022 # Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager -**Applies to** +*Applies to:* - Windows 10 
@@ -23,29 +23,31 @@ This article will show you how to refresh a Windows 7 SP1 client with Windows 10 A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps: -1. Data and settings are backed up locally in a backup folder. -2. The partition is wiped, except for the backup folder. -3. The new operating system image is applied. -4. Other applications are installed. -5. Data and settings are restored. +1. Data and settings are backed up locally in a backup folder. +2. The partition is wiped, except for the backup folder. +3. The new operating system image is applied. +4. Other applications are installed. +5. Data and settings are restored. ## Infrastructure -An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0003). + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. 
+ - PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10. ->[!NOTE] ->If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. +> [!NOTE] +> If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. -All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ->[!IMPORTANT] ->This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. 
+> [!IMPORTANT] +> This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso** > **Computers** > **Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. ## Verify the Configuration Manager client settings @@ -53,8 +55,10 @@ To verify that PC003 is correctly assigned to the PS1 site: On **PC0003**: -1. Open the Configuration Manager control panel (control smscfgrc). +1. Open the Configuration Manager control panel (`control.exe smscfgrc`). + 2. On the **Site** tab, select **Configure Settings**, then select **Find Site**. + 3. Verify that Configuration Manager has successfully found a site to manage this client is displayed. See the following example. ![Found a site to manage this client.](../images/pc0003a.png) 
@@ -63,49 +67,49 @@ On **PC0003**: On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. Using the Configuration Manager console, in the **Asset and Compliance** workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - * General - * Name: Install Windows 10 Enterprise x64 - * Limited Collection: All Systems - * Membership rules - * Add Rule: Direct rule - * Resource Class: System Resource - * Attribute Name: Name - * Value: PC0003 - * Select Resources - * Select **PC0003** + - General + - Name: Install Windows 10 Enterprise x64 + - Limited Collection: All Systems + - Membership rules + - Add Rule: Direct rule + - Resource Class: System Resource + - Attribute Name: Name + - Value: PC0003 + - Select Resources + - Select **PC0003** - Use the default settings to complete the remaining wizard pages and select **Close**. + Use the default settings to complete the remaining wizard pages and select **Close**. -2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection. +2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection. - >[!NOTE] - >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. + > [!NOTE] + > It may take a short while for the collection to refresh; you can view progress via the `Colleval.log` file. 
If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. ## Create a new deployment On **CM01**: -Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the below settings: +Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the below settings: - General - - Collection: Install Windows 10 Enterprise x64 + - Collection: Install Windows 10 Enterprise x64 - Deployment Settings - - Purpose: Available - - Make available to the following: Configuration Manager clients, media and PXE + - Purpose: Available + - Make available to the following: Configuration Manager clients, media and PXE - >[!NOTE] - >It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. + > [!NOTE] + > It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. - Scheduling - - <default> + - *\* - User Experience - - <default> + - *\* - Alerts - - <default> + - *\* - Distribution Points - - <default> + - *\* ## Initiate a computer refresh 
@@ -113,12 +117,14 @@ Now you can start the computer refresh on PC0003. On **CM01**: -1. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, select **Download Computer Policy**, and then select **OK** in the popup dialog box that appears. +1. Using the Configuration Manager console, in the **Assets and Compliance** workspace, select the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, select **Download Computer Policy**, and then select **OK** in the popup dialog box that appears. On **PC0003**: -1. Open the Software Center (select Start and type **Software Center**, or select the **New software is available** balloon in the system tray), select **Operating Systems** and select the **Windows 10 Enterprise x64 RTM** deployment, then select **Install**. -2. In the **Software Center** warning dialog box, select **Install Operating System**. +1. Open the Software Center (select Start and type **Software Center**, or select the **New software is available** balloon in the system tray), select **Operating Systems** and select the **Windows 10 Enterprise x64 RTM** deployment, then select **Install**. + +2. In the **Software Center** warning dialog box, select **Install Operating System**. + 3. The client computer will run the Configuration Manager task sequence, boot into Windows PE, and install the new OS and applications. See the following examples: ![Task sequence example 1.](../images/pc0003b.png)
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 45a35d3282..dd75747e26 100644 --- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -16,7 +16,7 @@ ms.date: 10/27/2022 # Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -**Applies to** +*Applies to:* - Windows 10 
@@ -26,46 +26,56 @@ In this article, you'll create a backup-only task sequence that you run on PC000 ## Infrastructure -An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). For the purposes of this article, we'll use one server computer (CM01) and two client computers (PC0004, PC0006). + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work. + - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work. + - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced. + - PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004. ->[!NOTE] ->PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. 
However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. +> [!NOTE] +> PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended. -All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ->[!IMPORTANT] ->This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. +> [!IMPORTANT] +> This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. 
Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. ## Create a replace task sequence On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. + 2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and select **Next**. + 3. On the **General** page, assign the following settings and select **Next**: - * Task sequence name: Replace Task Sequence - * Task sequence comments: USMT backup only + - Task sequence name: Replace Task Sequence + - Task sequence comments: USMT backup only 4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**. + 5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then select **Next**. + 6. On the **USMT Package** page, browse and select the **OSD / Microsoft Corporation User State Migration Tool for Windows** package. Then select **Next**. + 7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then select **Next**. + 8. On the **Summary** page, review the details and then select **Next**. + 9. On the **Confirmation** page, select **Finish**. -10. Review the Replace Task Sequence. +10. Review the Replace Task Sequence. - >[!NOTE] - >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence. + > [!NOTE] + > This task sequence has many fewer actions than the normal client task sequence. 
If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence. ![The back-up only task sequence.](../images/mdt-06-fig42.png "The back-up only task sequence") 
@@ -77,70 +87,78 @@ This section walks you through the process of associating a new, blank device (P On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS: -1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet. +1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet. On **CM01**: -2. When you're using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then select **Import Computer Information**. -3. On the **Select Source** page, select **Import single computer** and select **Next**. -4. On the **Single Computer** page, use the following settings and then select **Next**: +1. When you're using the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Devices**, and then select **Import Computer Information**. - * Computer Name: PC0006 - * MAC Address: <the mac address that you wrote down> - * Source Computer: PC0004 +2. On the **Select Source** page, select **Import single computer** and select **Next**. + +3. On the **Single Computer** page, use the following settings and then select **Next**: + + - Computer Name: PC0006 + - MAC Address: *\ + - Source Computer: PC0004 ![Create the computer association.](../images/mdt-06-fig43.png "Create the computer association") Creating the computer association between PC0004 and PC0006. -5. On the **User Accounts** page, select **Capture and restore all user accounts** and select **Next**. -6. On the **Data Preview** page, select **Next**. -7. On the **Choose additional collections** page, select **Add** and then select the **Install Windows 10 Enterprise x64** collection. 
Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then select **Next**. -8. On the **Summary** page, select **Next**, and then select **Close**. -9. Select the **User State Migration** node and review the computer association in the right hand pane. -10. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't. -11. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. +4. On the **User Accounts** page, select **Capture and restore all user accounts** and select **Next**. + +5. On the **Data Preview** page, select **Next**. + +6. On the **Choose additional collections** page, select **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then select **Next**. + +7. On the **Summary** page, select **Next**, and then select **Close**. + +8. Select the **User State Migration** node and review the computer association in the right hand pane. + +9. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't. + +10. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. ## Create a device collection and add the PC0004 computer On **CM01**: -1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. 
When you're using the Configuration Manager console, in the **Asset and Compliance** workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - * General - * Name: USMT Backup (Replace) - * Limited Collection: All Systems - * Membership rules: - * Add Rule: Direct rule - * Resource Class: System Resource - * Attribute Name: Name - * Value: PC0004 - * Select Resources: - * Select **PC0004** + - General + - Name: USMT Backup (Replace) + - Limited Collection: All Systems + - Membership rules: + - Add Rule: Direct rule + - Resource Class: System Resource + - Attribute Name: Name + - Value: PC0004 + - Select Resources: + - Select **PC0004** Use default settings for the remaining wizard pages, then select **Close**. -2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection. +2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection. ## Create a new deployment On **CM01**: -Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings: +Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. 
Use the following settings: -- General - - Collection: USMT Backup (Replace) -- Deployment Settings - - Purpose: Available - - Make available to the following: Only Configuration Manager Clients -- Scheduling - - <default> -- User Experience - - <default> -- Alerts - - <default> -- Distribution Points - - <default> +- General + - Collection: USMT Backup (Replace) +- Deployment Settings + - Purpose: Available + - Make available to the following: Only Configuration Manager Clients +- Scheduling + - *\ +- User Experience + - *\ +- Alerts + - *\ +- Distribution Points + - *\ ## Verify the backup 
@@ -148,15 +166,17 @@ This section assumes that you have a computer named PC0004 with the Configuratio On **PC0004**: -1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc). -2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears. +1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (**`control.exe smscfgrc`**). +2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears. - >[!NOTE] - >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). + > [!NOTE] + > You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). -3. Open the Software Center, select the **Replace Task Sequence** deployment and then select **Install**. -4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. -5. Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes. +3. Open the Software Center, select the **Replace Task Sequence** deployment and then select **Install**. + +4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. + +5. Allow the Replace Task Sequence to complete. 
The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes. ![Task sequence example.](../images/pc0004b.png) @@ -164,11 +184,12 @@ Capturing the user state On **CM01**: -6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup. -7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location. +1. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup. - >[!NOTE] - >It may take a few minutes for the user state store location to be populated. +2. Using the Configuration Manager console, in the **Assets and Compliance** workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location. + + > [!NOTE] + > It may take a few minutes for the user state store location to be populated. ## Deploy the new computer 
@@ -176,16 +197,16 @@ On **PC0006**: 1. Start the PC0006 virtual machine (or physical computer), press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings: - * Password: pass@word1 - * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM + - Password: pass@word1 + - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM -2. The setup now starts and does the following steps: +2. The setup now starts and does the following steps: - * Installs the Windows 10 operating system - * Installs the Configuration Manager client - * Joins it to the domain - * Installs the applications - * Restores the PC0004 backup + - Installs the Windows 10 operating system + - Installs the Configuration Manager client + - Joins it to the domain + - Installs the applications + - Restores the PC0004 backup When the process is complete, you'll have a new Windows 10 computer in your domain with user data and settings restored. See the following examples: diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md index 687b63ad7c..db3236d549 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md 
@@ -15,25 +15,25 @@ ms.date: 10/27/2022 # Perform an in-place upgrade to Windows 10 using Configuration Manager +*Applies to:* -**Applies to** - -- Windows 10 +- Windows 10 The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Configuration Manager task sequence to completely automate the process. ->[!IMPORTANT] ->Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10. +> [!IMPORTANT] +> Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10. ## Infrastructure -An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. 
For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0004). + - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10. -All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required. But each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the `contoso.com` domain. Internet connectivity is also required to download OS and application updates. 
@@ -43,30 +43,40 @@ Configuration Manager Current Branch includes a native in-place upgrade task. Th On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and select **Add Operating System Upgrade Package**. -2. On the **Data Source** page, under **Path**, select **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and select **Add Operating System Upgrade Package**. + +2. On the **Data Source** page, under **Path**, select **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **`\\cm01\Sources$\OSD\UpgradePackages\Windows 10`**. + 3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we've chosen **Windows 10 Enterprise**. + 4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then select **Next**. + 5. Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**. -6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**. -7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**. -8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). 
You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. + +6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**. + +7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**. + +8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the **`D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log`** file and look for the **STATMSG: ID=2301** line. ## Create an in-place upgrade task sequence On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**. +1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**. + 2. On the **Create a new task sequence** page, select **Upgrade an operating system from an upgrade package** and select **Next**. + 3. Use the below settings to complete the wizard: - * Task sequence name: Upgrade Task Sequence - * Description: In-place upgrade - * Upgrade package: Windows 10 x64 RTM - * Include software updates: Don't install any software updates - * Install applications: OSD \ Adobe Acrobat Reader DC + - Task sequence name: Upgrade Task Sequence + - Description: In-place upgrade + - Upgrade package: Windows 10 x64 RTM + - Include software updates: Don't install any software updates + - Install applications: OSD \ Adobe Acrobat Reader DC 4. Complete the wizard, and select **Close**. + 5. Review the Upgrade Task Sequence. ![The upgrade task sequence.](../images/cm-upgrade-ts.png) 
@@ -79,7 +89,7 @@ After you create the upgrade task sequence, you can create a collection to test On **CM01**: -1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. When you're using the Configuration Manager console, in the **Asset and Compliance** workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - General - Name: Windows 10 x64 in-place upgrade - Limited Collection: All Systems @@ -91,7 +101,7 @@ On **CM01**: - Select Resources - Select PC0004 -2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection. +2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection. ## Deploy the Windows 10 upgrade 
@@ -99,15 +109,23 @@ In this section, you create a deployment for the Windows 10 Enterprise x64 Updat On **CM01**: -1. Using the Configuration Manager console, in the Software Library workspace, right-click the **Upgrade Task Sequence** task sequence, and then select **Deploy**. -2. On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then select **Next**. -3. On the **Content** page, select **Next**. -4. On the **Deployment Settings** page, select **Next**: -5. On the **Scheduling** page, accept the default settings, and then select **Next**. -6. On the **User Experience** page, accept the default settings, and then select **Next**. -7. On the **Alerts** page, accept the default settings, and then select **Next**. -7. On the **Distribution Points** page, accept the default settings, and then select **Next**. -8. On the **Summary** page, select **Next**, and then select **Close**. +1. Using the Configuration Manager console, in the **Software Library** workspace, right-click the **Upgrade Task Sequence** task sequence, and then select **Deploy**. + +2. On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then select **Next**. + +3. On the **Content** page, select **Next**. + +4. On the **Deployment Settings** page, select **Next**: + +5. On the **Scheduling** page, accept the default settings, and then select **Next**. + +6. On the **User Experience** page, accept the default settings, and then select **Next**. + +7. On the **Alerts** page, accept the default settings, and then select **Next**. + +8. On the **Distribution Points** page, accept the default settings, and then select **Next**. + +9. On the **Summary** page, select **Next**, and then select **Close**. ## Start the Windows 10 upgrade 
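Review bot: step 4 in this hunk still ends with a colon (`4. On the **Deployment Settings** page, select **Next**:`) while every other step in the list ends with a period; since the renumbering already touches the whole list (the duplicated `7.` becomes `8.` and `9.`), change that colon to a period in the same change.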
@@ -115,15 +133,18 @@ Next, run the in-place upgrade task sequence on PC0004. On **PC0004**: -1. Open the Configuration Manager control panel (control smscfgrc). -2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears. +1. Open the Configuration Manager control panel (`control.exe smscfgrc`). - >[!NOTE] - >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). +2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears. -3. Open the Software Center, select the **Upgrade Task Sequence** deployment and then select **Install**. -4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. -5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the install.wim file, perform an in-place upgrade, and install your added applications. See the following examples: + > [!NOTE] + > You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md). + +3. Open the Software Center, select the **Upgrade Task Sequence** deployment and then select **Install**. + +4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again. + +5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the **Operating System Upgrade Package** (the Windows installation source files), perform an in-place upgrade, and install your added applications. 
See the following examples: ![Upgrade task sequence example 1.](../images/pc0004-a.png)
![Upgrade task sequence example 2.](../images/pc0004-b.png)
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 52315a8851..14c8c0cf25 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -6,6 +6,7 @@ manager: aaroncz author: frankroj ms.author: frankroj ms.prod: windows-client +ms.technology: itpro-deploy ms.topic: article ms.custom: seo-marvel-apr2020 ms.date: 10/31/2022 diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 4589ac5834..07805dc6fb 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml 
@@ -1,51 +1,67 @@ -- name: Delivery Optimization for Windows client +- name: Delivery Optimization for Windows client and Microsoft Connected Cache href: index.yml +- name: What's new + href: whats-new-do.md items: - - name: Get started - items: - - name: What is Delivery Optimization - href: waas-delivery-optimization.md - - name: What's new - href: whats-new-do.md - - name: Delivery Optimization Frequently Asked Questions - href: waas-delivery-optimization-faq.yml - - - - - name: Configure Delivery Optimization +- name: Delivery Optimization + items: + - name: What is Delivery Optimization + href: waas-delivery-optimization.md + - name: Delivery Optimization Frequently Asked Questions + href: waas-delivery-optimization-faq.yml + - name: Configure Delivery Optimization for Windows clients + items: + - name: Windows client Delivery Optimization settings + href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings + - name: Configure Delivery Optimization settings using Microsoft Intune + href: /mem/intune/configuration/delivery-optimization-windows + - name: Resources for Delivery Optimization + items: + - name: Set up Delivery Optimization for Windows + href: waas-delivery-optimization-setup.md + - name: Delivery Optimization reference + href: waas-delivery-optimization-reference.md + - name: Delivery Optimization client-service communication + href: delivery-optimization-workflow.md + - name: Using a proxy with Delivery Optimization + href: delivery-optimization-proxy.md +- name: Microsoft Connected Cache + items: + - name: Microsoft Connected Cache overview + href: waas-microsoft-connected-cache.md + - name: MCC for Enterprise and Education items: - - name: Configure Windows Clients - items: - - name: Windows Delivery Optimization settings - href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings - - name: Windows Delivery Optimization Frequently Asked Questions - href: 
../do/waas-delivery-optimization-faq.yml - - name: Configure Microsoft Intune - items: - - name: Delivery Optimization settings in Microsoft Intune - href: /mem/intune/configuration/delivery-optimization-windows - - - name: Microsoft Connected Cache + - name: Requirements + href: mcc-enterprise-prerequisites.md + - name: Deploy Microsoft Connected Cache + href: mcc-enterprise-deploy.md + - name: Update or uninstall MCC + href: mcc-enterprise-update-uninstall.md + - name: Appendix + href: mcc-enterprise-appendix.md + - name: MCC for ISPs items: - - name: MCC overview - href: waas-microsoft-connected-cache.md - - name: MCC for Enterprise and Education - href: mcc-enterprise.md - - name: MCC for ISPs + - name: How-to guides + items: + - name: Operator sign up and service onboarding + href: mcc-isp-signup.md + - name: Create, provision, and deploy the cache node in Azure portal + href: mcc-isp-create-provision-deploy.md + - name: Verify cache node functionality and monitor health and performance + href: mcc-isp-verify-cache-node.md + - name: Update or uninstall your cache node + href: mcc-isp-update.md + - name: Resources + items: + - name: Frequently Asked Questions + href: mcc-isp-faq.yml + - name: Enhancing VM performance + href: mcc-isp-vm-performance.md + - name: Support and troubleshooting + href: mcc-isp-support.md + - name: MCC for ISPs (early preview) href: mcc-isp.md +- name: Content endpoints for Delivery Optimization and Microsoft Connected Cache + href: delivery-optimization-endpoints.md - - name: Resources - items: - - name: Set up Delivery Optimization for Windows - href: waas-delivery-optimization-setup.md - - name: Delivery Optimization reference - href: waas-delivery-optimization-reference.md - - name: Delivery Optimization client-service communication - href: delivery-optimization-workflow.md - - name: Using a proxy with Delivery Optimization - href: delivery-optimization-proxy.md - - name: Content endpoints for Delivery Optimization and Microsoft 
Connected Cache - href: delivery-optimization-endpoints.md - - name: Testing Delivery Optimization - href: delivery-optimization-test.md - + diff --git a/windows/deployment/do/images/addcachenode.png b/windows/deployment/do/images/addcachenode.png new file mode 100644 index 0000000000..ea8db2a08a Binary files /dev/null and b/windows/deployment/do/images/addcachenode.png differ diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md new file mode 100644 index 0000000000..f97aed1785 --- /dev/null +++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md 
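Review bot: the TOC rewrite drops the `Testing Delivery Optimization` entry (`href: delivery-optimization-test.md`) without re-adding it anywhere in the new tree, so either confirm the page is intentionally orphaned or restore it under the Delivery Optimization resources. Two smaller points in the same hunk: the final added line is whitespace-only (`+ `) and should be removed, and `MCC for ISPs (early preview)` (`href: mcc-isp.md`) is kept next to the new `MCC for ISPs` section; if the preview page is superseded, its entry should go the same way as the removed `mcc-enterprise.md` entry.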
@@ -0,0 +1,30 @@ +--- +title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diagnose/Solve feature UI +manager: aaroncz +description: Elixir images read me file +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: nidos +ms.localizationpriority: medium +ms.author: nidos +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Read Me + +This file contains the images that are included in this GitHub repository that are used by the Azure UI for Diagnose and Solve. The following images _shouldn't be removed_ from the repository: + +:::image type="content" source="ux-check-verbose-2.png" alt-text="A screenshot that shows 6 out of the 22 checks raising errors."::: + +:::image type="content" source="ux-check-verbose-1.png" alt-text="A screenshot that all checks passing after the iotedge check command."::: + +:::image type="content" source="ux-connectivity-check.png" alt-text="A screenshot of green checkmarks, showing that all of the connectivity checks are successful."::: + +:::image type="content" source="ux-edge-agent-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', which shows three containers and the edgeAgent container failing."::: + +:::image type="content" source="ux-iot-edge-list.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing all three containers running successfully."::: + +:::image type="content" source="ux-mcc-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing the MCC container in a failure state."::: \ No newline at end of file diff --git a/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png b/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png new file mode 100644 index 0000000000..692416d04c Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png differ 
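Review bot: the new readme's front matter uses `ms.prod: w10` together with `ms.mktglfcycl`, `audience` and `keywords` keys, while the other articles in this patch are being moved to `ms.prod: windows-client` with `ms.technology: itpro-deploy`; align this file's metadata with the rest of the `do/` folder so it is not the one outlier. In the same hunk, the file ends without a trailing newline (`\ No newline at end of file`), and the alt text `A screenshot that all checks passing after the iotedge check command.` is missing its verb (`A screenshot that shows all checks passing ...`).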
diff --git a/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png b/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png new file mode 100644 index 0000000000..5f232fe0c6 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png b/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png new file mode 100644 index 0000000000..0e72c45b33 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png b/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png new file mode 100644 index 0000000000..1ce0e3e929 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png b/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png new file mode 100644 index 0000000000..a26638a119 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png differ diff --git a/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png b/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png new file mode 100644 index 0000000000..b82d0e4441 Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png differ diff --git a/windows/deployment/do/images/emcc07.png b/windows/deployment/do/images/emcc07.png deleted file mode 100644 index 21420eab09..0000000000 Binary files a/windows/deployment/do/images/emcc07.png and /dev/null differ diff --git a/windows/deployment/do/images/emcc10.png b/windows/deployment/do/images/emcc10.png deleted file mode 100644 index 77c8754bf5..0000000000 Binary files a/windows/deployment/do/images/emcc10.png and /dev/null differ 
diff --git a/windows/deployment/do/images/emcc06.png b/windows/deployment/do/images/ent-mcc-azure-cache-created.png similarity index 100% rename from windows/deployment/do/images/emcc06.png rename to windows/deployment/do/images/ent-mcc-azure-cache-created.png diff --git a/windows/deployment/do/images/emcc05.png b/windows/deployment/do/images/ent-mcc-azure-create-connected-cache.png similarity index 100% rename from windows/deployment/do/images/emcc05.png rename to windows/deployment/do/images/ent-mcc-azure-create-connected-cache.png diff --git a/windows/deployment/do/images/emcc04.png b/windows/deployment/do/images/ent-mcc-azure-marketplace.png similarity index 100% rename from windows/deployment/do/images/emcc04.png rename to windows/deployment/do/images/ent-mcc-azure-marketplace.png diff --git a/windows/deployment/do/images/emcc03.png b/windows/deployment/do/images/ent-mcc-azure-search-result.png similarity index 100% rename from windows/deployment/do/images/emcc03.png rename to windows/deployment/do/images/ent-mcc-azure-search-result.png diff --git a/windows/deployment/do/images/emcc08.png b/windows/deployment/do/images/ent-mcc-cache-nodes.png similarity index 100% rename from windows/deployment/do/images/emcc08.png rename to windows/deployment/do/images/ent-mcc-cache-nodes.png diff --git a/windows/deployment/do/images/emcc20.png b/windows/deployment/do/images/ent-mcc-connect-eflowvm.png similarity index 100% rename from windows/deployment/do/images/emcc20.png rename to windows/deployment/do/images/ent-mcc-connect-eflowvm.png diff --git a/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png b/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png new file mode 100644 index 0000000000..45cb01de9f Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png differ 
diff --git a/windows/deployment/do/images/emcc02.png b/windows/deployment/do/images/ent-mcc-create-azure-resource.png similarity index 100% rename from windows/deployment/do/images/emcc02.png rename to windows/deployment/do/images/ent-mcc-create-azure-resource.png diff --git a/windows/deployment/do/images/ent-mcc-create-cache-failed.png b/windows/deployment/do/images/ent-mcc-create-cache-failed.png new file mode 100644 index 0000000000..5c2ac09d56 Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-create-cache-failed.png differ diff --git a/windows/deployment/do/images/emcc09.5.png b/windows/deployment/do/images/ent-mcc-create-cache-node-name.png similarity index 100% rename from windows/deployment/do/images/emcc09.5.png rename to windows/deployment/do/images/ent-mcc-create-cache-node-name.png diff --git a/windows/deployment/do/images/emcc09.png b/windows/deployment/do/images/ent-mcc-create-cache-node.png similarity index 100% rename from windows/deployment/do/images/emcc09.png rename to windows/deployment/do/images/ent-mcc-create-cache-node.png diff --git a/windows/deployment/do/images/emcc11.png b/windows/deployment/do/images/ent-mcc-delete-cache-node.png similarity index 100% rename from windows/deployment/do/images/emcc11.png rename to windows/deployment/do/images/ent-mcc-delete-cache-node.png diff --git a/windows/deployment/do/images/emcc29.png b/windows/deployment/do/images/ent-mcc-delivery-optimization-activity.png similarity index 100% rename from windows/deployment/do/images/emcc29.png rename to windows/deployment/do/images/ent-mcc-delivery-optimization-activity.png diff --git a/windows/deployment/do/images/emcc12.png b/windows/deployment/do/images/ent-mcc-download-installer.png similarity index 100% rename from windows/deployment/do/images/emcc12.png rename to windows/deployment/do/images/ent-mcc-download-installer.png 
diff --git a/windows/deployment/do/images/emcc28.png b/windows/deployment/do/images/ent-mcc-get-deliveryoptimizationstatus.png similarity index 100% rename from windows/deployment/do/images/emcc28.png rename to windows/deployment/do/images/ent-mcc-get-deliveryoptimizationstatus.png diff --git a/windows/deployment/do/images/emcc26.png b/windows/deployment/do/images/ent-mcc-group-policy-hostname.png similarity index 100% rename from windows/deployment/do/images/emcc26.png rename to windows/deployment/do/images/ent-mcc-group-policy-hostname.png diff --git a/windows/deployment/do/images/emcc13.png b/windows/deployment/do/images/ent-mcc-installer-script.png similarity index 100% rename from windows/deployment/do/images/emcc13.png rename to windows/deployment/do/images/ent-mcc-installer-script.png diff --git a/windows/deployment/do/images/emcc23.png b/windows/deployment/do/images/ent-mcc-intune-do.png similarity index 100% rename from windows/deployment/do/images/emcc23.png rename to windows/deployment/do/images/ent-mcc-intune-do.png diff --git a/windows/deployment/do/images/emcc24.png b/windows/deployment/do/images/ent-mcc-iotedge-list.png similarity index 100% rename from windows/deployment/do/images/emcc24.png rename to windows/deployment/do/images/ent-mcc-iotedge-list.png diff --git a/windows/deployment/do/images/emcc25.png b/windows/deployment/do/images/ent-mcc-journalctl.png similarity index 100% rename from windows/deployment/do/images/emcc25.png rename to windows/deployment/do/images/ent-mcc-journalctl.png diff --git a/windows/deployment/do/images/emcc01.png b/windows/deployment/do/images/ent-mcc-overview.png similarity index 100% rename from windows/deployment/do/images/emcc01.png rename to windows/deployment/do/images/ent-mcc-overview.png 
diff --git a/windows/deployment/do/images/emcc19.png b/windows/deployment/do/images/ent-mcc-script-complete.png similarity index 100% rename from windows/deployment/do/images/emcc19.png rename to windows/deployment/do/images/ent-mcc-script-complete.png diff --git a/windows/deployment/do/images/emcc17.png b/windows/deployment/do/images/ent-mcc-script-device-code.png similarity index 100% rename from windows/deployment/do/images/emcc17.png rename to windows/deployment/do/images/ent-mcc-script-device-code.png diff --git a/windows/deployment/do/images/emcc16.png b/windows/deployment/do/images/ent-mcc-script-dynamic-address.png similarity index 100% rename from windows/deployment/do/images/emcc16.png rename to windows/deployment/do/images/ent-mcc-script-dynamic-address.png diff --git a/windows/deployment/do/images/emcc15.png b/windows/deployment/do/images/ent-mcc-script-existing-switch.png similarity index 100% rename from windows/deployment/do/images/emcc15.png rename to windows/deployment/do/images/ent-mcc-script-existing-switch.png diff --git a/windows/deployment/do/images/emcc14.png b/windows/deployment/do/images/ent-mcc-script-new-switch.png similarity index 100% rename from windows/deployment/do/images/emcc14.png rename to windows/deployment/do/images/ent-mcc-script-new-switch.png diff --git a/windows/deployment/do/images/emcc18.png b/windows/deployment/do/images/ent-mcc-script-select-hub.png similarity index 100% rename from windows/deployment/do/images/emcc18.png rename to windows/deployment/do/images/ent-mcc-script-select-hub.png diff --git a/windows/deployment/do/images/emcc27.png b/windows/deployment/do/images/ent-mcc-store-example-download.png similarity index 100% rename from windows/deployment/do/images/emcc27.png rename to windows/deployment/do/images/ent-mcc-store-example-download.png 
diff --git a/windows/deployment/do/images/emcc22.png b/windows/deployment/do/images/ent-mcc-verify-server-powershell.png similarity index 100% rename from windows/deployment/do/images/emcc22.png rename to windows/deployment/do/images/ent-mcc-verify-server-powershell.png diff --git a/windows/deployment/do/images/emcc21.png b/windows/deployment/do/images/ent-mcc-verify-server-ssh.png similarity index 100% rename from windows/deployment/do/images/emcc21.png rename to windows/deployment/do/images/ent-mcc-verify-server-ssh.png diff --git a/windows/deployment/do/images/imcc07.png b/windows/deployment/do/images/imcc07.png deleted file mode 100644 index 31668ba8a1..0000000000 Binary files a/windows/deployment/do/images/imcc07.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc21.png b/windows/deployment/do/images/imcc21.png deleted file mode 100644 index 5bd68d66c5..0000000000 Binary files a/windows/deployment/do/images/imcc21.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc48.png b/windows/deployment/do/images/imcc48.png deleted file mode 100644 index eb53b7a5be..0000000000 Binary files a/windows/deployment/do/images/imcc48.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc49.png b/windows/deployment/do/images/imcc49.png deleted file mode 100644 index eb53b7a5be..0000000000 Binary files a/windows/deployment/do/images/imcc49.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc53.png b/windows/deployment/do/images/imcc53.png deleted file mode 100644 index ddec14d717..0000000000 Binary files a/windows/deployment/do/images/imcc53.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc54.png b/windows/deployment/do/images/imcc54.png deleted file mode 100644 index c40ab0c5c9..0000000000 Binary files a/windows/deployment/do/images/imcc54.png and /dev/null differ 
diff --git a/windows/deployment/do/images/imcc24.png b/windows/deployment/do/images/mcc-isp-bash-allocate-space.png similarity index 100% rename from windows/deployment/do/images/imcc24.png rename to windows/deployment/do/images/mcc-isp-bash-allocate-space.png diff --git a/windows/deployment/do/images/imcc23.png b/windows/deployment/do/images/mcc-isp-bash-datadrive.png similarity index 100% rename from windows/deployment/do/images/imcc23.png rename to windows/deployment/do/images/mcc-isp-bash-datadrive.png diff --git a/windows/deployment/do/images/imcc20.png b/windows/deployment/do/images/mcc-isp-bash-device-code.png similarity index 100% rename from windows/deployment/do/images/imcc20.png rename to windows/deployment/do/images/mcc-isp-bash-device-code.png diff --git a/windows/deployment/do/images/imcc22.png b/windows/deployment/do/images/mcc-isp-bash-drive-number.png similarity index 100% rename from windows/deployment/do/images/imcc22.png rename to windows/deployment/do/images/mcc-isp-bash-drive-number.png diff --git a/windows/deployment/do/images/imcc25.png b/windows/deployment/do/images/mcc-isp-bash-iot-prompt.png similarity index 100% rename from windows/deployment/do/images/imcc25.png rename to windows/deployment/do/images/mcc-isp-bash-iot-prompt.png diff --git a/windows/deployment/do/images/imcc08.png b/windows/deployment/do/images/mcc-isp-cache-nodes-option.png similarity index 100% rename from windows/deployment/do/images/imcc08.png rename to windows/deployment/do/images/mcc-isp-cache-nodes-option.png diff --git a/windows/deployment/do/images/imcc19.png b/windows/deployment/do/images/mcc-isp-copy-install-script.png similarity index 100% rename from windows/deployment/do/images/imcc19.png rename to windows/deployment/do/images/mcc-isp-copy-install-script.png 
diff --git a/windows/deployment/do/images/imcc10.png b/windows/deployment/do/images/mcc-isp-create-cache-node-fields.png similarity index 100% rename from windows/deployment/do/images/imcc10.png rename to windows/deployment/do/images/mcc-isp-create-cache-node-fields.png diff --git a/windows/deployment/do/images/imcc09.png b/windows/deployment/do/images/mcc-isp-create-cache-node-option.png similarity index 100% rename from windows/deployment/do/images/imcc09.png rename to windows/deployment/do/images/mcc-isp-create-cache-node-option.png diff --git a/windows/deployment/do/images/imcc12.png b/windows/deployment/do/images/mcc-isp-create-new-node.png similarity index 100% rename from windows/deployment/do/images/imcc12.png rename to windows/deployment/do/images/mcc-isp-create-new-node.png diff --git a/windows/deployment/do/images/imcc13.png b/windows/deployment/do/images/mcc-isp-create-node-form.png similarity index 100% rename from windows/deployment/do/images/imcc13.png rename to windows/deployment/do/images/mcc-isp-create-node-form.png diff --git a/windows/deployment/do/images/imcc02.png b/windows/deployment/do/images/mcc-isp-create-resource.png similarity index 100% rename from windows/deployment/do/images/imcc02.png rename to windows/deployment/do/images/mcc-isp-create-resource.png diff --git a/windows/deployment/do/images/imcc04.png b/windows/deployment/do/images/mcc-isp-create.png similarity index 100% rename from windows/deployment/do/images/imcc04.png rename to windows/deployment/do/images/mcc-isp-create.png diff --git a/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png b/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png new file mode 100644 index 0000000000..17fb6a18f1 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png differ 
diff --git a/windows/deployment/do/images/imcc06.png b/windows/deployment/do/images/mcc-isp-deployment-complete.png similarity index 100% rename from windows/deployment/do/images/imcc06.png rename to windows/deployment/do/images/mcc-isp-deployment-complete.png diff --git a/windows/deployment/do/images/imcc01.png b/windows/deployment/do/images/mcc-isp-diagram.png similarity index 100% rename from windows/deployment/do/images/imcc01.png rename to windows/deployment/do/images/mcc-isp-diagram.png diff --git a/windows/deployment/do/images/imcc27.png b/windows/deployment/do/images/mcc-isp-edge-journalctl.png similarity index 100% rename from windows/deployment/do/images/imcc27.png rename to windows/deployment/do/images/mcc-isp-edge-journalctl.png diff --git a/windows/deployment/do/images/imcc42.png b/windows/deployment/do/images/mcc-isp-gnu-grub.png similarity index 100% rename from windows/deployment/do/images/imcc42.png rename to windows/deployment/do/images/mcc-isp-gnu-grub.png diff --git a/windows/deployment/do/images/imcc31.png b/windows/deployment/do/images/mcc-isp-hyper-v-begin.png similarity index 100% rename from windows/deployment/do/images/imcc31.png rename to windows/deployment/do/images/mcc-isp-hyper-v-begin.png diff --git a/windows/deployment/do/images/imcc36.png b/windows/deployment/do/images/mcc-isp-hyper-v-disk.png similarity index 100% rename from windows/deployment/do/images/imcc36.png rename to windows/deployment/do/images/mcc-isp-hyper-v-disk.png diff --git a/windows/deployment/do/images/imcc33.png b/windows/deployment/do/images/mcc-isp-hyper-v-generation.png similarity index 100% rename from windows/deployment/do/images/imcc33.png rename to windows/deployment/do/images/mcc-isp-hyper-v-generation.png 
diff --git a/windows/deployment/do/images/imcc37.png b/windows/deployment/do/images/mcc-isp-hyper-v-installation-options.png similarity index 100% rename from windows/deployment/do/images/imcc37.png rename to windows/deployment/do/images/mcc-isp-hyper-v-installation-options.png diff --git a/windows/deployment/do/images/imcc34.png b/windows/deployment/do/images/mcc-isp-hyper-v-memory.png similarity index 100% rename from windows/deployment/do/images/imcc34.png rename to windows/deployment/do/images/mcc-isp-hyper-v-memory.png diff --git a/windows/deployment/do/images/imcc32.png b/windows/deployment/do/images/mcc-isp-hyper-v-name.png similarity index 100% rename from windows/deployment/do/images/imcc32.png rename to windows/deployment/do/images/mcc-isp-hyper-v-name.png diff --git a/windows/deployment/do/images/imcc35.png b/windows/deployment/do/images/mcc-isp-hyper-v-networking.png similarity index 100% rename from windows/deployment/do/images/imcc35.png rename to windows/deployment/do/images/mcc-isp-hyper-v-networking.png diff --git a/windows/deployment/do/images/imcc38.png b/windows/deployment/do/images/mcc-isp-hyper-v-summary.png similarity index 100% rename from windows/deployment/do/images/imcc38.png rename to windows/deployment/do/images/mcc-isp-hyper-v-summary.png diff --git a/windows/deployment/do/images/imcc41.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-processor.png similarity index 100% rename from windows/deployment/do/images/imcc41.png rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-processor.png diff --git a/windows/deployment/do/images/imcc40.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-security.png similarity index 100% rename from windows/deployment/do/images/imcc40.png rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-security.png 
diff --git a/windows/deployment/do/images/imcc39.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-settings.png similarity index 100% rename from windows/deployment/do/images/imcc39.png rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-settings.png diff --git a/windows/deployment/do/images/imcc18.png b/windows/deployment/do/images/mcc-isp-installer-download.png similarity index 100% rename from windows/deployment/do/images/imcc18.png rename to windows/deployment/do/images/mcc-isp-installer-download.png diff --git a/windows/deployment/do/images/imcc16.png b/windows/deployment/do/images/mcc-isp-list-nodes.png similarity index 100% rename from windows/deployment/do/images/imcc16.png rename to windows/deployment/do/images/mcc-isp-list-nodes.png diff --git a/windows/deployment/do/images/imcc05.png b/windows/deployment/do/images/mcc-isp-location-west.png similarity index 100% rename from windows/deployment/do/images/imcc05.png rename to windows/deployment/do/images/mcc-isp-location-west.png diff --git a/windows/deployment/do/images/mcc-isp-metrics.png b/windows/deployment/do/images/mcc-isp-metrics.png new file mode 100644 index 0000000000..1ca9078f3e Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-metrics.png differ diff --git a/windows/deployment/do/images/imcc30.png b/windows/deployment/do/images/mcc-isp-nmcli.png similarity index 100% rename from windows/deployment/do/images/imcc30.png rename to windows/deployment/do/images/mcc-isp-nmcli.png diff --git a/windows/deployment/do/images/imcc17.png b/windows/deployment/do/images/mcc-isp-node-configuration.png similarity index 100% rename from windows/deployment/do/images/imcc17.png rename to windows/deployment/do/images/mcc-isp-node-configuration.png diff --git a/windows/deployment/do/images/imcc15.png b/windows/deployment/do/images/mcc-isp-node-names.png similarity index 100% rename from windows/deployment/do/images/imcc15.png rename to windows/deployment/do/images/mcc-isp-node-names.png 
diff --git a/windows/deployment/do/images/imcc11.png b/windows/deployment/do/images/mcc-isp-node-server-ip.png similarity index 100% rename from windows/deployment/do/images/imcc11.png rename to windows/deployment/do/images/mcc-isp-node-server-ip.png diff --git a/windows/deployment/do/images/mcc-isp-operator-verification.png b/windows/deployment/do/images/mcc-isp-operator-verification.png new file mode 100644 index 0000000000..3641761e0a Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-operator-verification.png differ diff --git a/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png b/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png new file mode 100644 index 0000000000..e61bb78fc4 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png differ diff --git a/windows/deployment/do/images/imcc26.png b/windows/deployment/do/images/mcc-isp-running-containers.png similarity index 100% rename from windows/deployment/do/images/imcc26.png rename to windows/deployment/do/images/mcc-isp-running-containers.png diff --git a/windows/deployment/do/images/imcc03.png b/windows/deployment/do/images/mcc-isp-search-marketplace.png similarity index 100% rename from windows/deployment/do/images/imcc03.png rename to windows/deployment/do/images/mcc-isp-search-marketplace.png diff --git a/windows/deployment/do/images/mcc-isp-search.png b/windows/deployment/do/images/mcc-isp-search.png new file mode 100644 index 0000000000..4ab4f0b0d6 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-search.png differ diff --git a/windows/deployment/do/images/mcc-isp-sign-up.png b/windows/deployment/do/images/mcc-isp-sign-up.png new file mode 100644 index 0000000000..0bc62894c6 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-sign-up.png differ 
diff --git a/windows/deployment/do/images/imcc14.png b/windows/deployment/do/images/mcc-isp-success-instructions.png similarity index 100% rename from windows/deployment/do/images/imcc14.png rename to windows/deployment/do/images/mcc-isp-success-instructions.png diff --git a/windows/deployment/do/images/imcc45.png b/windows/deployment/do/images/mcc-isp-ubuntu-erase-disk.png similarity index 100% rename from windows/deployment/do/images/imcc45.png rename to windows/deployment/do/images/mcc-isp-ubuntu-erase-disk.png diff --git a/windows/deployment/do/images/imcc44.png b/windows/deployment/do/images/mcc-isp-ubuntu-keyboard.png similarity index 100% rename from windows/deployment/do/images/imcc44.png rename to windows/deployment/do/images/mcc-isp-ubuntu-keyboard.png diff --git a/windows/deployment/do/images/imcc43.png b/windows/deployment/do/images/mcc-isp-ubuntu-language.png similarity index 100% rename from windows/deployment/do/images/imcc43.png rename to windows/deployment/do/images/mcc-isp-ubuntu-language.png diff --git a/windows/deployment/do/images/imcc51.png b/windows/deployment/do/images/mcc-isp-ubuntu-restart.png similarity index 100% rename from windows/deployment/do/images/imcc51.png rename to windows/deployment/do/images/mcc-isp-ubuntu-restart.png diff --git a/windows/deployment/do/images/imcc47.png b/windows/deployment/do/images/mcc-isp-ubuntu-time-zone.png similarity index 100% rename from windows/deployment/do/images/imcc47.png rename to windows/deployment/do/images/mcc-isp-ubuntu-time-zone.png diff --git a/windows/deployment/do/images/imcc52.png b/windows/deployment/do/images/mcc-isp-ubuntu-upgrade.png similarity index 100% rename from windows/deployment/do/images/imcc52.png rename to windows/deployment/do/images/mcc-isp-ubuntu-upgrade.png 
diff --git a/windows/deployment/do/images/imcc50.png b/windows/deployment/do/images/mcc-isp-ubuntu-who.png similarity index 100% rename from windows/deployment/do/images/imcc50.png rename to windows/deployment/do/images/mcc-isp-ubuntu-who.png diff --git a/windows/deployment/do/images/imcc46.png b/windows/deployment/do/images/mcc-isp-ubuntu-write-changes.png similarity index 100% rename from windows/deployment/do/images/imcc46.png rename to windows/deployment/do/images/mcc-isp-ubuntu-write-changes.png diff --git a/windows/deployment/do/images/imcc55.PNG b/windows/deployment/do/images/mcc-isp-use-bgp.png similarity index 100% rename from windows/deployment/do/images/imcc55.PNG rename to windows/deployment/do/images/mcc-isp-use-bgp.png diff --git a/windows/deployment/do/images/imcc28.png b/windows/deployment/do/images/mcc-isp-wget.png similarity index 100% rename from windows/deployment/do/images/imcc28.png rename to windows/deployment/do/images/mcc-isp-wget.png diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md new file mode 100644 index 0000000000..114671fd5e --- /dev/null +++ b/windows/deployment/do/includes/get-azure-subscription.md 
@@ -0,0 +1,17 @@ +--- +author: amymzhou +ms.author: amyzhou +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.localizationpriority: medium +--- + + +1. Sign in to the [Azure portal](https://portal.azure.com). +1. Select **Subscriptions**. If you don't see **Subscriptions**, type **Subscriptions** in the search bar. As you begin typing, the list filters based on your input. +1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. +1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. +1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name. +1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. \ No newline at end of file diff --git a/windows/deployment/do/includes/mcc-prerequisites.md b/windows/deployment/do/includes/mcc-prerequisites.md new file mode 100644 index 0000000000..f90bc995e6 --- /dev/null +++ b/windows/deployment/do/includes/mcc-prerequisites.md @@ -0,0 +1,17 @@ +--- +author: amyzhou +ms.author: amyzhou +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.date: 11/09/2022 +ms.localizationpriority: medium +--- + + +Peak Egress | Hardware Specifications| +---|---| +< 5G Peak | VM with 8 cores, 16 GB memory, 1 SSD Drive 500GB| +10 - 20G Peak | VM with 16 cores, 32 GB memory, 2 - 3 SSD Drives 1 TB| +20 - 40G Peak | Hardware (sample hardware spec) with 32 cores, 64 GB memory, 4 - 6 SSDs 1 TB | \ No newline at end of file diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index c9373755d6..654cd9f309 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml 
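Review bot: The sizing table in mcc-prerequisites.md has a gap and a placeholder. Its rows cover `< 5G Peak`, `10 - 20G Peak` and `20 - 40G Peak`, so a deployment between 5G and 10G has no row, and `Hardware (sample hardware spec) with 32 cores, 64 GB memory, 4 - 6 SSDs 1 TB` still reads like an unfinished editing note; either add the missing band and a concrete spec or state that anything above 5G and up to 10G should use the 16-core row. Two metadata points in the same two hunks: mcc-prerequisites.md uses `author: amyzhou` while get-azure-subscription.md and the other new pages pair `author: amymzhou` with `ms.author: amyzhou`, and both includes set `ms.prod: w10` while the index.yml change in this PR moves that folder to `ms.prod: windows-client`; align them so the includes do not carry a different product tag from the pages that consume them. Both include files also end without a trailing newline.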
@@ -6,12 +6,10 @@ summary: Set up peer to peer downloads for Windows Updates and learn about Micro metadata: title: Delivery Optimization # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about using peer to peer downloads on Windows clients and learn about Microsoft Connected Cache. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-updates ms.collection: - - windows-10 - highpri author: aczechowski ms.author: aaroncz @@ -69,8 +67,8 @@ landingContent: linkLists: - linkListType: deploy links: - - text: MCC for Enterprise and Education (Private Preview) - url: mcc-enterprise.md + - text: MCC for Enterprise and Education (early preview) + url: waas-microsoft-connected-cache.md - text: Sign up url: https://aka.ms/MSConnectedCacheSignup @@ -79,10 +77,13 @@ landingContent: linkLists: - linkListType: deploy links: - - text: MCC for ISPs (Private Preview) - url: mcc-isp.md + - text: MCC for ISPs (public preview) + url: mcc-isp-signup.md - text: Sign up - url: https://aka.ms/MSConnectedCacheSignup + url: https://aka.ms/MCCForISPSurvey + - text: MCC for ISPs (early preview) + url: mcc-isp.md + # Card (optional) - title: Resources diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md new file mode 100644 index 0000000000..83d2df61da --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-appendix.md 
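Review bot: The Enterprise and Education card in index.yml still links only `waas-microsoft-connected-cache.md`, but this PR adds mcc-enterprise-deploy.md and mcc-enterprise-appendix.md and neither appears in the landing page linkList; add them to the same `deploy` list (or confirm that the overview page links through to them) so the deployment steps and troubleshooting appendix are reachable from the hub. Minor: the Enterprise entry was changed from `(Private Preview)` to `(early preview)`, while the ISP card now carries both an `(public preview)` entry pointing at mcc-isp-signup.md and an `(early preview)` entry pointing at mcc-isp.md with a different sign-up URL; one sentence saying which path a new ISP should follow would avoid readers signing up through the wrong survey.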
@@ -0,0 +1,117 @@ +--- +title: Appendix +manager: aaroncz +description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: w10 +author: amymzhou +ms.author: amyzhou +ms.localizationpriority: medium +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Appendix + +## Diagnostics Script + +If you're having issues with your MCC, we included a diagnostics script. The script collects all your logs and zips them into a single file. You can then send us these logs via email for the MCC team to debug. + +To run this script: + +1. Navigate to the following folder in the MCC installation files: + + mccinstaller > Eflow > Diagnostics + +1. Run the following commands: + + ```powershell + Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process + .\collectMccDiagnostics.ps1 + ``` + +1. The script stores all the debug files into a folder and then creates a tar file. After the script is finished running, it will output the path of the tar file, which you can share with us. The location should be **\**\mccdiagnostics\support_bundle_\$timestamp.tar.gz + +1. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process. + +## Steps to obtain an Azure Subscription ID + + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] + +## Troubleshooting + +If you're not able to sign up for a Microsoft Azure subscription with the error: **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** See [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). 
+ +Also see [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). + +## IoT Edge runtime + +The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. +The runtime sits on the IoT Edge device, and performs management and +communication operations. The runtime performs several functions: + +- Installs and update workloads (Docker containers) on the device. +- Maintains Azure IoT Edge security standards on the device. +- Ensures that IoT Edge modules (Docker containers) are always running. +- Reports module (Docker containers) health to the cloud for remote monitoring. +- Manages communication between an IoT Edge device and the cloud. + +For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). + +## EFLOW + +- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows) +- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge) +- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions) +- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow) +- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers) + +## Routing local Windows Clients to an MCC + +### Get the IP address of your MCC using ifconfig + +There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC. + +#### Registry Key + +You can either set your MCC IP address or FQDN using: + +1. Registry Key (version 1709 and later): + `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization` +
+ "DOCacheHost"=" " + + From an elevated command prompt: + + ``` + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f + ``` + +1. MDM Path (version 1809 and later): + + `.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost` + +1. In Windows (release version 1809 and later), you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the MCC using Group Policy, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. Set the **Cache Server Hostname** to the IP address of your MCC, such as `10.137.187.38`. + + :::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png"::: + + +**Verify Content using the DO Client** + +To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: + +1. Download a game or application from the Microsoft Store. + + :::image type="content" source="./images/ent-mcc-store-example-download.png" alt-text="Screenshot of the Microsoft Store with the game, Angry Birds 2, selected."::: + + +1. Verify downloads came from MCC by one of two methods: + + - Using the PowerShell Cmdlet Get-DeliveryOptimizationStatus you should see *BytesFromCacheServer*. + + :::image type="content" source="./images/ent-mcc-get-deliveryoptimizationstatus.png" alt-text="Screenshot of the output of Get-DeliveryOptimization | FT from PowerShell." lightbox="./images/ent-mcc-get-deliveryoptimizationstatus.png"::: + + - Using the Delivery Optimization Activity Monitor + + :::image type="content" source="./images/ent-mcc-delivery-optimization-activity.png" alt-text="Screenshot of the Delivery Optimization Activity Monitor."::: + 
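Review bot: The diagnostics output path in mcc-enterprise-appendix.md is broken: `The location should be **\**\mccdiagnostics\support_bundle_\$timestamp.tar.gz` appears to have lost the placeholder for the installer directory, leaving an empty bold marker, so readers cannot tell where the bundle is written; put the placeholder in code font and tie it to the `mccinstaller > Eflow > Diagnostics` folder named in step 1. Because the bundle is meant to be emailed to the MCC team, the section should also say what `collectMccDiagnostics.ps1` gathers (logs only, or configuration as well) so an operator can review it for internal addresses and subscription IDs before sending it outside the organisation. Further items in the same hunk: the heading `### Get the IP address of your MCC using ifconfig` has no body and is followed directly by the policy-method text, so either add the ifconfig step or drop the heading; `"DOCacheHost"=" "` is shown with an empty value while the `reg add` line below uses `10.137.187.38`, so fill in the sample or remove the bare line; the alt text `output of Get-DeliveryOptimization | FT` should name the cmdlet the text actually uses, `Get-DeliveryOptimizationStatus`; and the typos `Installs and update workloads` and `during out debugging process` should read `updates` and `our`.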
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md new file mode 100644 index 0000000000..74ef198811 --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-deploy.md 
@@ -0,0 +1,325 @@ +--- +title: Deploying your cache node +manager: dougeby +description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node +ms.prod: w10 +author: amymzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Deploying your cache node + +**Applies to** + +- Windows 10 +- Windows 11 + +## Steps to deploy MCC + +To deploy MCC to your server: + +1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id) +1. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) +1. [Create an MCC Node](#create-an-mcc-node-in-azure) +1. [Edit Cache Node Information](#edit-cache-node-information) +1. [Install MCC on a physical server or VM](#install-mcc-on-windows) +1. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server) +1. [Review common Issues](#common-issues) if needed. + +For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) + +### Provide Microsoft with the Azure Subscription ID + +As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. + +> [!IMPORTANT] +> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. + +For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id). + +### Create the MCC resource in Azure + +The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. 
+ +Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below. + +1. In the Azure portal home page, choose **Create a resource**: + :::image type="content" source="./images/ent-mcc-create-azure-resource.png" alt-text="Screenshot of the Azure portal. The create a resource option is outlined in red."::: + +1. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results. + + > [!NOTE] + > You won't see Microsoft Connected Cache in the drop-down list. You'll need to type the string and press enter to see the result. + +1. Select **Microsoft Connected Cache Enterprise** and choose **Create** on the next screen to start the process of creating the MCC resource. + + :::image type="content" source="./images/ent-mcc-azure-search-result.png" alt-text="Screenshot of the Azure portal search results for Microsoft Connected Cache."::: + :::image type="content" source="./images/ent-mcc-azure-marketplace.png" alt-text="Screenshot of Microsoft Connected Cache Enterprise within the Azure Marketplace."::: + +1. Fill in the required fields to create the MCC resource. + + - Choose the subscription that you provided to Microsoft. + - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group. + - Choose **(US) West US** for the location of the resource. This choice won't impact MCC if the physical location isn't in the West US, it's just a limitation of the preview. + + > [!IMPORTANT] + > Your MCC resource will not be created properly if you do not select **(US) West US** + + - Choose a name for the MCC resource. + - Your MCC resource must not contain the word **Microsoft** in it. + + :::image type="content" source="./images/ent-mcc-azure-create-connected-cache.png" alt-text="Screenshot of the Create a Connected Cache page within the Azure Marketplace."::: + +1. 
Once all the information has been entered, select the **Review + Create** button. Once validation is complete, select the **Create** button to start the + resource creation. + + :::image type="content" source="./images/ent-mcc-azure-cache-created.png" alt-text="Screenshot of the completed cache deployment within the Azure." lightbox="./images/ent-mcc-azure-cache-created.png"::: + +#### Error: Validation failed + +- If you get a Validation failed error message on your portal, it's likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**. + - To resolve this error, go to the previous step and choose **(US) West US**. + + :::image type="content" source="./images/ent-mcc-create-cache-failed.png" alt-text="Screenshot of a failed cache deployment due to an incorrect location."::: + +### Create an MCC node in Azure + +Creating an MCC node is a multi-step process and the first step is to access the MCC early preview management portal. + +1. After the successful resource creation, select **Go to resource**. +1. Under **Cache Node Management** section on the leftmost panel, select **Cache Nodes**. + + :::image type="content" source="./images/ent-mcc-cache-nodes.png" alt-text="Screenshot of the Cache Node Management section with the navigation link to the Cache Nodes page outlined in red."::: + +1. On the **Cache Nodes** blade, select the **Create Cache Node** button. + + :::image type="content" source="./images/ent-mcc-create-cache-node.png" alt-text="Screenshot of the Cache Nodes page with the Create Cache Node option outlined in red."::: + +1. Selecting the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation. + + | **Field Name**| **Expected Value**|**Description** | + |---|---|---| + | **Cache Node Name** | Alphanumeric name that doesn't include any spaces. | The name of the cache node. 
You may choose names based on location such as `Seattle-1`. This name must be unique and can't be changed later. | + +1. Enter the information for the **Cache Node** and select the **Create** button. + + :::image type="content" source="./images/ent-mcc-create-cache-node-name.png" alt-text="Screenshot of the Cache Nodes page displaying the Cache Node Name text entry during the creation process."::: + +If there are errors, the form will provide guidance on how to correct the errors. + +Once the MCC node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-mcc-on-windows) section. + +:::image type="content" source="./images/ent-mcc-connected-cache-installer-download.png" alt-text="Screenshot of the Connected Cache installer download button, installer instructions, and script."::: + +#### Edit cache node information + +Cache nodes can be deleted here by selecting the check box to the left of a **Cache Node Name** and then selecting the delete toolbar item. Be aware that if a cache node is deleted, there's no way to recover the cache node or any of the information related to the cache node. + +:::image type="content" source="./images/ent-mcc-delete-cache-node.png" alt-text="Screenshot of deleting a cache node from the Cache Nodes page."::: + +### Install MCC on Windows + +Installing MCC on your Windows device is a simple process. A PowerShell script performs the following tasks: + +- Installs the Azure CLI +- Downloads, installs, and deploys EFLOW +- Enables Microsoft Update so EFLOW can stay up to date +- Creates a virtual machine +- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications. +- Configures Connected Cache tuning settings. +- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge. +- Deploys the MCC container to server. 
+ +#### Run the installer + +1. Download and unzip `mccinstaller.zip` from the create cache node page or cache node configuration page, both of which contain the necessary installation files. + + :::image type="content" source="./images/ent-mcc-download-installer.png" alt-text="Screenshot of the download installer option on the Create Cache Node page."::: + + The following files are contained in the `mccinstaller.zip` file: + + - **installmcc.ps1**: Main installer file. + - **installEflow.ps1**: Installs the necessary prerequisites such as the Linux VM, IoT Edge runtime, and Docker, and makes necessary host OS settings to optimize caching performance. + - **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support MCC control plane. + - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container, such as cache drive location sizes. + - **updatemcc.ps1**: The update script used to upgrade MCC to a particular version. + - **mccupdate.json**: Used as part of the update script + +1. Open Windows PowerShell as administrator then navigate to the location of these files. + + > [!NOTE] + > Ensure that Hyper-V is enabled on your device. + > - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) + > - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)' + > + > Don't use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported. + +#### If you're installing MCC on a local virtual machine + +1. Turn the virtual machine **off** while you enable nested virtualization and MAC spoofing. + 1. Enable nested virtualization: + + ```powershell + Set -VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true + ``` + + 1. 
Enable MAC spoofing: + + ```powershell + Get-VMNetworkAdapter -VMName "VM name" | Set-VMNetworkAdapter -MacAddressSpoofing On + ``` + +1. Set the execution policy. + + ```powershell + Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process + ``` + + > [!NOTE] + > After setting the execution policy, you'll see a warning asking if you wish to change the execution policy. Choose **[A] Yes to All**. + +1. Copy the command from the Azure portal and run it in Windows PowerShell. + + :::image type="content" source="./images/ent-mcc-installer-script.png" alt-text="Screenshot of the installer script for the connected cache node."::: + + > [!NOTE] + > After running the command, and multiple times throughout the installation process, you'll receive the following notice. Select **[R] Run once** to proceed. + >
+ >
Security warning + >
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\Users\mccinstaller\Eflow\installmcc.ps1? + >
+ >
[D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"): + +1. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch. + + > [!NOTE] + > Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted. + + If you restarted your computer after creating a switch, start from Step 2 above and skip step 5. + + :::image type="content" source="./images/ent-mcc-script-new-switch.png" alt-text="Screenshot of the installer script running in PowerShell when a new switch is created." lightbox="./images/ent-mcc-script-new-switch.png"::: + +1. Rerun the script after the restart. This time, choose **No** when asked to create a new switch. Enter the number corresponding to the switch you previously created. + + :::image type="content" source="./images/ent-mcc-script-existing-switch.png" alt-text="Screenshot of the installer script running in PowerShell when using an existing switch." lightbox="./images/ent-mcc-script-existing-switch.png"::: + +1. Decide whether you would like to use dynamic or static address for the Eflow VM + + :::image type="content" source="./images/ent-mcc-script-dynamic-address.png" alt-text="Screenshot of the installer script running in PowerShell asking if you'd like to use a dynamic address." lightbox="./images/ent-mcc-script-dynamic-address.png"::: + + > [!NOTE] + > Choosing a dynamic IP address might assign a different IP address when the MCC restarts. A static IP address is recommended so you don't have to change this value in your management solution when MCC restarts. + +1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. 
For this example, we chose the default values for all prompts. + +1. Follow the Azure Device Login link and sign into the Azure portal. + + :::image type="content" source="./images/ent-mcc-script-device-code.png" alt-text="Screenshot of the installer script running in PowerShell displaying the code and URL to use for the Azure portal." lightbox="./images/ent-mcc-script-device-code.png"::: + +1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub. + + 1. You'll be shown a list of existing IoT Hubs in your Azure Subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"** + + :::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png"::: + :::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png"::: + + +1. Your MCC deployment is now complete. + + 1. If you don't see any errors, continue to the next section to validate your MCC deployment. + 1. After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC. + 1. If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article. + +## Verify proper functioning MCC server + +#### Verify Client Side + +Connect to the EFLOW VM and check if MCC is properly running: + +1. Open PowerShell as an Administrator. +2. 
Enter the following commands: + + ```powershell + Connect-EflowVm + sudo -s + iotedge list + ``` + + :::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png"::: + +You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy. + +#### Verify server side + +For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. + +```powershell +wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com] +``` + +A successful test result will display a status code of 200 along with additional information. + +:::image type="content" source="./images/ent-mcc-verify-server-ssh.png" alt-text="Screenshot of a successful wget with an SSH client." lightbox="./images/ent-mcc-verify-server-ssh.png"::: + + :::image type="content" source="./images/ent-mcc-verify-server-powershell.png" alt-text="Screenshot of a successful wget using PowerShell." lightbox="./images/ent-mcc-verify-server-powershell.png"::: + +Similarly, enter the following URL from a browser in the network: + +`http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com` + +If the test fails, see the [common issues](#common-issues) section for more information. 
+ +### Intune (or other management software) configuration for MCC + +For an [Intune](/mem/intune/) deployment, create a **Configuration Profile** and include the Cache Host eFlow IP Address or FQDN: + +:::image type="content" source="./images/ent-mcc-intune-do.png" alt-text="Screenshot of Intune showing the Delivery Optimization cache server host names."::: + +## Common Issues + +#### PowerShell issues + +If you're seeing errors similar to this error: `The term Get- isn't recognized as the name of a cmdlet, function, script file, or operable program.` + +1. Ensure you're running Windows PowerShell version 5.x. + +1. Run \$PSVersionTable and ensure you're running version 5.x and *not version 6 or 7*. + +1. Ensure you have Hyper-V enabled: + + **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) + + **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) + +#### Verify Running MCC Container + +Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands: + +```bash +Connect-EflowVm +sudo iotedge list +``` + +:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png"::: + +If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager using the command: + +```bash +sudo journalctl -u iotedge -f +``` + +For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start. + +:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." 
lightbox="./images/ent-mcc-journalctl.png"::: + +Use this command to check the IoT Edge Journal + +```bash +sudo journalctl -u iotedge -f +``` + +> [!NOTE] +> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation. diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md new file mode 100644 index 0000000000..705448742b --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md 
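Review bot: in the "Verify server side" step of this hunk the validation command has lost its host placeholder and wraps the URL in literal square brackets, so `wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]` and the browser URL `http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com` cannot be copied and run; the sentence "Replace with the IP address of the cache server" is also missing the token it refers to (an angle-bracket placeholder was most likely stripped as markup). Suggest `wget "http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com"` and a sentence noting that in Windows PowerShell 5 `wget` is an alias of `Invoke-WebRequest` while inside the EFLOW VM it is GNU wget, since the fence is tagged powershell but the text says the command works from either place. The same stripping hit the PowerShell troubleshooting example, which now reads `The term Get- isn't recognized as the name of a cmdlet` with the cmdlet name gone. Smaller points: the "Verify Running MCC Container" fence is tagged bash although its first line `Connect-EflowVm` is a Windows PowerShell cmdlet; `sudo journalctl -u iotedge -f` is shown twice in a row ("Use this command to check the IoT Edge Journal" repeats the command just explained); every step is numbered `1.`, so "start from Step 2 above and skip step 5" has no stable referent and should name the steps instead; and where the reader is told to answer "[R] Run once" to the warning for `C:\Users\mccinstaller\Eflow\installmcc.ps1`, add that they should check the path is the installer they downloaded and unzipped before accepting.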
@@ -0,0 +1,53 @@ +--- +title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education +manager: dougeby +description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: w10 +author: amymzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Requirements of Microsoft Connected Cache for Enterprise and Education (early preview) + +**Applies to** + +- Windows 10 +- Windows 11 + +## Enterprise requirements for MCC + +1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services. + + Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). + + The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions. + +2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. 
+ + **EFLOW Requires Hyper-V support** + - On Windows client, enable the Hyper-V feature + - On Windows Server, install the Hyper-V role and create a default network switch + + Disk recommendations: + - Using an SSD is recommended as cache read speed of SSD is superior to HDD + + NIC requirements: + - Multiple NICs on a single MCC instance aren't supported. + - 1 Gbps NIC is the minimum speed recommended but any NIC is supported. + - For best performance, NIC and BIOS should support SR-IOV + + VM networking: + - An external virtual switch to support outbound and inbound network communication (created during the installation process) + +## Sizing recommendations + +| Component | Branch Office / Small Enterprise | Large Enterprise | +| -- | --- | --- | +| OS| Windows Server 2019*/2022
Windows 10*/11 (Pro or Enterprise) with Hyper-V Support

* Windows 10 and Windows Server 2019 build 17763 or later | Same | +|NIC | 1 Gbps | 5 Gbps | +|Disk | SSD
1 drive
50 GB each |SSD
1 drive
200 GB each | +|Memory | 4 GB | 8 GB | +|Cores | 4 | 8 | diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md new file mode 100644 index 0000000000..60d0df68e3 --- /dev/null +++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md @@ -0,0 +1,45 @@ +--- +title: Update or uninstall Microsoft Connected Cache for Enterprise and Education +manager: dougeby +description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: w10 +author: amymzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- +# Update or uninstall Microsoft Connected Cache for Enterprise and Education + +Throughout the preview phase, we'll send you security and feature updates for MCC. Follow these steps to perform the update. + +## Update MCC + +Run the following command with the **arguments** we provided in the email to update your MCC: + +```powershell +# .\updatemcc.ps1 version="**\**" tenantid="**\**" customerid="**\**" cachenodeid="**\**" customerkey="**\**" +``` + +For example: + +```powershell +# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a" +``` + +## Uninstall MCC + +Please contact the MCC Team before uninstalling to let us know if you're facing issues. + +This script will remove the following items: + +1. EFLOW + Linux VM +1. IoT Edge +1. Edge Agent +1. Edge Hub +1. MCC +1. Moby CLI +1. Moby Engine + +To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT +Edge LTS \> Uninstall diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md deleted file mode 100644 index 2063ed9e6c..0000000000 
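Review bot: the front matter of mcc-enterprise-prerequisites.md sets `ms.prod: w10` and omits `ms.technology`, while the page it replaces (mcc-enterprise.md, deleted later in this change) carried `ms.prod: windows-client` and `ms.technology: itpro-updates`; unless the move to `w10` is intentional, carry those two values over so the page stays in the same product taxonomy. The title says "(early preview)" where the deleted page said "(private preview)" and the update page says "preview phase"; pick one term. In the sizing table the OS cell holds three lines plus a footnote (`Windows Server 2019*/2022`, `Windows 10*/11 (Pro or Enterprise) with Hyper-V Support`, `* Windows 10 and Windows Server 2019 build 17763 or later`); bare newlines inside a Markdown table cell break the row, so confirm the source uses explicit `<br>` tags, and consider moving the footnote under the table. "1 drive / 50 GB each" reads oddly for a single drive; "1 SSD, 50 GB" is clearer. Finally, the hardware paragraph says the recommended configuration sustains 6.5 Gbps for roughly 35000 devices, but the Large Enterprise NIC row recommends 5 Gbps; if 6.5 Gbps is what that configuration is expected to push, the NIC figure should be at least that, or the throughput claim should be tied to the 5 Gbps column explicitly.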
--- a/windows/deployment/do/mcc-enterprise.md +++ /dev/null 
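Review bot: in mcc-enterprise-update-uninstall.md both `updatemcc.ps1` invocations sit inside a powershell fence but start with `#`, so they render as comments, and the first one's `"**\**"` placeholders are literal Markdown inside a code block; drop the leading `#` and use plain placeholders such as `.\updatemcc.ps1 version="<version>" tenantid="<tenantid>" customerid="<customerid>" cachenodeid="<cachenodeid>" customerkey="<customerkey>"`. Because `customerkey` is a secret delivered by email and passed on the command line, a one-line caveat is warranted: the command line is kept in PowerShell's PSReadLine history file and can be captured by process-creation auditing, so readers should run it in a session with history disabled or clear the history afterward. The sample `cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 "` has spaces inside the quotes that a reader may copy; trim them. The "Uninstall MCC" section says "This script will remove the following items" but names no script; the procedure that follows is Control Panel > Uninstall a program > Azure IoT Edge LTS > Uninstall, so either name the script or reword to "Uninstalling Azure IoT Edge LTS removes the following items".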
@@ -1,545 +0,0 @@ ---- -title: Microsoft Connected Cache for Enterprise and Education (private preview) -manager: dougeby -description: Details on Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: windows-client -author: carmenf -ms.localizationpriority: medium -ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.technology: itpro-updates ---- - -# Microsoft Connected Cache for Enterprise and Education (private preview) - -**Applies to** - -- Windows 10 -- Windows 11 - -## Overview - -> [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). - -Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many physical servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying a client policy using your management tool, such as [Intune](/mem/intune/). - -MCC is a hybrid (a mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module; it's a Docker compatible Linux container that is deployed to your Windows devices. IoT Edge for Linux on Windows (EFLOW) was chosen because it's a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. 
- -Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container, deployment, and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs the following important functions to manage MCC on your edge device: - -1. Installs and updates MCC on your edge device. -2. Maintains Azure IoT Edge security standards on your edge device. -3. Ensures that MCC is always running. -4. Reports MCC health and usage to the cloud for remote monitoring. - -To deploy a functional MCC to your device, you must obtain the necessary keys that will provision the Connected Cache instance to communicate with Delivery Optimization services and enable the device to cache and deliver content. See [figure 1](#fig1) below for a summary of the architecture of MCC, built using IoT Edge. - -For more information about Azure IoT Edge, see [What is Azure IoT Edge](/azure/iot-edge/about-iot-edge). - -## How MCC works - -The following steps describe how MCC is provisioned and used. - -1. The Azure Management Portal is used to create MCC nodes. -2. The MCC container is deployed and provisioned to a server using the installer provided in the portal. -3. Client policy is configured in your management solution to point to the IP address or FQDN of the cache server. -4. Microsoft end-user devices make range requests for content from the MCC node. -5. An MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers content to the client. -6. Subsequent requests from end-user devices for content come from the cache. - -If an MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. - - - -![eMCC img01](images/emcc01.png) - -Figure 1: **MCC processes**. Each number in the diagram corresponds to the steps described above. - - -## Enterprise requirements for MCC - -1. 
**Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services. - - Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you do not have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). - - The resources used for the preview and in the future when this product is ready for production will be completely free to you, like other caching solutions. - -2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. - - **EFLOW Requires Hyper-V support** - - On Windows client, enable the Hyper-V feature - - On Windows Server, install the Hyper-V role and create a default network switch - - Disk recommendations: - - Using an SSD is recommended as cache read speed of SSD is superior to HDD - - NIC requirements: - - Multiple NICs on a single MCC instance aren't supported. - - 1 Gbps NIC is the minimum speed recommended but any NIC is supported. - - For best performance, NIC and BIOS should support SR-IOV - - VM networking: - - An external virtual switch to support outbound and inbound network communication (created during the installation process) - -### Sizing recommendations - -| Component | Branch Office / Small Enterprise | Large Enterprise | -| -- | --- | --- | -| OS| Windows Server 2019*/2022
Windows 10*/11 (Pro or Enterprise) with Hyper-V Support

* Windows 10 and Windows Server 2019 build 17763 or later | Same | -|NIC | 1 Gbps | 5 Gbps | -|Disk | SSD
1 drive
50GB each |SSD
1 drive
200GB each | -|Memory | 4GB | 8GB | -|Cores | 4 | 8 | - -## Steps to deploy MCC - -To deploy MCC to your server: - -1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id) -2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) -3. [Create an MCC Node](#create-an-mcc-node-in-azure) -4. [Edit Cache Node Information](#edit-cache-node-information) -5. [Install MCC on a physical server or VM](#install-mcc-on-windows) -6. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server) -7. [Review common Issues](#common-issues) if needed. - -For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) - -### Provide Microsoft with the Azure Subscription ID - -As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. - -> [!IMPORTANT] -> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. - -For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](#steps-to-obtain-an-azure-subscription-id). - -### Create the MCC resource in Azure - -The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. - -Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you will be given a link to the Azure portal where you can create the resource described below. - -1. On the Azure portal home page, choose **Create a resource**: - ![eMCC img02](images/emcc02.png) - -2. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results. 
- -> [!NOTE] -> You'll not see Microsoft Connected Cache in the drop-down list. You need to type it and press enter to see the result. - -3. Select **Microsoft Connected Cache** and choose **Create** on the next screen to start the process of creating the MCC resource. - - ![eMCC img03](images/emcc03.png) - ![eMCC img04](images/emcc04.png) - -4. Fill in the required fields to create the MCC resource. - - - Choose the subscription that you provided to Microsoft. - - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group. - - Choose **(US) West US** for the location of the resource. This choice will not impact MCC if the physical location isn't in the West US, it's just a limitation of the preview. - - > [!NOTE] - > Your MCC resource will not be created properly if you do not select **(US) West US** - - - Choose a name for the MCC resource. - - > [!NOTE] - > Your MCC resource must not contain the word **Microsoft** in it. - - ![eMCC img05](images/emcc05.png) - -5. Once all the information has been entered, click the **Review + Create** button. Once validation is complete, click the **Create** button to start the - resource creation. - - ![eMCC img06](images/emcc06.png) - -#### Error: Validation failed - -- If you get a Validation failed error message on your portal, it's likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**. -- To resolve this error, go to the previous step and choose **(US) West US**. - - ![eMCC img07](images/emcc07.png) - -### Create an MCC node in Azure - -Creating an MCC node is a multi-step process and the first step is to access the MCC private preview management portal. - -1. After the successful resource creation click on the **Go to resource**. -2. Under **Cache Node Management** section on the leftmost panel, click on **Cache Nodes**. - - ![eMCC img08](images/emcc08.png) - -3. 
On the **Cache Nodes** blade, click on the **Create Cache Node** button. - - ![eMCC img09](images/emcc09.png) - -4. Clicking the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation. - -| **Field Name** | **Expected Value** | **Description** | -|---------------------|--------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------| -| **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and cannot be changed later. | - -5. Enter the information for the **Cache Node** and click the **Create** button. - -![eMCC img9.5](images/emcc09.5.png) - -If there are errors, the form will provide guidance on how to correct the errors. - -Once the MCC node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-mcc-on-windows) section. - -![eMCC img10](images/emcc10.png) - -#### Edit cache node information - -Cache nodes can be deleted here by clicking the check box to the left of a **Cache Node Name** and then clicking the delete toolbar item. Be aware that if a cache node is deleted, there is no way to recover the cache node or any of the information related to the cache node. - -![eMCC img11](images/emcc11.png) - -### Install MCC on Windows - -Installing MCC on your Windows device is a simple process. A PowerShell script performs the following tasks: - - - Installs the Azure CLI - - Downloads, installs, and deploys EFLOW - - Enables Microsoft Update so EFLOW can stay up to date - - Creates a virtual machine - - Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. 
Port 80 is used by MCC, and port 22 is used for SSH communications. - - Configures Connected Cache tuning settings. - - Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge. - - Deploys the MCC container to server. - -#### Run the installer - -1. Download and unzip mccinstaller.zip from the create cache node page or cache node configuration page which contains the necessary installation files. - - ![eMCC img12](images/emcc12.png) - -Files contained in the mccinstaller.zip file: - - - **installmcc.ps1**: Main installer file. - - **installEflow.ps1**: Installs the necessary prerequisites such as the Linux VM, IoT Edge runtime, and Docker, and makes necessary host OS settings to optimize caching performance. - - **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support MCC control plane. - - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container, such as cache drive location sizes. - - **updatemcc.ps1**: The update script used to upgrade MCC to a particular version. - - **mccupdate.json**: Used as part of the update script - -1. Open Windows PowerShell as administrator and navigate to the location of these files. - -> [!NOTE] -> Ensure that Hyper-V is enabled on your device. -> Do not use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported. - - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) - - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) - -#### If you're installing MCC on a local virtual machine: - -1. Enable Nested Virtualization - - ```powershell - Set-VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true - ``` -2. 
Enable Mac Spoofing - ```powershell - Get-VMNetworkAdapter -VMName "VM name" | Set-VMNetworkAdapter -MacAddressSpoofing On - ``` - **Virtual machine should be in the OFF state while enabling Nested Virtualization and Mac Spoofing** - -3. Set the execution policy - - ```powershell - Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process - ``` - > [!NOTE] - > After setting the execution policy, you'll see a warning asking if you wish to change the execution policy. Choose **[A] Yes to All**. - -4. Copy the command from the portal and run it in Windows PowerShell - - ![eMCC img13](images/emcc13.png) - - > [!NOTE] - > After running the command, and multiple times throughout the installation process, you'll receive the following notice. **Please select [R] Run once to proceed**. - >
- >
Security warning - >
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\\Users\\mccinstaller\\Eflow\\installmcc.ps1? - >
- >
[D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"): - -3. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch. - - > [!NOTE] - > Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted. - - If you restarted your computer after creating a switch, start from Step 2 above and skip step 5. - - ![eMCC img14](images/emcc14.png) - -4. Re-run the script after the restart. This time, choose **No** when asked to create a new switch. Enter the number corresponding to the switch you previously created. - - ![eMCC img15](images/emcc15.png) - -5. Decide whether you would like to use dynamic or static address for the Eflow VM - - ![eMCC img16](images/emcc16.png) - - > [!NOTE] - > Choosing a dynamic IP address might assign a different IP address when the MCC restarts. - >
A static IP address is recommended so you do not have to change this value in your management solution when MCC restarts. - -6. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and cores you would like to allocate for the VM. In this example, we chose the default values for all prompts. - -7. Follow the Azure Device Login link and sign into the Azure portal. - - ![eMCC img17](images/emcc17.png) - -8. If this is your first MCC deployment, please select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub. - - 1. You'll be shown a list of existing IoT Hubs in your Azure Subscription; Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter “1”** - - ![eMCC img18](images/emcc18.png) - ![eMCC img19](images/emcc19.png) - -9. Your MCC deployment is now complete. - - 1. If you do not see any errors, please continue to the next section to validate your MCC deployment. - 2. After validating your MCC is properly functional, please review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC. - 3. If you had errors during your deployment, see the [Troubleshooting](#troubleshooting) section in this article. - -### Verify proper functioning MCC server - -#### Verify Client Side - -Connect to the EFLOW VM and check if MCC is properly running: - -1. Open PowerShell as an Administrator -2. Enter the following commands: - -```powershell -Connect-EflowVm -sudo -s -iotedge list -``` - -![eMCC img20](images/emcc20.png) - -You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, please try this command in a few minutes. 
The MCC container can take a few minutes to deploy - -#### Verify server side - -For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. - -```powershell -wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com] -``` - -A successful test result will look like this: - -![eMCC img21](images/emcc21.png) - -OR - -![eMCC img22](images/emcc22.png) - -Similarly, enter this URL from a browser in the network: - -[http://YourCacheServerIP/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]() - -If the test fails, see the common issues section for more information. - -### Intune (or other management software) configuration for MCC - -For an Intune deployment, create a Configuration Profile and include the Cache Host eFlow IP Address or FQDN: - -![eMCC img23](images/emcc23.png) - -### Common Issues - -#### PowerShell issues - -If you're seeing errors similar to this: “The term ‘Get-Something’ isn't recognized as the name of a cmdlet, function, script file, or operable program.” - -1. Ensure you're running Windows PowerShell version 5.x. - -2. Run \$PSVersionTable and ensure you’re running version 5.x and *not version 6 or 7*. - -3. 
Ensure you have Hyper-V enabled: - - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v) - - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server) - -#### Verify Running MCC Container - -Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands: - -```bash -Connect-EflowVm -sudo iotedge list​ -``` - -![eMCC img24](images/emcc24.png) - -If edgeAgent and edgeHub containers are listed, but not “MCC”, you may view the status of the IoT Edge security manager using the command: - -```bash -sudo journalctl -u iotedge -f -``` - -For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start as is shown in the sample below: - -![eMCC img25](images/emcc25.png) - -Use this command to check the IoT Edge Journal - -```bash -sudo journalctl -u iotedge –f -``` - -Please note: You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we have listed a few issues below that we hit during our internal validation. - -## Diagnostics Script - -If you're having issues with your MCC, we included a diagnostics script which will collect all your logs and zip them into a single file. You can then send us these logs via email for the MCC team to debug. - -To run this script: - -1. Navigate to the following folder in the MCC installation files: - - mccinstaller \> Eflow \> Diagnostics - -2. Run the following commands: - -```powershell -Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -.\collectMccDiagnostics.ps1 -``` - -3. The script stores all the debug files into a folder and then creates a tar file. 
After the script is finished running, it will output the path of the tar file which you can share with us (should be “**\**\\mccdiagnostics\\support_bundle_\$timestamp.tar.gz”) - -4. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process. - -## Update MCC - -Throughout the private preview phase, we will send you security and feature updates for MCC. Please follow these steps to perform the update. - -Run the following command with the **arguments** we provided in the email to update your MCC: - -```powershell -# .\updatemcc.ps1 version="**\**" tenantid="**\**" customerid="**\**" cachenodeid="**\**" customerkey="**\**" -``` -For example: -```powershell -# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a” -``` - -## Uninstall MCC - -Please contact the MCC Team before uninstalling to let us know if you're facing -issues. - -This script will remove the following: - -1. EFLOW + Linux VM -2. IoT Edge -3. Edge Agent -4. Edge Hub -5. MCC -6. Moby CLI -7. Moby Engine - -To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT -Edge LTS \> Uninstall - -## Appendix - -### Steps to obtain an Azure Subscription ID - -1. Sign in to https://portal.azure.com/ and navigate to the Azure services section. -2. Click on **Subscriptions**. If you do not see **Subscriptions**, click on the **More Services** arrow and search for **Subscriptions**. -3. If you already have an Azure Subscription, skip to step 5. If you do not have an Azure Subscription, select **+ Add** on the top left. -4. 
Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. -5. On the **Subscriptions** blade, you'll find details about your current subscription. Click on the subscription name. -6. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Click on the **Copy to clipboard** icon next to your Subscription ID to copy the value. - -### Troubleshooting - -If you’re not able to sign up for a Microsoft Azure subscription with the error: **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** See [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). - -Also see [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). - -### IoT Edge runtime - -The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. -The runtime sits on the IoT Edge device, and performs management and -communication operations. The runtime performs several functions: - -- Installs and update workloads (Docker containers) on the device. -- Maintains Azure IoT Edge security standards on the device. -- Ensures that IoT Edge modules (Docker containers) are always running. -- Reports module (Docker containers) health to the cloud for remote monitoring. -- Manages communication between an IoT Edge device and the cloud. - -For more information on Azure IoT Edge, please see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). 
- -### EFLOW - -- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows) -- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge) -- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions) -- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow) -- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers) - -### Routing local Windows Clients to an MCC - -#### Get the IP address of your MCC using ifconfig - -There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC. - -##### Registry Key - -You can either set your MCC IP address or FQDN using: - -1. Registry Key in 1709 and higher - - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization]
- "DOCacheHost"=" " - - From an elevated command prompt: - - ``` - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f - ``` - -2. MDM Path in 1809 or higher: - - .Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost - -3. In Windows release version 1809 and later, you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the MCC using Group Policy, set the Cache Server Hostname (Setting found under Computer Configuration, Administrative Templates, Windows Components, Delivery Optimization) to the IP address of your MCC. For example 10.137.187.38. - - ![eMCC img26](images/emcc26.png) - -**Verify Content using the DO Client** - -To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: - -1. Download a game or application from the Microsoft Store. - - ![eMCC img27](images/emcc27.png) - -2. Verify downloads came from MCC by one of two methods: - - - Using PowerShell Cmdlet Get-DeliveryOptimizationStatus you should see BytesFromCacheServer test - - ![eMCC img28](images/emcc28.png) - - - Looking at the Delivery Optimization Activity Monitor - - ![eMCC img29](images/emcc29.png) - -## Also see - -[Microsoft Connected Cache for ISPs](mcc-isp.md)
-[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md new file mode 100644 index 0000000000..ae5404b2ae --- /dev/null +++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md 
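Review bot: this hunk deletes the only client-side configuration and verification guidance in the set, namely pointing Delivery Optimization clients at a cache node via the registry (`reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f`), the MDM path `.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost`, the Group Policy **DOCacheHost** setting, and the `Get-DeliveryOptimizationStatus` BytesFromCacheServer check. None of the new mcc-isp-* files added in this patch cover these steps (they route by CIDR block or BGP instead), so confirm that whatever page replaces this one still carries them before the deletion lands; otherwise enterprise readers lose the instructions for making clients use the cache at all. The removed Diagnostics and Update sections also carried `Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process` and a command line embedding `customerkey`; if any of that is re-homed, it should be `-ExecutionPolicy Bypass -Scope Process` and a reminder that the key is a credential.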
@@ -0,0 +1,43 @@ +--- +title: Cache node configuration +manager: aaroncz +description: Configuring a cache node on Azure portal +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Cache node configuration + +All cache node configuration will take place within Azure portal. This article outlines all of the settings that you'll be able to configure. + +## Settings + +| Field Name | Expected Value| Description | +| -- | --- | --- | +| **Cache node name** | Alphanumeric string that contains no spaces | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | +| **Server IP address** | IPv4 address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. | +| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.| +| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. | + +## Storage + +| Field Name | Expected Value| Description | +| -- | --- | --- | +| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: /dev/folder/ | +| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. | + +## Client routing + +| Field Name | Expected Value| Description | +| -- | --- | --- | +| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. 
For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 | +| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. | +| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. | + diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md new file mode 100644 index 0000000000..e41c225b67 --- /dev/null +++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md 
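Review bot: the **Cache drive** example `/dev/folder/` points at the device tree rather than a mounted filesystem path, while the field is described as a "File path string"; an example under a mount point such as `/mnt/...` would match the description. The bigger issue is that all three tables in this file (Settings, Storage, Client routing) are repeated verbatim in mcc-isp-create-provision-deploy.md under "General configuration fields", "Storage fields" and "Client routing fields", and the two copies already differ (the provision page adds "Each cache drive should have read/write permissions configured."). Move the tables into an include under `includes/`, as this patch already does for `mcc-prerequisites.md` and `get-azure-subscription.md`, so they cannot drift. Also note for the **Server IP address** row that "must be publicly accessible" means the cache listens on the public internet; that is worth a sentence about restricting the port to the operator's own CIDR blocks at the edge, since the client routing section already assumes those blocks are known.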
@@ -0,0 +1,148 @@ +--- +title: Create, provision, and deploy the cache node in Azure portal +manager: aaroncz +description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: nidos +ms.localizationpriority: medium +ms.author: nidos +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Create, Configure, provision, and deploy the cache node in Azure portal + +**Applies to** + +- Windows 10 +- Windows 11 + +This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes. The creation and provisioning of your cache node takes place in Azure portal. The deployment of your cache node will require downloading an installer script that will be run on your cache server. + +> [!IMPORTANT] +> Before you can create your Microsoft Connected Cache, you will need to complete the [sign up process](mcc-isp-signup.md). You cannot proceed without signing up for our service. + +## Create cache node + +1. Open [Azure portal](https://www.portal.azure.com) and navigate to the **Microsoft Connected Cache** resource. + +1. Navigate to **Settings** > **Cache nodes** and select **Create Cache Node**. + +1. Provide a name for your cache node and select **Create** to create your cache node. + +## Configure cache node + +During the configuration of your cache node, there are many fields for you to configure your cache node. To learn more about the definitions of each field, review the [Configuration fields](#general-configuration-fields) at the bottom of this article. + +### Client routing + +Before serving traffic to your customers, client routing configuration is needed. During the configuration of your cache node in Azure portal, you'll be able to route your clients to your cache node. + +Microsoft Connected Cache offers two ways for you to route your clients to your cache node. 
The first method of manual entry involves uploading a comma-separated list of CIDR blocks that represents the clients. The second method of setting BGP (Border Gateway Protocol) is more automatic and dynamic, which is set up by establishing neighborships with other ASNs. All routing methods are set up within Azure portal. + +Once client routing and other settings are configured, your cache node will be able to download content and serve traffic to your customers. + +At this time, only IPv4 addresses are supported. IPv6 addresses aren't supported. + +#### Manual routing + +You can manually upload a list of your CIDR blocks in Azure portal to enable manual routing of your customers to your cache node. + +#### BGP routing + +BGP (Border Gateway Protocol) routing is another method offered for client routing. BGP dynamically retrieves CIDR ranges by exchanging information with routers to understand reachable networks. For an automatic method of routing traffic, you can choose to configure BGP routing in Azure portal. + +1. Navigate to **Settings** > **Cache nodes**. Select the cache node you wish to provision. + + :::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: + +1. Enter the max allowable egress that your hardware can support. + +1. Under **Cache storage**, specify the location of the cache drives to store content along with the size of the cache drives in Gigabytes. +**Note:** Up to nine cache drives are supported. + +1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing). + + - If you choose **Manual routing**, enter your address range/CIDR blocks. 
+ - If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship. + > [!NOTE] + > **Prefix count** and **IP Space** will stop displaying `0` when BGP is successfully established. + +## Deploy cache node software to server + +Once the user executes the cache server provisioning script, resources are created behind the scenes resulting in the successful cache node installation. The script takes the input of different IDs outlined below to register the server as an Azure IoT Edge device. Even though Microsoft Connected Cache scenario isn't related to IoT, Azure IoT Edge is installed for container management and communication operation purposes. + +### Components installed during provisioning + +#### IoT Edge + +IoT Edge performs several functions important to manage MCC on your edge device: + +1. Installs and updates MCC on your edge device. +1. Maintains Azure IoT Edge security standards on your edge device. +1. Ensures that MCC is always running. +1. Reports MCC health and usage to the cloud for remote monitoring. + +#### Docker container engine + +Azure IoT Edge relies on an OCI-compatible container runtime. The Moby engine is the only container engine officially supported with IoT Edge and is installed as part of the server provisioning process. + +### Components of the device provisioning script + +There are five IDs that the device provisioning script takes as input in order to successfully provision and install your cache server. The provisioning script will automatically include these keys, with no input necessary from the user. + +| ID | Description | +|---|---| +| Customer ID | A unique alphanumeric ID that the cache nodes are associated with. | +| Cache node ID | The unique alphanumeric ID of the cache node being provisioned. | +| Customer Key | The unique alphanumeric ID that provides secure authentication of the cache node to Delivery Optimization services. | +| Cache node name | The name of the cache node. 
| +| Tenant ID | The unique ID associated with the Azure account. | + +:::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal."::: + +1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server. + +1. Open a terminal window in the directory where you would like to deploy your cache node and run the following command to change the access permission to the Bash script: + + ```bash + sudo chmod +x provisionmcc.sh + ``` + +1. Copy and paste the script command line shown in the Azure portal. + +1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md). + + > [!NOTE] + > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script. + +### General configuration fields + +| Field Name | Expected Value| Description | +|---|---|---| +| **Cache node name** | Alphanumeric string that contains no spaces | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | +| **Server IP address** | IPv4 address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. 
| +| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.| +| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. | + +### Storage fields + +> [!IMPORTANT] +> All cache drives must have read/write permissions set or the cache node will not function. +> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive` + +| Field Name | Expected Value| Description | +|---|---|---| +| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. | +| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. | + +### Client routing fields + +| Field Name | Expected Value| Description | +|---|---|---| +| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 | +| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. | +| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. | diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml new file mode 100644 index 0000000000..19f6da7226 --- /dev/null +++ b/windows/deployment/do/mcc-isp-faq.yml 
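Review bot: the IMPORTANT box under "Storage fields" instructs operators to run `sudo chmod 777 /path/to/cachedrive`. A world-writable cache root on a server whose IP "must be publicly accessible" lets any local account or any process that reaches the host filesystem tamper with cached content; state the requirement as "readable and writable by the account the MCC container runs as" and show a `chown` to that account with 750 or 770 rather than 777. Two more problems in the same hunk: step 4 under "Deploy cache node software to server" is cut off ("Run the script in your server terminal for your cache node by ."), and "The provisioning script will automatically include these keys, with no input necessary from the user" contradicts the preceding "takes as input" and the table row that says the Customer Key "provides secure authentication of the cache node to Delivery Optimization services". Since the command line copied from the portal embeds `customerkey` and the per-run `registrationkey`, the note after step 4 should add that the line is a credential and will land in shell history.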
@@ -0,0 +1,83 @@ +### YamlMime:FAQ +metadata: + title: Microsoft Connected Cache Frequently Asked Questions + description: The following article is a list of frequently asked questions for Microsoft Connected Cache. + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: amymzhou + ms.author: amymzhou + manager: aaroncz + audience: ITPro + ms.collection: + - M365-security-compliance + - highpri + ms.topic: faq + ms.date: 09/30/2022 + ms.custom: seo-marvel-apr2020 +title: Microsoft Connected Cache Frequently Asked Questions +summary: | + **Applies to** + - Windows 10 + - Windows 11 + +sections: + - name: Ignored + questions: + - question: Is this product a free service? + answer: Yes. Microsoft Connected Cache is a free service. + - question: What will Microsoft Connected Cache do for me? How will it impact our customers? + answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs. + - question: Is there a non-disclosure agreement to sign? + answer: No, a non-disclosure agreement isn't required. + - question: What are the prerequisites and hardware requirements? + answer: | + - Azure subscription + - Hardware to host Microsoft Connected Cache: + + + [!INCLUDE [Microsoft Connected Cache Prerequisites](includes/mcc-prerequisites.md)] + + We have one customer who is able to achieve 40-Gbps egress rate using the following hardware specification: + - Dell PowerEdge R330 + - 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core + - 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s + - 4 - Transcend SSD230s 1 TB SATA Drives + Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) + - question: Will I need to provide hardware BareMetal server or VM? 
+ answer: Microsoft Connected Cache is a software-only caching solution and will require you to provide your own server to host the software. + - question: Can we use hard drives instead of SSDs? + answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance. + - question: Will I need to manually enter the CIDR blocks? If I have multiple cache nodes, should I configure a subset of CIDR blocks to each cache node? + answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Cache(s), you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes. + - question: Should I add any load balancing mechanism? + answer: You don't need to add any load balancing. Our service will take care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node. + - question: How many Microsoft Connected Cache instances will I need? How do we set up if we support multiple countries? + answer: As stated in the table above, the recommended configuration will achieve near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that will help you estimate the number of cache nodes needed. If your ISP spans multiple countries, you can set up separate cache nodes per country. + - question: Where should we install Microsoft Connected Cache? + answer: You are in control of your hardware and you can pick the location based on your traffic and end customers. You can choose the location where you have your routers or where you have dense traffic or any other parameters. + - question: How long would a piece of content live within the Microsoft Connected Cache? 
Is content purged from the cache? + answer: Once a request for said content is made, NGINX will look at the cache control headers from the original acquisition. If that content has expired, NGINX will continue to serve the stale content while it's downloading the new content. We cache the content for 30 days. The content will be in the hot cache path (open handles and such) for 24 hrs, but will reside on disk for 30 days. The drive fills up and nginx will start to delete content based on its own algorithm, probably some combination of least recently used. + - question: What content is cached by Microsoft Connected Cache? + answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints - Windows Deployment](delivery-optimization-endpoints.md). + - question: Does Microsoft Connected Cache support Xbox or Teams content? + answer: Currently, Microsoft Connected Cache doesn't support Xbox or Teams content. However, supporting Xbox content is of high priority, and we expect this feature soon. We'll let you know as soon as it becomes available! + - question: Is IPv6 supported? + answer: No, we don't currently support IPV6. We plan to support it in the future. + - question: Is Microsoft Connected Cache stable and reliable? + answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers. + - question: How does Microsoft Connected Cache populate its content? + answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. 
The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD. + - question: What do I do if I need more support and have more questions even after reading this FAQ page? + answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md). + - question: What CDNs will Microsoft Connected Cache pull content from? + answer: | + Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time: + + $ dig +noall +answer tlu.dl.delivery.mp.microsoft.com | grep -P "IN\tA" + + c-0001.c-msedge.net. 20 IN A 13.107.4.50 + + $ whois 13.107.4.50|grep "Organization:" + + Organization: Microsoft Corporation (MSFT) diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md new file mode 100644 index 0000000000..352d4402b4 --- /dev/null +++ b/windows/deployment/do/mcc-isp-signup.md 
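Review bot: the hardware example in "What are the prerequisites and hardware requirements?" credits the Dell PowerEdge R330 configuration with a "40-Gbps egress rate", while mcc-isp-signup.md in this same patch says the identical configuration "is able to achieve a peak egress of about 35 Gbps"; pick one figure and use it in both places, and note that two E5-2630 v3 CPUs give 32 threads, not "total 32 core". The `$ dig +noall +answer ...` and `$ whois 13.107.4.50|grep "Organization:"` lines in the CDN answer are bare text inside the `|` block, so they will render as prose rather than as a code block; wrap them in a fence. The cache-lifetime answer ("probably some combination of least recently used") should state the eviction policy or drop the guess. Finally, the metadata looks copied from an unrelated page: `ms.pagetype: security`, `M365-security-compliance`, `ms.custom: seo-marvel-apr2020`, and `author: amymzhou` against `amyzhou` in the sibling files.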
@@ -0,0 +1,86 @@ +--- +title: Operator sign up and service onboarding +manager: aaroncz +description: Service onboarding for Microsoft Connected Cache for ISP +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: nidos +ms.localizationpriority: medium +ms.author: nidos +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Operator sign up and service onboarding for Microsoft Connected Cache + +**Applies to** + +- Windows 10 +- Windows 11 + +This article details the process of signing up for Microsoft Connected Cache for Internet Service Providers (public preview). + +## Resource creation and sign up process + +1. Navigate to the [Azure portal](https://www.portal.azure.com). In the top search bar, search for **Microsoft Connected Cache**. + + :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace."::: + +1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, enter a name for your cache resource. + + > [!IMPORTANT] + > After your resource has been created, we need some information to verify your network operator status and approve you to host Microsoft Connected Cache nodes. Please ensure that your [Peering DB](https://www.peeringdb.com/) organization information is up to date as this information will be used for verification. The NOC contact email will be used to send verification information. +1. Navigate to **Settings** > **Sign up**. Enter your organization ASN. Indicate whether you're a transit provider. If so, additionally, include any ASN(s) for downstream network operators that you may transit traffic for. + + :::image type="content" source="./images/mcc-isp-sign-up.png" alt-text="Screenshot of the sign up page in the Microsoft Connected Cache resource page in Azure portal." lightbox="./images/mcc-isp-sign-up.png"::: + +1. 
Once we verify the information entered, a verification code will be sent to the NOC email address provided on [Peering DB](https://www.peeringdb.com/). Once you receive the email, navigate to your Azure portal > **Microsoft Connected Cache** > **Settings** > **Verify operator**, and enter the verification code sent to the NOC email address. + + > [!NOTE] + > Verification codes expire in 24 hours. You will need to generate a new code if it expires. + + :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png"::: + +1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node. + + + +### Cache performance + +To make sure you're maximizing the performance of your cache node, review the following information: + +#### OS requirements + +The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. + +#### NIC requirements + +- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. +- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. + +#### Drive performance + +The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance. + +RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping. + +### Hardware configuration example + +There are many hardware configurations that suit Microsoft Connected Cache. 
As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps: + +**Dell PowerEdge R330** + +- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core +- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s +- 4 - Transcend SSD230s 1 TB SATA Drives +- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) + +### Virtual machines + +Microsoft Connected Cache supports both physical and virtual machines as cache servers. If you're using a virtual machine as your server, refer to [VM performance](mcc-isp-vm-performance.md) for tips on how to improve your VM performance. \ No newline at end of file diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md new file mode 100644 index 0000000000..a321ac671c --- /dev/null +++ b/windows/deployment/do/mcc-isp-support.md 
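Review bot: under "Drive performance", "RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping." reads as self-contradictory; say which configurations hurt (parity levels) and that striping is acceptable, or drop the second sentence. The "Hardware configuration example" gives "about 35 Gbps" for the configuration the FAQ in this patch credits with 40 Gbps; align the two. Structurally, "### Cache performance" sits under the numbered sign-up procedure (after three empty lines) and so nests beneath "Resource creation and sign up process", but it starts a separate topic and reads like a `##`; the same goes for "### Hardware configuration example" and "### Virtual machines". The file also ends without a trailing newline ("\ No newline at end of file").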
@@ -0,0 +1,51 @@ +--- +title: Support and troubleshooting +manager: aaroncz +description: Troubleshooting issues for Microsoft Connected Cache for ISP +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +audience: itpro +author: nidos +ms.localizationpriority: medium +ms.author: nidos +ms.collection: M365-modern-desktop +ms.topic: reference +--- + +# Support and troubleshooting + +**Applies to** + +- Windows 10 +- Windows 11 + +This article provides information on how to troubleshoot common issues with Microsoft Connected Cache for ISPs. +## Sign up errors + +### Cannot verify account + +During sign-up, we verify the information you provide against what is present in [Peering DB](https://www.peeringdb.com/). Make sure the information for your ISP entry on [Peering DB](https://www.peeringdb.com/) is up to date and matches what you provide during sign-up. + +### Invalid verification code + +During sign-up, a verification code is sent to your NOC email address present in [Peering DB](https://www.peeringdb.com/). This code expires in 24 hours. If it's expired, you'll need to request a new verification code to complete the sign-up. + +## Cache Node Errors + +### Cannot find my cache node + +Did you previously had access to your cache nodes but it's now no longer accessible? If so, it may be because you had a trial subscription, and its trial period ended. To resolve this issue, complete the following two steps: + +1. Create a new Azure Pay-As-You-Go subscription +1. Recreate the cache nodes using the new subscription + +## Steps to obtain an Azure subscription ID + + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] + +## Recommended resources + +- [Pay-as-you-go-subscription](https://azure.microsoft.com/offers/ms-azr-0003p/) +- [Azure free account FAQs](https://azure.microsoft.com/free/free-account-faq/) + 
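Review bot: "Did you previously had access to your cache nodes but it's now no longer accessible?" should read "Did you previously have access to your cache nodes, but they're now no longer accessible?". The trial-expiry remedy ("Create a new Azure Pay-As-You-Go subscription", "Recreate the cache nodes using the new subscription") should add that a fresh provisioning command line must be copied from the portal for the recreated nodes, since mcc-isp-create-provision-deploy.md in this patch says the `registrationkey` is unique per run. Minor: `ms.topic: reference` here while the sibling files use `article`, and "## Sign up errors" is missing the blank line before it.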
diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md new file mode 100644 index 0000000000..c6bdfe27c8 --- /dev/null +++ b/windows/deployment/do/mcc-isp-update.md 
@@ -0,0 +1,58 @@ +--- +title: Update or uninstall your cache node +manager: aaroncz +description: How to update or uninstall your cache node +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Update or uninstall your cache node + +This article details how to update or uninstall your cache node. + +## Update cache node + +Microsoft will release updates for Microsoft Connected Cache periodically to improve performance, functionality, and security. Updates won't require any action from the customer. Instead, when an update is available, your cache node will automatically update during low traffic hours with minimal to no impact to your end customers. + +To view which version your cache nodes are currently on, navigate to the **Cache nodes** tab to view the versions in the list view. + +## Uninstall cache node + +There are two main steps required to uninstall your cache node: + +1. Remove your cache node from Azure portal +1. Run the uninstall script to cleanly remove MCC from your server + +You must complete both steps to ensure a clean uninstall of your cache node. + +### Remove your cache node from Azure portal + +Within the [Azure portal](https://www.portal.azure.com), navigate to **Cache Nodes**, then select the cache node you wish to delete. Once selected, select **Delete** on the top bar to remove this cache node from your account. + +### Run the uninstall script to cleanly remove Microsoft Connected Cache from your server + +In the installer zip file, you'll find the file **uninstallmcc.sh**. This script uninstalls Microsoft Connected Cache and all the related components. Only run it if you're facing issues with Microsoft Connected Cache installation. 
+ +The **uninstallmcc.sh** script removes the following components: + +- IoT Edge +- Edge Agent +- Edge Hub +- MCC +- Moby CLI +- Moby engine + +To run the script, use the following commands: + +```bash +sudo chmod +x uninstallmcc.sh +sudo ./uninstallmcc.sh + +``` diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md new file mode 100644 index 0000000000..22f8b3de86 --- /dev/null +++ b/windows/deployment/do/mcc-isp-verify-cache-node.md 
@@ -0,0 +1,80 @@ +--- +title: Verify cache node functionality and monitor health and performance +manager: aaroncz +description: How to verify the functionality of a cache node +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Verify cache node functionality and monitor health and performance + +This article details how to verify that your cache node(s) are functioning properly and serving traffic. This article also details how to monitor your cache nodes. + +## Verify functionality on Azure portal + +Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the **Overview** page. Select the **Monitoring** tab to verify the functionality of your server(s) by validating the number of healthy nodes shown. If you see any **Unhealthy nodes**, select the **Diagnose and Solve** link to troubleshoot and resolve the issue. + +## Verify functionality on the server + +It can take a few minutes for the container to deploy after you've saved the configuration. + +To validate a properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace `` with the IP address of the cache server. + +```bash +wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com +``` + +If successful, you'll see a terminal output similar to the following output: + +```bash +HTTP request sent, awaiting response... 
200 OK +Length: 969710 (947K) [image/gif] +Saving to: 'wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com' + +wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com 100%[========================] +``` + +Similarly, enter the following URL into a web browser on any device on the network: + +```http +http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com +``` + +If the test fails, for more information, see the [FAQ](mcc-isp-faq.yml) article. + +## Monitor cache node health and performance + +Within Azure portal, there are many charts and graphs that are available to monitor cache node health and performance. + +### Available Metrics + +Within Azure portal, you're able to build your custom charts and graphs using the following available metrics: + +| Metric name | Description | +|---|---| +| **Cache Efficiency** | Cache efficiency is defined as the total cache hit bytes divided by all bytes requested. The higher this value (0 - 100%), the more efficient the cache node is. | +| **Healthy nodes** | The number of cache nodes that are reporting as healthy| +| **Unhealthy nodes**| The number of cache nodes that are reporting as unhealthy| +| **Maximum in**| The maximum egress (in Gbps) of inbound traffic| +| **Maximum out**| The maximum egress (in Gbps) of outbound traffic| +| **Average in**| The average egress (in Gbps) of inbound traffic| +| **Average out**| The average egress (in Gbps) of outbound traffic| + +For more information about how to build your custom charts and graphs, see [Azure Monitor](/azure/azure-monitor/essentials/data-platform-metrics). + +### Monitoring your metrics + +To view the metrics associated with your cache nodes, navigate to the **Overview** > **Monitoring** tab within the Azure portal. 
+ +:::image type="content" source="./images/mcc-isp-metrics.png" alt-text="Screenshot of the Azure portal displaying the metrics view in the Overview tab."::: + +You can choose to monitor the health and performance of all cache nodes or one at a time by using the dropdown menu. The **Egress bits per second** graph shows your inbound and outbound traffic of your cache nodes over time. You can change the time range (1 hour, 12 hours, 1 day, 7 days, 14 days, and 30 days) by selecting the time range of choice on the top bar. + +If you're unable to view metrics for your cache node, it may be that your cache node is unhealthy, inactive, or hasn't been fully configured. diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md new file mode 100644 index 0000000000..6cb5ab9b45 --- /dev/null +++ b/windows/deployment/do/mcc-isp-vm-performance.md 
@@ -0,0 +1,36 @@ +--- +title: Enhancing VM performance +manager: aaroncz +description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs +keywords: updates, downloads, network, bandwidth +ms.prod: w10 +ms.mktglfcycl: deploy +audience: itpro +author: amyzhou +ms.localizationpriority: medium +ms.author: amyzhou +ms.collection: M365-modern-desktop +ms.topic: reference +--- + +# Enhancing virtual machine performance + +In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change two settings. + +## Virtual machine settings + +Change the following settings to maximize the egress in virtual environments: + +1. Enable **Single Root I/O Virtualization (SR-IOV)** in the following three locations: + + - The BIOS of the MCC virtual machine + - The network card properties of the MCC virtual machine + - The hypervisor for the MCC virtual machine + + Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment. + +2. Enable high performance in the BIOS instead of energy savings. Microsoft has found this setting to also nearly double egress in a Microsoft Hyper-V deployment. + +## Next steps + +[Support and troubleshooting](mcc-isp-support.md) diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index 9ac74d0930..055f86b888 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md 
@@ -5,17 +5,17 @@ ms.prod: windows-client ms.technology: itpro-updates ms.localizationpriority: medium author: amymzhou -ms.author: aaroncz +ms.author: amyzhou ms.reviewer: carmenf -manager: dougeby +manager: aaroncz ms.collection: M365-modern-desktop ms.topic: how-to ms.date: 05/20/2022 --- -# Microsoft Connected Cache for Internet Service Providers (ISPs) +# Microsoft Connected Cache for Internet Service Providers (early preview) -_Applies to_ +*Applies to* - Windows 10 - Windows 11 @@ -23,7 +23,7 @@ _Applies to_ ## Overview > [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> This document is for Microsoft Connected Cache (early preview). During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads. 
@@ -31,15 +31,15 @@ Microsoft Connected Cache is a hybrid application, in that it's a mix of on-prem ## How MCC works -:::image type="content" source="images/imcc01.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="images/imcc01.png"::: +:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png"::: The following steps describe how MCC is provisioned and used: 1. The Azure Management Portal is used to create and manage MCC nodes. -2. A shell script is used to provision the server and deploy the MCC application. +1. A shell script is used to provision the server and deploy the MCC application. -3. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server. +1. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server. - The publicly accessible IPv4 address of the server is configured on the portal. 
@@ -50,31 +50,31 @@ The following steps describe how MCC is provisioned and used: > [!NOTE] > Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error. -4. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node. +1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node. -5. Microsoft clients make the range requests for content from the MCC node. +1. Microsoft clients make the range requests for content from the MCC node. -6. A MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. +1. An MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. -7. Subsequent requests from end-user devices for content will be served from cache. +1. Subsequent requests from end-user devices for content will be served from cache. -8. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers. +1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers. ## ISP requirements for MCC ### Azure subscription -The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are _free_ services. +The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are *free* services. > [!NOTE] > If you request Exchange or Public peering in the future, business email addresses must be used to register ASNs. Microsoft doesn't accept Gmail or other non-business email addresses. 
-Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). _Don't submit a trial subscription_ as you'll lose access to your Azure resources after the trial period ends. +Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). *Don't submit a trial subscription* as you'll lose access to your Azure resources after the trial period ends. The resources used for the preview, and in the future when this product is ready for production, will be free to you - like other caching solutions. > [!IMPORTANT] -> To join the Microsoft Connected Cache private preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). +> To join the Microsoft Connected Cache early preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). ### Hardware to host the MCC 
@@ -89,7 +89,7 @@ This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC #### NIC requirements -- Multiple NICs on a single MCC instance are supported using a _link aggregated_ configuration. +- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. - 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. ### Sizing recommendations @@ -97,10 +97,10 @@ This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. The following recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC. | Component | Minimum | Recommended | -| -- | --- | --- | +|---|---|---| | OS | Ubuntu 20.04 LTS VM or physical server | Ubuntu 20.04 LTS VM or physical server (preferred) | | NIC | 10 Gbps| at least 10 Gbps | -| Disk | SSD
1 drive
2 TB each |SSD
2-4 drives
at least 2 TB each | +| Disk | SSD
1 drive
2 TB each |SSD
2-4 drives
at least 2 TB each | | Memory | 8 GB | 32 GB or greater | | Cores | 4 | 8 or more | @@ -110,8 +110,8 @@ To deploy MCC: 1. [Provide Microsoft with your Azure subscription ID](#provide-microsoft-with-your-azure-subscription-id) 2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) -3. [Create a Cache Node](#create-a-mcc-node-in-azure) -4. [Configure Cache Node Routing](#edit-cache-node-information) +3. [Create a Cache Node](#create-an-mcc-node-in-azure) +4. [Configure Cache Node Routing](#edit-cache-node-information) 5. [Install MCC on a physical server or VM](#install-mcc) 6. [Verify properly functioning MCC server](#verify-properly-functioning-mcc-server) 7. [Review common issues if needed](#common-issues) 
@@ -135,20 +135,20 @@ Operators who have been given access to the program will be sent a link to the A 1. Choose **Create a resource**. - :::image type="content" source="images/imcc02.png" alt-text="Select the option to 'Create a resource' in the Azure portal."::: + :::image type="content" source="./images/mcc-isp-create-resource.png" alt-text="Screenshot of the option to 'Create a resource' in the Azure portal."::: 1. Type **Microsoft Connected Cache** into the search box and press **Enter** to show the search results. 1. Select **Microsoft Connected Cache**. - :::image type="content" source="images/imcc03.png" alt-text="Search the Azure Marketplace for 'Microsoft Connected Cache'."::: + :::image type="content" source="./images/mcc-isp-search-marketplace.png" alt-text="Screenshot of searching the Azure Marketplace for 'Microsoft Connected Cache'."::: > [!IMPORTANT] - > Don't select _Connected Cache Resources_, which is different from **Microsoft Connected Cache**. + > Don't select *Connected Cache Resources*, which is different from **Microsoft Connected Cache**. 1. Select **Create** on the next screen to start the process of creating the MCC resource. - :::image type="content" source="images/imcc04.png" alt-text="Select the option to Create the Microsoft Connected Cache service."::: + :::image type="content" source="./images/mcc-isp-create.png" alt-text="Screenshot of the Create option for the Microsoft Connected Cache service."::: 1. Fill in the following required fields to create the MCC resource: 
@@ -163,11 +163,11 @@ Operators who have been given access to the program will be sent a link to the A - Specify a **Connected Cache Resource Name**. - :::image type="content" source="images/imcc05.png" alt-text="Enter the required information to create a Connected Cache in Azure."::: + :::image type="content" source="./images/mcc-isp-location-west.png" alt-text="Screenshot of entering the required information, including the West US location, to create a Connected Cache in Azure."::: 1. Select **Review + Create**. Once validation is complete, select **Create** to start the resource creation. - :::image type="content" source="images/imcc06.png" alt-text="'Your deployment is complete' message displaying deployment details."::: + :::image type="content" source="./images/mcc-isp-deployment-complete.png" alt-text="'Screenshot of the 'Your deployment is complete' message displaying deployment details."::: #### Common Resource Creation Errors 
@@ -175,58 +175,55 @@ Operators who have been given access to the program will be sent a link to the A If you get the error message "Validation failed" in the Azure portal, it's likely because you selected the **Location** as **US West 2** or another unsupported location. To resolve this error, go to the previous step and choose **(US) West US** for the **Location**. -:::image type="content" source="images/imcc07.png" alt-text="'Validation failed' error message for Connected Cache in an unsupported location."::: - ##### Error: Could not create Marketplace item If you get the error message "Could not create marketplace item" in the Azure portal, use the following steps to troubleshoot: -- Make sure that you've selected **Microsoft Connected Cache** and not _Connected Cache resources_ while trying to create a MCC resource. +- Make sure that you've selected **Microsoft Connected Cache** and not *Connected Cache resources* while trying to create an MCC resource. - Make sure that you're using the same subscription that you provided to Microsoft and you have privileges to create an Azure resource. - If the issue persists, clear your browser cache and start in a new window. -### Create a MCC node in Azure +### Create an MCC node in Azure 1. After you successfully create the resource, select **Go to resource**. 1. Under the **Cache Node Management** section in the left panel, select **Cache Nodes**. - :::image type="content" source="images/imcc08.png" alt-text="The 'Cache Nodes' option in the Cache Node Management menu section."::: + :::image type="content" source="./images/mcc-isp-cache-nodes-option.png" alt-text="Screenshot of the 'Cache Nodes' option in the Cache Node Management menu section."::: 1. On the **Cache Nodes** section, select **Create Cache Node**. 
- :::image type="content" source="images/imcc09.png" alt-text="Select the 'Create Cache Node' option."::: + :::image type="content" source="./images/mcc-isp-create-cache-node-option.png" alt-text="Screenshot of the selecting the 'Create Cache Node' option."::: 1. This action opens the **Create Cache Node** page. The only required fields are **Cache Node Name** and **Max Allowable Egress (Mbps)**. | Field name | Expected value | Description | |--|--|--| | **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | - | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. _The IP address must be publicly accessible._ | + | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. *The IP address must be publicly accessible.* | | **Max Allowable Egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, `10,000` Mbps. | | **Address Range/CIDR Blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: `2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24` | - | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests.
**Disable** prevents the cache node from receiving content requests.
Cache nodes are enabled by default. | + | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests.
**Disable** prevents the cache node from receiving content requests.
Cache nodes are enabled by default. | - :::image type="content" source="images/imcc10.png" alt-text="Available fields on the Create Cache Node page."::: + :::image type="content" source="./images/mcc-isp-create-cache-node-fields.png" alt-text="Screenshot of the available fields on the Create Cache Node page."::: > [!TIP] > The information icon next to each field provides a description. > - > :::image type="content" source="images/imcc11.png" alt-text="Create Cache Node page showing the description for the Server IP Address field."::: + > :::image type="content" source="./images/mcc-isp-node-server-ip.png" alt-text="Screenshot of the Create Cache Node page showing the description for the Server IP Address field."::: - > [!NOTE] - > After you create the cache node, if you return to this page, it populates the values for the two read-only fields: - > - > | Field name | Description | - > |--|--| - > | **IP Space** | Number of IP addresses that will be routed to your cache server. | - > | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. | + After you create the cache node, if you return to this page, it populates the values for the two read-only fields: + + | Field name | Description | + |--|--| + | **IP Space** | Number of IP addresses that will be routed to your cache server. | + | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. | 1. Enter the information to create the cache node, and then select **Create**. 
- :::image type="content" source="images/imcc12.png" alt-text="Select 'Create' on the Create Cache Node page."::: + :::image type="content" source="./images/mcc-isp-create-new-node.png" alt-text="Screenshot of selecting 'Create' on the Create Cache Node page."::: If there are errors, the page gives you guidance on how to correct the errors. For example: @@ -236,11 +233,11 @@ If there are errors, the page gives you guidance on how to correct the errors. F See the following example with all information entered: -:::image type="content" source="images/imcc13.png" alt-text="Create Cache Node page with all information entered."::: +:::image type="content" source="./images/mcc-isp-create-node-form.png" alt-text="Screenshot of the Create Cache Node page with all information entered."::: Once you create the MCC node, it will display the installer instructions. For more information on the installer instructions, see the [Install Connected Cache](#install-mcc) section. -:::image type="content" source="images/imcc14.png" alt-text="Cache node successfully created with Connected Cache installer instructions."::: +:::image type="content" source="./images/mcc-isp-success-instructions.png" alt-text="Screenshot of the Cache node successfully created with Connected Cache installer instructions."::: ### IP address space approval 
@@ -258,15 +255,15 @@ There are three states for IP address space. MCC configuration supports BGP and If your IP address space has this status, contact Microsoft for more information. -:::image type="content" source="images/imcc15.png" alt-text="A list of cache node names with example IP address space statuses."::: +:::image type="content" source="./images/mcc-isp-node-names.png" alt-text="Screenshot of a list of cache node names with example IP address space statuses."::: ## Edit cache node information -:::image type="content" source="images/imcc16.png" alt-text="Cache Nodes list in the Azure portal."::: +:::image type="content" source="./images/mcc-isp-list-nodes.png" alt-text="Screenshot of the Cache Nodes list in the Azure portal."::: To modify the configuration for existing MCC nodes in the portal, select the cache node name in the cache nodes list. This action opens the **Cache Node Configuration** page. You can edit the **Server IP Address** or **Address Range/CIDR Blocks** field. You can also enable or disable the cache node. -:::image type="content" source="images/imcc17.png" alt-text="Cache Node Configuration page, highlighting editable fields."::: +:::image type="content" source="./images/mcc-isp-node-configuration.png" alt-text="Screenshot of the Cache Node Configuration page, highlighting editable fields."::: To delete a cache node, select it in the cache nodes list, and then select **Delete** in the toolbar. If you delete a cache node, there's no way to recover it or any of the information related to the cache node. 
@@ -298,7 +295,7 @@ Before you start, make sure that you have a data drive configured on your server 1. From either **Create Cache Node** or **Cache Node Configuration** pages, select **Download Installer** to download the installer file. - :::image type="content" source="images/imcc18.png" alt-text="The Create Cache Node page highlighting the Download Installer action."::: + :::image type="content" source="./images/mcc-isp-installer-download.png" alt-text="Screenshot of the Create Cache Node page highlighting the Download Installer action."::: Unzip the **mccinstaller.zip** file, which includes the following installation files and folders: 
@@ -322,19 +319,19 @@ Before you start, make sure that you have a data drive configured on your server 1. In the Azure portal, in the Connected Cache installer instructions, copy the cache node installer Bash script command. Run the Bash script from the terminal. - :::image type="content" source="images/imcc19.png" alt-text="Copy the cache node installer Bash script in the Connected Cache installer instructions."::: + :::image type="content" source="./images/mcc-isp-copy-install-script.png" alt-text="Screenshot of the Copy option for the cache node installer Bash script in the Connected Cache installer instructions."::: 1. Sign in to the Azure portal with a device code. - :::image type="content" source="images/imcc20.png" alt-text="Bash script prompt to sign in to the Azure portal with a device code."::: + :::image type="content" source="./images/mcc-isp-bash-device-code.png" alt-text="Screenshot of the Bash script prompt to sign in to the Azure portal with a device code." lightbox="./images/mcc-isp-bash-device-code.png"::: 1. Specify the number of drives to configure. Use an integer value less than 10. - :::image type="content" source="images/imcc22.png" alt-text="Bash script prompt to enter the number of cache drives to configure."::: + :::image type="content" source="./images/mcc-isp-bash-drive-number.png" alt-text="Screenshot of the Bash script prompt to enter the number of cache drives to configure." lightbox="./images/mcc-isp-bash-drive-number.png"::: 1. Specify the location of the cache drives. For example, `/datadrive/` - :::image type="content" source="images/imcc23.png" alt-text="Bash script prompt to enter the location for cache drive."::: + :::image type="content" source="./images/mcc-isp-bash-datadrive.png" alt-text="Screenshot of the Bash script prompt to enter the location for cache drive." 
lightbox="./images/mcc-isp-bash-datadrive.png"::: > [!IMPORTANT] > The script changes the permission and ownership on the cache drive to **everyone** with the command `chmod 777`. @@ -350,15 +347,15 @@ Before you start, make sure that you have a data drive configured on your server 1. Specify an integer value as the size in GB for each cache drive. The minimum is `100` GB. - :::image type="content" source="images/imcc24.png" alt-text="Bash script prompt to enter the amount of space to allocate to the cache drive."::: + :::image type="content" source="./images/mcc-isp-bash-allocate-space.png" alt-text="Screenshot of the Bash script prompt to enter the amount of space to allocate to the cache drive." lightbox="./images/mcc-isp-bash-allocate-space.png"::: 1. Specify whether you have an existing IoT Hub. - - If this process is for your _first MCC deployment_, enter `n`. + - If this process is for your *first MCC deployment*, enter `n`. - - If you already have a MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue. + - If you already have an MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue. - :::image type="content" source="images/imcc25.png" alt-text="Bash script output with steps for existing IoT Hub."::: + :::image type="content" source="./images/mcc-isp-bash-iot-prompt.png" alt-text="Screenshot of the Bash script output with steps for existing IoT Hub." lightbox="./images/mcc-isp-bash-iot-prompt.png"::: 1. If you want to configure BGP, enter `y`. If you want to use manual entered prefixes for routing, enter `n` and skip to Step 16. You can always configure BGP at a later time using the Update Script. 
@@ -394,7 +391,7 @@ Before you start, make sure that you have a data drive configured on your server 1. To start routing using BGP, change the **Prefix Source** from **Manually Entered** to **Use BGP**. - :::image type="content" source="images/imcc55.PNG" alt-text="Cache node configuration with the Prefix Source set to Use BGP."::: + :::image type="content" source="./images/mcc-isp-use-bgp.png" alt-text="Screenshot of the Cache Node Configuration page with the Prefix Source set to Use BGP."::: 1. If there are no errors, go to the next section to verify the MCC server. @@ -415,7 +412,7 @@ Sign in to the Connected Cache server or use SSH. Run the following command from sudo iotedge list ``` -:::image type="content" source="images/imcc26.png" alt-text="Terminal output of iotedge list command, showing the running containers."::: +:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png"::: If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command: @@ -425,7 +422,7 @@ sudo journalctl -u iotedge -f For example, this command provides the current status of the starting and stopping of a container, or the container pull and start: -:::image type="content" source="images/imcc27.png" alt-text="Terminal output of journalctl command for iotedge."::: +:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png"::: ### Verify server side 
@@ -439,7 +436,7 @@ wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.wind The following screenshot shows a successful test result: -:::image type="content" source="images/imcc28.png" alt-text="Terminal output of successful test result with wget command to validate a MCC."::: +:::image type="content" source="./images/mcc-isp-wget.png" alt-text="Screenshot of the terminal output of successful test result with wget command to validate a Microsoft Connected Cache." lightbox="./images/mcc-isp-wget.png"::: Similarly, enter the following URL into a web browser on any device on the network: @@ -484,7 +481,7 @@ To configure the device to work with your DNS, use the following steps: nmcli device show eno1 ``` - :::image type="content" source="images/imcc30.png" alt-text="Sample output of nmcli command to show network adapter information."::: + :::image type="content" source="images/mcc-isp-nmcli.png" alt-text="Screenshot of a sample output of nmcli command to show network adapter information." lightbox="./images/mcc-isp-nmcli.png"::: 1. Open or create the Docker configuration file used to configure the DNS server. @@ -535,7 +532,7 @@ To run the script: ## Updating your MCC -Throughout the private preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC. +Throughout the early preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC. Run the following commands, replacing the variables with the values provided in the email to update your MCC: @@ -553,7 +550,7 @@ sudo ./updatemcc.sh version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-u ### Configure BGP on an Existing MCC -If you have a MCC that's already active and running, follow the steps below to configure BGP. +If you have an MCC that's already active and running, follow the steps below to configure BGP. 1. Run the Update commands as described above. 
@@ -585,20 +582,12 @@ sudo ./uninstallmcc.sh ``` ## Appendix - + ### Steps to obtain an Azure subscription ID -1. Sign in to the [Azure portal](https://portal.azure.com/) and go to the **Azure services** section. + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] -2. Select **Subscriptions**. If you don't see **Subscriptions**, select the **More Services** arrow and search for **Subscriptions**. - -3. If you already have an Azure subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. - -4. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you won't be charged for using the MCC service. - -5. On the **Subscriptions** section, you'll find details about your current subscription. Select the subscription name. - -6. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. To copy the value, select the **Copy to clipboard** icon next to your subscription ID. ### Performance of MCC in virtual environments 
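Review bot: The six explicit "obtain an Azure subscription ID" steps are replaced by `[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]`, but that include file is not part of this diff. Confirm it exists at `windows/deployment/do/includes/get-azure-subscription.md` and that it still carries the statement the removed step 4 made ("you'll be asked to enter credit card information, but you won't be charged for using the MCC service"), or that the statement was intentionally dropped, since readers of the ISP page were relying on it.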
@@ -618,7 +607,7 @@ In virtual environments, the cache server egress peaks at around 1.1 Gbps. If yo More users can be given access to manage Microsoft Connected Cache, even if they don't have an Azure account. Once you've created the first cache node in the portal, you can add other users as **Owners** of the Microsoft Connected Cache resource group and the Microsoft Connected Cache resource. -For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the _MCC resource_ and _MCC resource group_. +For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the *MCC resource* and *MCC resource group*. ### Setting up a VM on Windows Server 
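Review bot: This hunk only changes `_MCC resource_` to `*MCC resource*`, but the surrounding guidance it touches tells admins to add other users as **Owners** of both the Microsoft Connected Cache resource group and the resource. Owner on a resource group also grants the right to assign roles to anyone else in that scope, which is more than "manage Microsoft Connected Cache" requires. If Owner is genuinely needed by the portal workflow, say so explicitly; otherwise recommend Contributor on the resource (and resource group) as the least-privilege assignment while this line is being edited.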
@@ -631,93 +620,93 @@ You can use hardware that will natively run Ubuntu 20.04 LTS, or you can run an 1. Start the **New Virtual Machine Wizard** in Hyper-V. - :::image type="content" source="images/imcc31.png" alt-text="The Before You Begin page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-begin.png" alt-text="Screenshot of the Before You Begin page of the Hyper-V New Virtual Machine Wizard."::: 1. Specify a name and choose a location. - :::image type="content" source="images/imcc32.png" alt-text="The Specify Name and Location page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-name.png" alt-text="Screenshot of the Specify Name and Location page in the Hyper-V New Virtual Machine Wizard."::: 1. Select **Generation 2**. You can't change this setting later. - :::image type="content" source="images/imcc33.png" alt-text="The Specify Generation page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-generation.png" alt-text="Screenshot of the Specify Generation page in the Hyper-V New Virtual Machine Wizard."::: 1. Specify the startup memory. - :::image type="content" source="images/imcc34.png" alt-text="The Assign Memory page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-memory.png" alt-text="Screenshot of the Assign Memory page of the Hyper-V New Virtual Machine Wizard."::: 1. Choose the network adapter connection. - :::image type="content" source="images/imcc35.png" alt-text="The Configure Networking page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-networking.png" alt-text="Screenshot of the Configure Networking page of the Hyper-V New Virtual Machine Wizard."::: 1. Set the virtual hard disk parameters. 
You should specify enough space for the OS and the content that will be cached. For example, `1024` GB is 1 terabyte. - :::image type="content" source="images/imcc36.png" alt-text="The Connect Virtual Hard Disk page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-disk.png" alt-text="Screenshot of the Connect Virtual Hard Disk page of the Hyper-V New Virtual Machine Wizard."::: 1. Select **Install an OS from a bootable image file** and browse to the ISO for Ubuntu 20.04 LTS that you previously downloaded. - :::image type="content" source="images/imcc37.png" alt-text="The Installation Options page of the Hyper-V New Virtual Machine Wizard."::: + :::image type="content" source="./images/mcc-isp-hyper-v-installation-options.png" alt-text="Screenshot of the Installation Options page of the Hyper-V New Virtual Machine Wizard."::: 1. Review the settings and select **Finish** to create the Ubuntu VM. - :::image type="content" source="images/imcc38.png" alt-text="Completing the New Virtual Machine Wizard on Hyper-V."::: + :::image type="content" source="./images/mcc-isp-hyper-v-summary.png" alt-text="Screenshot of completing the New Virtual Machine Wizard on Hyper-V."::: 1. Before you start the Ubuntu VM, disable **Secure Boot** and allocate multiple cores to the VM. 1. In Hyper-V Manager, open the **Settings** for the VM. - :::image type="content" source="images/imcc39.png" alt-text="Open Settings for a VM in Hyper-V Manager."::: + :::image type="content" source="./images/mcc-isp-hyper-v-vm-settings.png" alt-text="Screenshot of the settings for a VM in Hyper-V Manager."::: 1. Select **Security**. Disable the option to **Enable Secure Boot**. - :::image type="content" source="images/imcc40.png" alt-text="Security page of VM settings in Hyper-V Manager."::: + :::image type="content" source="./images/mcc-isp-hyper-v-vm-security.png" alt-text="Screenshot of the security page from VM settings in Hyper-V Manager."::: 1. 
Select **Processor**. Increase the number of virtual processors. This example shows `12`, but your configuration may vary. - :::image type="content" source="images/imcc41.png" alt-text="Processor page of VM settings in Hyper-V Manager."::: + :::image type="content" source="./images/mcc-isp-hyper-v-vm-processor.png" alt-text="Screenshot of the processor page from VM settings in Hyper-V Manager."::: 1. Start the VM and select **Install Ubuntu**. - :::image type="content" source="images/imcc42.png" alt-text="GNU GRUB screen, select Install Ubuntu."::: + :::image type="content" source="./images/mcc-isp-gnu-grub.png" alt-text="Screenshot of the GNU GRUB screen, with Install Ubuntu selected."::: 1. Choose your default language. - :::image type="content" source="images/imcc43.png" alt-text="Ubuntu install, Welcome page, select language."::: + :::image type="content" source="./images/mcc-isp-ubuntu-language.png" alt-text="Screenshot of the Ubuntu install's language selection page."::: 1. Choose the options for installing updates and third party hardware. For example, download updates and install third party software drivers. 1. Select **Erase disk and install Ubuntu**. If you had a previous version of Ubuntu installed, we recommend erasing and installing Ubuntu 16.04. - :::image type="content" source="images/imcc45.png" alt-text="Ubuntu install, Installation type page, Erase disk and install Ubuntu."::: + :::image type="content" source="./images/mcc-isp-ubuntu-erase-disk.png" alt-text="Screenshot of the Ubuntu install Installation type page with the Erase disk and install Ubuntu option selected."::: Review the warning about writing changes to disk, and select **Continue**. - :::image type="content" source="images/imcc46.png" alt-text="Ubuntu install, 'Write the changes to disks' warning."::: + :::image type="content" source="./images/mcc-isp-ubuntu-write-changes.png" alt-text="Screenshot of the Ubuntu install's 'Write the changes to disks' warning."::: 1. 
Choose the time zone. - :::image type="content" source="images/imcc47.png" alt-text="Ubuntu install, 'Where are you page' to specify time zone."::: + :::image type="content" source="./images/mcc-isp-ubuntu-time-zone.png" alt-text="Screenshot of the Ubuntu install's 'Where are you page' to specify time zone."::: 1. Choose the keyboard layout. - :::image type="content" source="images/imcc48.png" alt-text="Ubuntu install, Keyboard layout page."::: + :::image type="content" source="./images/mcc-isp-ubuntu-keyboard.png" alt-text="Screenshot of the Ubuntu install's Keyboard layout page."::: 1. Specify your name, a name for the computer, a username, and a strong password. Select the option to **Require my password to log in**. > [!TIP] > Everything is case sensitive in Linux. - :::image type="content" source="images/imcc50.png" alt-text="Ubuntu install, 'Who are you' screen."::: + :::image type="content" source="./images/mcc-isp-ubuntu-who.png" alt-text="Screenshot of the Ubuntu install's, 'Who are you' screen."::: 1. To complete the installation, select **Restart now**. - :::image type="content" source="images/imcc51.png" alt-text="Ubuntu install, installation complete, restart now."::: + :::image type="content" source="./images/mcc-isp-ubuntu-restart.png" alt-text="Screenshot of the Ubuntu install's installation complete, restart now screen."::: 1. After the computer restarts, sign in with the username and password. > [!IMPORTANT] > If it shows that an upgrade is available, select **Don't upgrade**. > - > :::image type="content" source="images/imcc52.png" alt-text="Ubuntu install, Upgrade Available prompt, Don't Upgrade."::: + > :::image type="content" source="./images/mcc-isp-ubuntu-upgrade.png" alt-text="Screenshot of the Ubuntu install's Upgrade Available prompt with Don't Upgrade selected."::: Your Ubuntu VM is now ready to [Install MCC](#install-mcc). 
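Review bot: Two things in the `@@ -631,93 +620,93 @@` Hyper-V hunk. First, the unchanged context line "If you had a previous version of Ubuntu installed, we recommend erasing and installing Ubuntu 16.04." contradicts the same procedure's instruction to boot "the ISO for Ubuntu 20.04 LTS that you previously downloaded"; since the adjacent lines are being rewritten anyway, fix the version to 20.04 LTS here. Second, the steps still instruct "disable **Secure Boot**" for a Generation 2 VM. Ubuntu 20.04 boots on Hyper-V Gen 2 with Secure Boot left enabled if the Security page's template is set to **Microsoft UEFI Certificate Authority** instead of the default Windows template; suggest documenting that option rather than telling operators of a cache server to turn Secure Boot off.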
@@ -735,6 +724,6 @@ For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/ ## Related articles -[Microsoft Connected Cache for enterprise and education](mcc-enterprise.md) +[Microsoft Connected Cache overview](waas-microsoft-connected-cache.md) [Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md index d492d18d11..8888c9ec94 100644 --- a/windows/deployment/do/waas-microsoft-connected-cache.md +++ b/windows/deployment/do/waas-microsoft-connected-cache.md 
@@ -22,41 +22,40 @@ ms.technology: itpro-updates - Windows 11 > [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Microsoft Connected Cache is currently a preview feature. To view our early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. -MCC is a hybrid (mix of on-prem and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. +MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. 
The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. -Even though your MCC scenario is not related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: +Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: 1. Installs and updates MCC on your edge device. -2. Maintains Azure IoT Edge security standards on your edge device. -3. Ensures that MCC is always running. -4. Reports MCC health and usage to the cloud for remote monitoring. +1. Maintains Azure IoT Edge security standards on your edge device. +1. Ensures that MCC is always running. +1. Reports MCC health and usage to the cloud for remote monitoring. To deploy a functional MCC to your device, you must obtain the necessary keys to provision the Connected Cache instance that communicates with Delivery Optimization services, and enable the device to cache and deliver content. The architecture of MCC is described below. -For more details information on Azure IoT Edge, please see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge). 
+For more information on Azure IoT Edge, see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge). ## How MCC Works 1. The Azure Management Portal is used to create MCC nodes. -2. The MCC container is deployed and provisioned to the server using the installer provided in the portal. -3. Client policy is set in your management solution to point to the IP address or FQDN of the cache server. -4. Microsoft end-user devices make range requests for content from the MCC node. -5. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. -6. Subsequent requests from end-user devices for content will now come from cache. -7. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. +1. The MCC container is deployed and provisioned to the server using the installer provided in the portal. +1. Client policy is set in your management solution to point to the IP address or FQDN of the cache server. +1. Microsoft end-user devices make range requests for content from the MCC node. +1. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. +1. Subsequent requests from end-user devices for content will now come from cache. +1. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. -See the following diagram. +The following diagram displays and overview of how MCC functions: -![MCC Overview](images/waas-mcc-diag-overview.png#lightbox) +:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." 
lightbox="./images/waas-mcc-diag-overview.png"::: -For more information about MCC, see the following articles: -- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise.md) -- [Microsoft Connected Cache for ISPs](mcc-isp.md) -## Also see -[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) \ No newline at end of file +## Next steps + +- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md) +- [Microsoft Connected Cache for ISPs](mcc-isp-signup.md) diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index 3609de6b15..35b2652d61 100644 --- a/windows/deployment/do/whats-new-do.md +++ b/windows/deployment/do/whats-new-do.md @@ -21,7 +21,7 @@ ms.technology: itpro-updates - Windows 10 - Windows 11 -## Microsoft Connected Cache (private preview) +## Microsoft Connected Cache (early preview) Microsoft Connected Cache (MCC) is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 7c6b7cb6ed..58bb72052d 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml 
@@ -6,12 +6,10 @@ summary: Learn about deploying and keeping Windows client devices up to date. # metadata: title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.technology: itpro-apps + ms.prod: windows-client ms.collection: - - windows-10 - highpri author: frankroj ms.author: frankroj diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index bf3c38f95e..853855b43b 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -3,7 +3,8 @@ metadata: title: Windows 10 Enterprise FAQ for IT pros (Windows 10) description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools - ms.prod: w10 + ms.prod: windows-client + ms.technology: itpro-deploy ms.mktglfcycl: plan ms.localizationpriority: medium ms.sitesec: library diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml index 848e407d94..c234ad4992 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml 
@@ -8,7 +8,8 @@ metadata: ms.author: frankroj manager: aaroncz keywords: FAQ, mobile, device, USB - ms.prod: w10 + ms.prod: windows-client + ms.technology: itpro-deploy ms.mktglfcycl: deploy ms.pagetype: mobility ms.sitesec: library diff --git a/windows/deployment/update/images/wufb-do-overview.png b/windows/deployment/update/images/wufb-do-overview.png new file mode 100644 index 0000000000..bacdb44d25 Binary files /dev/null and b/windows/deployment/update/images/wufb-do-overview.png differ diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md new file mode 100644 index 0000000000..7fae5b9b00 --- /dev/null +++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md 
@@ -0,0 +1,35 @@ +--- +title: Windows Update for Business reports Data Schema - UCDOAggregatedStatus +ms.reviewer: +manager: naengler +description: UCDOAggregatedStatus schema +ms.prod: windows-client +author: cmknox +ms.author: carmenf +ms.collection: M365-analytics +ms.topic: reference +ms.date: 11/17/2022 +ms.technology: itpro-updates +--- + +# UCDOAggregatedStatus + +***(Applies to: Windows 11 & Windows 10)*** + +UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do). + +|Field |Type |Example |Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | +| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.| +| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). | +| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). | +| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. | +| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. 
| +| **BytesFromPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. | +| **ContentType** | [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. | +| **DeviceCount** | [long](/azure/kusto/query/scalar-data-types/long) | `27077` | Number of devices. | +| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. | diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md new file mode 100644 index 0000000000..0b11c3c938 --- /dev/null +++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md 
@@ -0,0 +1,55 @@ +--- +title: Windows Update for Business reports Data Schema - UCDOStatus +ms.reviewer: +manager: naengler +description: UCDOStatus schema +ms.prod: windows-client +author: cmknox +ms.author: carmenf +ms.collection: M365-analytics +ms.topic: reference +ms.date: 11/17/2022 +ms.technology: itpro-updates +--- + +# UCDOStatus + +***(Applies to: Windows 11 & Windows 10)*** + +UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use Delivery Optimization. + +|Field |Type |Example |Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | +| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.| +| **BWOptPercent7Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.| +| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). | +| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). | +| **BytesFromGroupPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. 
| +| **BytesFromIntPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. | +| **BytesFromPeers** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. | +| **City** | [string](/azure/kusto/query/scalar-data-types/string) | `Redmond` | Approximate city where device was located while downloading content, based on IP address. | +| **ContentDownloadMode** | [int](/azure/kusto/query/scalar-data-types/int) | `1` | Device's Delivery Optimization Download Mode used to download content. | +| **ContentType** | [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. | +| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | Approximate country where device was located while downloading content, based on IP address. | +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `DESKTOP-DO` | User or organization provided device name. If the value appears as '#', configure the device to send device name. | +| **DOStatusDescription** | [string](/azure/kusto/query/scalar-data-types/string) | `Downloading` | A short description of Delivery Optimization status, if any. | +| **DownloadMode** | [string](/azure/kusto/query/scalar-data-types/string) | `LAN (1)` | Delivery Optimization Download Mode configured on the device. | +| **DownloadModeSrc** | [string](/azure/kusto/query/scalar-data-types/string) | `MDM` | The source of the Download Mode configuration. | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft global device identifier. This identifier is used by Microsoft internally. | +| **GroupID** | [string](/azure/kusto/query/scalar-data-types/string) | `3suvw1efol0nmy8y9g8tfhtj1onwpsk9g9swpwnvfra=` | Delivery Optimization Group ID GUID value. 
| +| **ISP** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft Corporation` | Internet Service Provider estimation. | +| **LastCensusSeenTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. | +| **NoPeersCount** | [long](/azure/kusto/query/scalar-data-types/long) | `4` | Count of peers device interacted with. | +| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10/11 operating system version currently installed on the device, such as 20H1, 21H2. | +| **PeerEligibleTransfers** | [long](/azure/kusto/query/scalar-data-types/long) | `5` | Total count of eligible transfers by peers. | +| **PeeringStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `On` | Delivery Optimization peering status. | +| **PeersCannotConnectCount** | [long](/azure/kusto/query/scalar-data-types/long) | `1` | Count of peers Delivery Optimization couldn't connect to. | +| **PeersSuccessCount** | [long](/azure/kusto/query/scalar-data-types/long) | `2` | Count of peers Delivery Optimization successfully connected to. | +| **PeersUnknownCount** | [long](/azure/kusto/query/scalar-data-types/long) | `0` | Count of peers with an unknown relation. | +| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) |`6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **TotalTimeForDownload** | [string](/azure/kusto/query/scalar-data-types/string) | `00:02:11` | Total time to download content. | +| **TotalTransfers** | [long](/azure/kusto/query/scalar-data-types/long) | `304` | Total count of data transfers needed to download content. 
| +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. | diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md index 3d1083467a..cdaf2834c6 100644 --- a/windows/deployment/update/wufb-reports-workbook.md +++ b/windows/deployment/update/wufb-reports-workbook.md @@ -141,7 +141,7 @@ The **Device status** group for feature updates contains the following items: ## Delivery Optimization (preview tab) -The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes Microsoft Connected Cache (MCC) information. +The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information. At the top of the report, tiles display the following information: 
@@ -156,6 +156,8 @@ The Delivery Optimization tab is further divided into the following groups: - **Content Distribution**: Includes charts showing percentage volumes and GB volumes by source by content types. All content types are linked to a table for deeper filtering by **ContentType**, **AzureADTenantId**, and **GroupID**. - **Efficiency By Group**: This view provides filters commonly used ways of grouping devices. The provided filters include: **GroupID**, **City**, **Country**, and **ISP**. +:::image type="content" source="images/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="images/wufb-do-overview.png"::: + ## Customize the workbook Since the Windows Update for Business reports workbook is an [Azure Workbook template](/azure/azure-monitor/visualize/workbooks-templates), it can be customized to suit your needs. If you open a template, make some adjustments, and save it, the template is saved as a workbook. This workbook appears in green. The original template is left untouched. For more information about workbooks, see [Get started with Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started). diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml index f058fa2a8d..f22b052e29 100644 --- a/windows/deployment/usmt/usmt-faq.yml +++ b/windows/deployment/usmt/usmt-faq.yml @@ -3,11 +3,11 @@ metadata: title: 'Frequently Asked Questions (Windows 10)' description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.' ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b - ms.reviewer: + ms.prod: windows-client + ms.technology: itpro-deploy author: frankroj ms.author: frankroj manager: aaroncz - ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library audience: itpro 
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 276ced6af0..d6cf61ec51 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -276,7 +276,7 @@ This section contains several procedures to support Zero Touch installation with ### Configure the network access account -1. In the Administration workspace, expand **Site Configuration** and select **Sites**. +1. in the **Administration** workspace, expand **Site Configuration** and select **Sites**. 2. On the **Home** ribbon at the top of the console window, select **Configure Site Components** and then select **Software Distribution**. 3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. 4. Select the yellow starburst and then select **New Account**. 
@@ -285,17 +285,17 @@ This section contains several procedures to support Zero Touch installation with ### Configure a boundary group -1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**. +1. in the **Administration** workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**. 2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**. 3. Choose **Default-First-Site-Name** and then select **OK** twice. -4. In the Administration workspace, right-click **Boundary Groups** and then select **Create Boundary Group**. +4. in the **Administration** workspace, right-click **Boundary Groups** and then select **Create Boundary Group**. 5. Next to **Name**, type **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**. 6. On the **References** tab in the **Create Boundary Group** window, select the **Use this boundary group for site assignment** checkbox. 7. Select **Add**, select the **\\\SRV1.contoso.com** checkbox, and then select **OK** twice. ### Add the state migration point role -1. In the Administration workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**. +1. in the **Administration** workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**. 2. In the Add site System Roles Wizard, select **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox. 3. Select **Next**, select the yellow starburst, type **C:\MigData** for the **Storage folder**, and select **OK**. 4. 
Select **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed. @@ -861,7 +861,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF Checkpoint-VM -Name PC1 -SnapshotName BeginState ``` -1. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**. +1. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**. 1. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox. 1. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times. 1. When a popup dialog box asks if you want to run full discovery, select **Yes**. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 01a4100390..854b107c86 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -14,9 +14,7 @@ msreviewer: hathind # Fix issues found by the Readiness assessment tool -Seeing issues with your tenant? This article details how to remediate issues found with your tenant. - -If you need more assistance with tenant enrollment, you can submit a [tenant enrollment support request](#submit-a-support-request). +Seeing issues with your tenant? This article details how to remediate issues found with your tenant. ## Check results 
@@ -72,27 +70,3 @@ Windows Autopatch requires the following licenses: | Result | Meaning | | ----- | ----- | | Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | - -## Submit a support request - -> [!IMPORTANT] -> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues. - -If you need more assistance with tenant enrollment, you can submit support tickets to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team. - -**To submit a new support request:** - -1. If the Readiness assessment tool fails, remediation steps can be found by selecting **View details** under **Management settings** and then selecting the individual check. The **Contact Support** button will be available below remediation instructions in the fly-in-pane. -2. Enter your question(s) and/or a description of the problem. -3. Review all the information you provided for accuracy. -4. When you're ready, select **Create**. - -### Manage an active support request - -The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. If you have a question about the case, the best way to get in touch is to reply directly to one of the emails. If we have questions about your request or need more details, we'll email the primary contact listed in the support request. - -**To view all your active pre-enrollment support requests:** - -1. 
Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu. -1. In the **Windows Autopatch** section, select **Tenant Enrollment**. -1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details. diff --git a/windows/deployment/windows-autopilot/index.yml b/windows/deployment/windows-autopilot/index.yml index edec9d080e..567e5d62a8 100644 --- a/windows/deployment/windows-autopilot/index.yml +++ b/windows/deployment/windows-autopilot/index.yml @@ -6,12 +6,10 @@ summary: 'Note: Windows Autopilot documentation has moved! A few more resources metadata: title: Windows Autopilot deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page + ms.prod: windows-client + ms.technology: itpro-deploy ms.collection: - - windows-10 - highpri author: frankroj ms.author: frankroj diff --git a/windows/hub/index.yml b/windows/hub/index.yml index dc624bbd9f..aa9a8e5a92 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml 
@@ -8,12 +8,9 @@ brand: windows metadata: title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars. description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. - services: windows-10 - ms.service: subservice #Required; service per approved list. service slug assigned to your service by ACOM. - ms.subservice: subservice # Optional; Remove if no subservice is used. - ms.topic: hub-page # Required + ms.topic: hub-page + ms.prod: windows-client ms.collection: - - windows-10 - highpri author: dougeby #Required; your GitHub user alias, with correct capitalization. ms.author: dougeby #Required; microsoft alias of author; optional team alias. diff --git a/windows/security/docfx.json b/windows/security/docfx.json index b923e0d70f..8484e3b795 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -65,13 +65,13 @@ }, "fileMetadata": { "author":{ - "/identity-protection/hello-for-business/*.md": "paolomatarazzo" + "identity-protection/hello-for-business/**/*.md": "paolomatarazzo" }, "ms.author":{ - "/identity-protection/hello-for-business/*.md": "paoloma" + "identity-protection/hello-for-business/**/*.md": "paoloma" }, "ms.reviewer":{ - "/identity-protection/hello-for-business/*.md": "erikdau" + "identity-protection/hello-for-business/**/*.md": "erikdau" } }, "template": [], diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 9217ed606d..33c5c76b9f 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md 
@@ -1,37 +1,23 @@ --- title: Multi-factor Unlock description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 03/20/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Multi-factor Unlock -**Requirements:** -* Windows Hello for Business deployment (Cloud, Hybrid or On-premises) -* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) -* Windows 10, version 1709 or newer, or Windows 11 -* Bluetooth, Bluetooth capable phone - optional +Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. -Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. - -Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices. +Windows Hello for Business can be configured with multi-factor device unlock, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock theim. Which organizations can take advantage of Multi-factor unlock? Those who: -* Have expressed that PINs alone do not meet their security needs. 
-* Want to prevent Information Workers from sharing credentials. -* Want their organizations to comply with regulatory two-factor authentication policy. -* Want to retain the familiar Windows sign-in user experience and not settle for a custom solution. + +- Have expressed that PINs alone do not meet their security needs +- Want to prevent Information Workers from sharing credentials +- Want their organizations to comply with regulatory two-factor authentication policy +- Want to retain the familiar Windows sign-in user experience and not settle for a custom solution You enable multi-factor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index d42b632977..721ddca258 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md 
@@ -1,25 +1,18 @@ --- title: Azure Active Directory join cloud only deployment description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 06/23/2021 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Azure Active Directory join cloud only deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-cloud.md)] + ## Introduction -When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed. +When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, then there's no additional configuration needed. You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. 
@@ -71,7 +64,11 @@ If you don't use Intune in your organization, then you can disable Windows Hello Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`** -To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) +To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account: + +```msgraph-interactive +GET https://graph.microsoft.com/v1.0/organization?$select=id +``` These registry settings are pushed from Intune for user policies: diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index edcdd4c52f..485f602211 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md 
@@ -1,22 +1,11 @@ --- title: Having enough Domain Controllers for Windows Hello for Business deployments description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 or later - - ✅ Hybrid or On-Premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index 8f6de2d563..b7b06e3193 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -1,19 +1,10 @@ --- title: Windows Hello and password changes (Windows) description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium ms.date: 07/27/2017 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello and password changes 
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index df42f82380..c9bc5a12f3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -1,21 +1,10 @@ --- title: Windows Hello biometrics in the enterprise (Windows) description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. -ms.prod: windows-client -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 01/12/2021 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Holographic for Business -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello biometrics in the enterprise diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 20352aa60a..3486c444df 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
@@ -1,25 +1,15 @@ --- title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business) description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 01/14/2021 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- -# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust +# Prepare and Deploy Active Directory Federation Services (AD FS) -Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. +Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS). The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. 
@@ -120,6 +110,8 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. ## Review & validate +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + Before you continue with the deployment, validate your deployment progress by reviewing the following items: - Confirm the AD FS farm uses the correct database configuration. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 760d69ed2e..bde42599c7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md 
@@ -1,28 +1,21 @@ --- title: Configure Windows Hello for Business Policy settings - certificate trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings. -ms.prod: windows-client ms.collection: - M365-identity-device-management - highpri -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Configure Windows Hello for Business Policy settings - Certificate Trust -You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + +To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows on a computer running Windows 10 or later. On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: * Enable Windows Hello for Business 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index c324b543eb..af56ffb943 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
@@ -1,25 +1,17 @@ --- title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business) description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Validate Active Directory prerequisites for cert-trust deployment -The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + +The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. > [!NOTE] > If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow. 
@@ -30,7 +22,9 @@ Manually updating Active Directory uses the command-line utility **adprep.exe** To locate the schema master role holder, open and command prompt and type: -```Netdom query fsmo | findstr -i “schema”``` +```cmd +netdom.exe query fsmo | findstr.exe -i "schema" +``` ![Netdom example output.](images/hello-cmd-netdom.png) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 38589541ad..28d010fbd8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md 
@@ -1,24 +1,16 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with certificate trust description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Validate and Deploy Multi-Factor Authentication feature +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 15298bba55..4b692280e1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md 
@@ -1,29 +1,21 @@ --- title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # Validate and Configure Public Key Infrastructure - Certificate Trust Model +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. ## Deploy an enterprise certificate authority -This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. +This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running Active Directory Certificate Services. ### Lab-based public key infrastructure 
@@ -34,13 +26,13 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o >[!NOTE] >Never install a certificate authority on a domain controller in a production environment. -1. Open an elevated Windows PowerShell prompt. -2. Use the following command to install the Active Directory Certificate Services role. +1. Open an elevated Windows PowerShell prompt +2. Use the following command to install the Active Directory Certificate Services role ```PowerShell Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools ``` -3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. +3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration ```PowerShell Install-AdcsCertificationAuthority ``` diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index 0c3dce349f..115a1041e1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md 
@@ -1,24 +1,16 @@ --- title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment description: A guide to on premises, certificate trust Windows Hello for Business deployment. -ms.prod: windows-client -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 -author: paolomatarazzo -ms.author: paoloma -ms.reviewer: prsriva -manager: aaroncz appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployments - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.topic: article --- # On Premises Certificate Trust Deployment +[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment. Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment: diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index e760eecda3..64b6af4819 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md 
@@ -1,25 +1,13 @@ --- title: Windows Hello for Business Deployment Overview description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 02/15/2022 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Deployment Overview -**Applies to** - -- Windows 10, version 1703 or later -- Windows 11 - Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index b64a57e89f..8c8fd3b65d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
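Review bot: replacing the removed "Windows 10, version 1703 or later" bullet with `- ✅ Windows 10 and later` in `appliesto` loses the version floor that the removed line stated; "Windows 10 and later" reads as any Windows 10 build. If the 1703 requirement still holds for this deployment overview, keep it as `- ✅ Windows 10, version 1703 and later` (or restate it in the first paragraph) rather than relying on the generic badge.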
@@ -1,17 +1,10 @@ --- title: Windows Hello for Business Deployment Known Issues description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues -params: siblings_only -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 05/03/2021 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Known Deployment Issues @@ -19,12 +12,6 @@ The content of this article is to help troubleshoot and workaround known deploym ## PIN Reset on Azure AD Join Devices Fails with "We can't open that page right now" error -Applies to: - -- Azure AD joined deployments -- Windows 10, version 1803 and later -- Windows 11 - PIN reset on Azure AD-joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now". ### Identifying Azure AD joined PIN Reset Allowed Domains Issue diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 770fc668c9..6dfcd9f952 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md 
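Review bot: the second hunk removes the per-section "Applies to: Azure AD joined deployments / Windows 10, version 1803 and later" block under the PIN reset issue, and the page-level `appliesto: - ✅ Windows 10 and later` does not carry either fact. The deployment type is essential here (the issue is specific to the web sign-in flow on Azure AD-joined devices) and 1803 is the version gate for the workaround; suggest keeping one sentence in the section body, e.g. "This issue applies to Azure AD joined devices running Windows 10, version 1803 or later." Separately, the first hunk deletes `params: siblings_only`, which is not part of the metadata-cleanup pattern applied to the other files; confirm that removal is intentional.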
@@ -1,30 +1,21 @@ --- title: Windows Hello for Business Deployment Guide - On Premises Key Deployment description: A guide to on premises, key trust Windows Hello for Business deployment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # On Premises Key Trust Deployment +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) 2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) +3. [Prepare and Deploy Active Directory Federation Services](hello-key-trust-adfs.md) 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) 5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 282264de1e..61a80e17c5 100644 
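Review bot: the `appliesto` in this hunk lists only `- ✅ Windows 10 and later`, while the sibling on-premises certificate trust guide (hello-deployment-cert-trust.md, earlier in this same patch) gets `- ✅ Windows 10 and later` plus `- ✅ Windows Server 2016 and later`. Both on-premises guides have the same domain controller and AD FS requirements, so the two pages should carry the same badges; either add the Windows Server line here or drop it there. The link-text change to "Prepare and Deploy Active Directory Federation Services" is fine and matches the version-neutral wording used elsewhere in the patch.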
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -1,19 +1,13 @@ --- title: Deploy certificates for remote desktop sign-in description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: erikdau -ms.collection: - - M365-identity-device-management +ms.collection: - ContentEngagementFY23 -ms.topic: how-to +ms.topic: article localizationpriority: medium ms.date: 11/15/2022 -appliesto: - - ✅ Windows 10 and later +appliesto: +- ✅ Windows 10 and later ms.technology: itpro-security --- @@ -139,7 +133,7 @@ This section describes how to configure a SCEP policy in Intune. Similar steps c | --- | --- | |*Certificate Type*| User | |*Subject name format* | `CN={{UserPrincipalName}}` | - |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `CN={{UserPrincipalName}}` + |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `{{UserPrincipalName}}` |*Certificate validity period* | Configure a value of your choosing| |*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** |*Key usage*| **Digital Signature**| @@ -198,4 +192,4 @@ After obtaining a certificate, users can RDP to any Windows devices in the same [MEM-5]: /mem/intune/protect/certificates-trusted-root [MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview -[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest \ No newline at end of file +[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest 
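Review bot: the SAN fix in the second hunk is correct and worth keeping: the UPN subject alternative name takes the bare `{{UserPrincipalName}}`, and the `CN=` prefix belongs only to the subject name row. Two things in the first hunk look unintended, though: this file keeps `localizationpriority: medium` and `ms.technology: itpro-security`, which every other file in this patch removes, and `ms.topic` is changed from `how-to` to `article` even though the page is a step-by-step procedure (the other files were already `article`; this one was not). Suggest dropping the two stray metadata keys for consistency and leaving `ms.topic: how-to` as it was.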
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 28bab60966..e1b28aec6f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -1,20 +1,10 @@ --- title: Windows Hello errors during PIN creation (Windows) description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management ms.topic: troubleshooting -ms.localizationpriority: medium ms.date: 05/05/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later --- # Windows Hello errors during PIN creation diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index 32ec0a5204..484985c43d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md 
@@ -1,19 +1,10 @@ --- title: Event ID 300 - Windows Hello successfully created (Windows) description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium ms.date: 07/27/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Event ID 300 - Windows Hello successfully created diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 919393f45a..f4456c7110 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -18,9 +18,8 @@ metadata: ms.topic: faq localizationpriority: medium ms.date: 11/11/2022 - appliesto: - - ✅ Windows 10 - - ✅ Windows 11 + appliesto: + - ✅ Windows 10 and later title: Windows Hello for Business Frequently Asked Questions (FAQ) summary: | 
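Review bot: in the hello-faq.yml hunk the `-  appliesto:` / `+  appliesto:` pair shows no visible difference, so this is a whitespace-only change on the key (trailing space or indentation). Because that key sits under `metadata:` in a YAML file, confirm the indentation of both `appliesto:` and the new `- ✅ Windows 10 and later` item still nests under `metadata` after the change; a shifted column here silently detaches the list from the metadata block rather than failing the build.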
@@ -211,7 +210,7 @@ sections: - question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model? answer: | - No. If your organization is federated or using online services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory. + No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory. - question: Does Windows Hello for Business prevent the use of simple PINs? answer: | diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md index 8ac9d29d9f..a96e6d66b5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md @@ -1,16 +1,10 @@ --- title: Conditional Access description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/09/2019 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Conditional access 
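Review bot: the rewritten FAQ answer drops "federated" from the condition. The original sentence made two points, that a federated organization and an organization using online services both need the hybrid model; the new wording "If your organization is using Microsoft cloud services" only covers the second, so a reader with an AD FS federation to Azure AD no longer gets the answer. Removing "Azure AD Connect" from the example list is fine (it is a sync tool, not a service), but keep the federation clause, e.g. "If your organization is federated with Azure AD or uses Microsoft cloud services, you must use a hybrid deployment model."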
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 24c66f9452..adfbe58657 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -1,16 +1,10 @@ --- title: Dual Enrollment description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/09/2019 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Dual Enrollment @@ -19,7 +13,6 @@ ms.technology: itpro-security * Hybrid and On-premises Windows Hello for Business deployments * Enterprise joined or Hybrid Azure joined devices -* Windows 10, version 1709 or later * Certificate trust > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index bb878fcd09..6bae92fc12 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md 
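Review bot: the second hunk of hello-feature-dual-enrollment.md deletes the "Windows 10, version 1709 or later" bullet from the Requirements list, and the new page-level `appliesto: - ✅ Windows 10 and later` does not preserve that 1709 floor. Dual enrollment is a feature-level requirement, not a page-level one, so keep the version in the list (for example "Windows 10, version 1709 or later, and Windows 11") instead of relying on the generic badge.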
@@ -1,19 +1,10 @@ --- title: Dynamic lock description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 07/12/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Dynamic lock diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index b50e72d0ef..313ef05f54 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -1,21 +1,13 @@ --- title: Pin Reset description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri -ms.topic: article -localizationpriority: medium ms.date: 07/29/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # PIN reset 
@@ -31,11 +23,6 @@ There are two forms of PIN reset: There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. -**Requirements** - -- Reset from settings - Windows 10, version 1703 or later, Windows 11 -- Reset above Lock - Windows 10, version 1709 or later, Windows 11 - Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider. @@ -185,7 +172,11 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi - Value: **True** >[!NOTE] -> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. +> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:: + +```msgraph-interactive +GET https://graph.microsoft.com/v1.0/organization?$select=id +``` --- 
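Review bot: the added `>[!NOTE]` text in the second hunk ends with a doubled colon ("sign-in with your organization's account::"); fix to a single colon. It would also help to say what the query returns, since `$select=id` on `/v1.0/organization` yields the tenant ID in the `id` property and readers may not know which field to copy. In the first hunk, removing the Requirements block ("Reset from settings - Windows 10, version 1703 or later" and "Reset above Lock - Windows 10, version 1709 or later") loses two feature-specific version floors that the page-level `appliesto: - ✅ Windows 10 and later` cannot express; keep them in the body text.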
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 31cdaa7534..2281821bdc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,24 +1,15 @@ --- title: Remote Desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 02/24/2021 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Remote Desktop **Requirements** - -- Windows 10 -- Windows 11 - Hybrid and On-premises Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index d3817c3e30..27dde9400e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md 
@@ -1,19 +1,10 @@ --- title: How Windows Hello for Business works - Authentication description: Learn about the authentication flow for Windows Hello for Business. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 02/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business and Authentication diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index ab75ccda70..6d250848d5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -1,19 +1,10 @@ --- title: How Windows Hello for Business works - Provisioning description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 2/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Provisioning diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 719c27216d..ad5eec8634 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md 
@@ -1,19 +1,10 @@ --- title: How Windows Hello for Business works - technology and terms description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 10/08/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Technology and terms 
@@ -158,7 +149,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t ## Federated environment -Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD. +Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD. ### Related to federated environment 
@@ -194,7 +185,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr ## Hybrid deployment -The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust. +The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust. ### Related to hybrid deployment 
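Review bot: the change from "two trust types" to "three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust" is a substantive content update, but `ms.date: 10/08/2018` in this file's first hunk is left as is; bump it so the page does not claim a 2018 last-updated date for text that now describes cloud Kerberos trust. Minor: the rest of the page uses a serial comma, so "key trust, and certificate trust".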
@@ -269,7 +260,7 @@ The Windows Hello for Business on-premises deployment is for organizations that ## Pass-through authentication -Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. +Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Azure AD. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. 
With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. ### Related to pass-through authentication 
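Review bot: the rewritten `+` line in this hunk still carries the sentence fragment "Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password." (no subject). Since the sentence is being edited anyway, give it one: "PTA allows your users to sign in to both on-premises and Microsoft cloud resources...". The Office 365 to Azure AD substitutions and the paragraph split that moves the seamless single sign-on sentence onto its own line are fine.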
@@ -283,7 +274,7 @@ Pass-through authentication provides a simple password validation for Azure AD a ## Password hash sync -Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. +Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. 
With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. ### Related to password hash sync diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 03559c9e2e..9f3670151c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -1,18 +1,10 @@ --- title: How Windows Hello for Business works description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 05/05/2018 -appliesto: - - ✅ Windows 10 and later -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # How Windows Hello for Business works in Windows Devices diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index ce22c81e4f..a53b5977d6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -1,25 +1,15 @@ --- title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 01/14/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Azure Active Directory-join - - ✅ Hybrid Deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business + +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)] + ## Prerequisites Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 441651ecdb..1b222da4f8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -1,26 +1,16 @@ --- -title: Using Certificates for AADJ On-premises Single-sign On single sign-on +title: Use Certificates to enable SSO for Azure AD join devices description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Azure AD-join - - ✅ Hybrid Deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Using Certificates for AADJ On-premises Single-sign On +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-aad.md)] + If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index 8d2c2d3eb7..1acc6aa213 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md 
@@ -1,22 +1,15 @@ --- title: Azure AD Join Single Sign-on Deployment description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Azure AD Join Single Sign-on Deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)] + Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate. ## Key vs. Certificate diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index d68fe373c4..234f257566 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md 
@@ -1,24 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business) description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 912929f030..997dbea6e9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
@@ -1,24 +1,15 @@ --- title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)] + Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. > [!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index f3bd6859f8..56e0d50918 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -1,24 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Prerequisites description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Prerequisites +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index fbf527bf4b..caf8cfe867 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md 
@@ -1,39 +1,30 @@ --- title: Hybrid Certificate Trust Deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/08/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Certificate Trust Deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). -This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. +This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment. 
## New Deployment Baseline -The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. +The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. ## Federated Baseline -The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. +The federated baseline helps organizations that have completed their federation with Azure Active Directory and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment. Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. 
Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 191ad50880..fa4284edd5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
@@ -1,24 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business) description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 82c2369b6c..748cc46a44 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md 
@@ -1,24 +1,15 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD) description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. ### Creating Security Groups diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 55a8c1fe51..83988357c9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
@@ -1,24 +1,15 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS) description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + ## Federation Services The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 9340b2698b..5002843385 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md 
@@ -1,25 +1,16 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + ## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 0c6e6e4808..98725d74b3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -1,25 +1,16 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI) description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 9665843315..ad8ff6984f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -1,24 +1,14 @@ --- title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)] ## Policy Configuration diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 68da777df7..360f679614 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
@@ -1,24 +1,15 @@ --- title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business) description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Certificate trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)] + Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index d9cd8d2065..d8063e6127 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md 
@@ -1,29 +1,14 @@ --- title: Hybrid cloud Kerberos trust deployment (Windows Hello for Business) description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 11/1/2022 -appliesto: - - ✅ Windows 10, version 21H2 and later -ms.technology: itpro-security +appliesto: +- ✅ Windows 10, version 21H2 and later +ms.topic: article --- # Hybrid cloud Kerberos trust deployment -This document describes Windows Hello for Business functionalities or scenarios that apply to:\ -✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\ -✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md)\ -✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join) - -
- ---- +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cloudkerb-trust.md)] Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 98e359fe83..32f0d91fc6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -1,24 +1,15 @@ --- title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies - [Active Directory](#active-directory) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 60421b9698..e6d1d3275c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -1,24 +1,15 @@ --- title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 05/04/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 883e949f0a..18df532ca9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md 
@@ -1,24 +1,15 @@ --- title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index a91f625b7b..17e3fe7e61 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
@@ -1,24 +1,16 @@ --- title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business) description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites -Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + +Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: 
@@ -33,7 +25,7 @@ The distributed systems on which these technologies were built involved several Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. -A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription. +A hybrid Windows Hello for Business deployment requires Azure Active Directory. The hybrid key trust deployment does not need a premium Azure Active Directory subscription. You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. 
@@ -113,7 +105,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. +Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS. ### Section Review diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index addf5f5a20..9ab687ded9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md 
@@ -1,33 +1,24 @@ --- title: Hybrid Key Trust Deployment (Windows Hello for Business) description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/20/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Key Trust Deployment +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). -This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. +This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment. 
## New Deployment Baseline ## -The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. +The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index 85b0134eed..b5c704fb93 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md 
@@ -1,23 +1,15 @@ --- title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business) description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning + +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index eefcf80dae..cb30af909d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md 
@@ -1,24 +1,14 @@ --- title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD) description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory -appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Hybrid deployment -- ✅ Key trust +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)] Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 4a6cacda34..f19aab257d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md 
@@ -1,27 +1,18 @@ --- title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + ## Directory Synchronization -In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. +In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure AD. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. ### Group Memberships for the Azure AD Connect Service Account >[!IMPORTANT] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 7d80a9ac21..a824e822fe 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md 
@@ -1,24 +1,15 @@ --- title: Configure Hybrid Azure AD joined key trust Windows Hello for Business description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI) -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 04/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 6d891a5b53..333f505d95 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md 
@@ -1,24 +1,15 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy description: Configuring Hybrid key trust Windows Hello for Business - Group Policy -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)] + ## Policy Configuration You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 48fe302c63..5e24b6de2c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md 
@@ -1,26 +1,17 @@ --- title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 4/30/2021 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Hybrid deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Hybrid Azure AD joined Windows Hello for Business key trust settings +[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)] + You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business. - + > [!IMPORTANT] > Ensure your environment meets all the [prerequisites](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 1b10ff4e76..37b6335a50 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md 
@@ -1,18 +1,13 @@ --- title: Windows Hello for Business Deployment Prerequisite Overview description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri -ms.topic: article -localizationpriority: medium ms.date: 2/15/2022 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Deployment Prerequisite Overview @@ -21,7 +16,6 @@ This article lists the infrastructure requirements for the different deployment ## Azure AD Cloud Only Deployment -* Windows 10, version 1511 or later, or Windows 11 * Microsoft Azure Account * Azure Active Directory * Azure AD Multifactor Authentication diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index b9d46ebca9..4a8dc18965 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md 
@@ -1,24 +1,15 @@ --- title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business) description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 090e46cd72..c618365d4e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md 
@@ -1,28 +1,18 @@ --- title: Configure Windows Hello for Business Policy settings - key trust description: Configure Windows Hello for Business Policy settings for Windows Hello for Business -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Configure Windows Hello for Business Policy settings - Key Trust -You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] -Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information. +To run the Group Policy Management Console from a Windows client, you need to install the Remote Server Administration Tools for Windows. 
You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). + +Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows client installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information. On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index a7cf2a4367..57080612a2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md 
@@ -1,25 +1,16 @@ --- title: Key registration for on-premises deployment of Windows Hello for Business description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Validate Active Directory prerequisites - Key Trust -Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + +Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. > [!NOTE] >There was an issue with key trust authentication on Windows Server 2019. 
If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 42ee5bdd01..046acb3df3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -1,24 +1,15 @@ --- title: Validate and Deploy MFA for Windows Hello for Business with key trust description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Validate and Deploy Multifactor Authentication (MFA) +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + > [!IMPORTANT] > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 5a4c114b16..c3a9226714 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -1,24 +1,15 @@ --- title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business) description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ On-premises deployment - - ✅ Key trust -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Validate and Configure Public Key Infrastructure - Key Trust +[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] + Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. ## Deploy an enterprise certificate authority diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index ef4ec913e4..2d83fca7b3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md 
@@ -1,31 +1,21 @@ --- title: Manage Windows Hello in your organization (Windows) description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri -ms.topic: article -ms.localizationpriority: medium ms.date: 2/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Manage Windows Hello for Business in your organization -You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. +You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices. >[!IMPORTANT] ->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. -> ->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. +>Windows Hello as a convenience PIN is disabled by default on all domain joined and Azure AD joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**. > >Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business. @@ -144,9 +134,10 @@ All PIN complexity policies are grouped separately from feature enablement and a >- LowercaseLetters - 1 >- SpecialCharacters - 1 + 
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index eb85e9ca3b..87ec948d71 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -1,25 +1,16 @@ --- title: Windows Hello for Business Overview (Windows) description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva ms.collection: - M365-identity-device-management - highpri ms.topic: conceptual -localizationpriority: medium appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Holographic for Business -ms.technology: itpro-security +- ✅ Windows 10 and later --- # Windows Hello for Business Overview -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. +Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN. >[!NOTE] > When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 36ba184666..c3c5912b26 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -1,20 +1,10 @@ --- title: Planning a Windows Hello for Business Deployment description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: - - M365-identity-device-management -ms.topic: article -localizationpriority: conceptual ms.date: 09/16/2020 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Planning a Windows Hello for Business Deployment 
@@ -189,9 +179,9 @@ Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2 Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. -One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). +One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers and needing to enroll certificates for all their users (certificate trust). -Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. +Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. 
If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 78291dadbd..69e4a380e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -1,19 +1,10 @@ --- title: Prepare people to use Windows Hello (Windows) description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 08/19/2018 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Prepare people to use Windows Hello diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md index 3a99c148bd..bf6f5a4ea0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-videos.md +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md 
@@ -1,19 +1,10 @@ --- title: Windows Hello for Business Videos description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 07/26/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Windows Hello for Business Videos ## Overview of Windows Hello for Business and Features diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index 68cc9b2ecd..f2ba4fd368 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md 
@@ -1,26 +1,18 @@ --- title: Why a PIN is better than an online password (Windows) -description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva +description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password. ms.collection: - M365-identity-device-management - highpri -ms.topic: article -ms.localizationpriority: medium ms.date: 10/23/2017 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # Why a PIN is better than an online password -Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? -On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. +Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password? +On the surface, a PIN looks much like a password. 
A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password. diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md index a446e2b52f..6d5ad8dea5 100644 --- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md +++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md @@ -1,16 +1,10 @@ --- title: Microsoft-compatible security key description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 11/14/2018 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # What is a Microsoft-compatible security key? diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 5c2b1147af..a18a0b3aeb 100644 
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -1,24 +1,15 @@ --- title: Password-less strategy description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management ms.topic: conceptual -localizationpriority: medium ms.date: 05/24/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later --- # Password-less strategy -This article describes Windows' password-less strategy. Learn how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. +This article describes Windows' password-less strategy and how Windows Hello for Business implements this strategy. ## Four steps to password freedom 
@@ -309,7 +300,7 @@ The following image shows the SCRIL setting for a user in Active Directory Users :::image type="content" source="images/passwordless/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options."::: -When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level don't expire. The users are effectively password-less because: +When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Users will no longer need to change their password when it expires, because passwords for SCRIL users don't expire. The users are effectively password-less because: - They don't know their password. - Their password is 128 random bits of data and is likely to include non-typable characters. diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md index bf8a6a57bf..366a317f73 100644 --- a/windows/security/identity-protection/hello-for-business/reset-security-key.md +++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md 
@@ -1,16 +1,10 @@ --- title: Reset-security-key description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 11/14/2018 -ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +ms.topic: article --- # How to reset a Microsoft-compatible security key? > [!Warning] diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 4653d23331..5aa1fcad6a 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -1,17 +1,11 @@ --- title: How Windows Hello for Business works (Windows) description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business. -ms.prod: windows-client -ms.localizationpriority: high -author: paolomatarazzo -ms.author: paoloma ms.date: 10/16/2017 -manager: aaroncz -ms.topic: article appliesto: - ✅ Windows 10 - ✅ Windows 11 -ms.technology: itpro-security +ms.topic: article --- # How Windows Hello for Business works in Windows devices diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 2c22050ab0..502a196109 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml 
@@ -1,13 +1,11 @@ - name: Windows Hello for Business documentation href: index.yml -- name: Overview - items: - - name: Windows Hello for Business Overview - href: hello-overview.md - name: Concepts expanded: true items: - - name: Passwordless Strategy + - name: Windows Hello for Business overview + href: hello-overview.md + - name: Passwordless strategy href: passwordless-strategy.md - name: Why a PIN is better than a password href: hello-why-pin-is-better-than-password.md 
@@ -15,129 +13,160 @@ href: hello-biometrics-in-enterprise.md - name: How Windows Hello for Business works href: hello-how-it-works.md - - name: Technical Deep Dive - items: - - name: Provisioning - href: hello-how-it-works-provisioning.md - - name: Authentication - href: hello-how-it-works-authentication.md - - name: WebAuthn APIs - href: webauthn-apis.md -- name: How-to Guides +- name: Deployment guides items: - - name: Windows Hello for Business Deployment Overview + - name: Windows Hello for Business deployment overview href: hello-deployment-guide.md - - name: Planning a Windows Hello for Business Deployment + - name: Planning a Windows Hello for Business deployment href: hello-planning-guide.md - - name: Deployment Prerequisite Overview + - name: Deployment prerequisite overview href: hello-identity-verification.md - - name: Prepare people to use Windows Hello - href: hello-prepare-people-to-use.md - - name: Deployment Guides + - name: Cloud-only deployment + href: hello-aad-join-cloud-only-deploy.md + - name: Hybrid deployments items: - - name: Hybrid Cloud Kerberos Trust Deployment + - name: Cloud Kerberos trust deployment href: hello-hybrid-cloud-kerberos-trust.md - - name: Hybrid Azure AD Joined Key Trust + - name: Key trust deployment items: - - name: Hybrid Azure AD Joined Key Trust Deployment + - name: Overview href: hello-hybrid-key-trust.md - name: Prerequisites href: hello-hybrid-key-trust-prereqs.md - - name: New Installation Baseline + - name: New installation baseline href: hello-hybrid-key-new-install.md - - name: Configure Directory Synchronization + - name: Configure directory synchronization href: hello-hybrid-key-trust-dirsync.md - - name: Configure Azure Device Registration + - name: Configure Azure AD device registration href: hello-hybrid-key-trust-devreg.md - name: Configure Windows Hello for Business settings - href: hello-hybrid-key-whfb-settings.md - - name: Sign-in and Provisioning + items: + - name: Overview + href: 
hello-hybrid-key-whfb-settings.md + - name: Configure Active Directory + href: hello-hybrid-key-whfb-settings-ad.md + - name: Configure Azure AD Connect Sync + href: hello-hybrid-key-whfb-settings-dir-sync.md + - name: Configure PKI + href: hello-hybrid-key-whfb-settings-pki.md + - name: Configure Group Policy settings + href: hello-hybrid-key-whfb-settings-policy.md + - name: Sign-in and provision Windows Hello for Business href: hello-hybrid-key-whfb-provision.md - - name: Hybrid Azure AD Joined Certificate Trust + - name: On-premises SSO for Azure AD joined devices + href: hello-hybrid-aadj-sso.md + - name: Configure Azure AD joined devices for on-premises SSO + href: hello-hybrid-aadj-sso-base.md + - name: Certificate trust deployment items: - - name: Hybrid Azure AD Joined Certificate Trust Deployment + - name: Overview href: hello-hybrid-cert-trust.md - name: Prerequisites href: hello-hybrid-cert-trust-prereqs.md - - name: New Installation Baseline + - name: New installation baseline href: hello-hybrid-cert-new-install.md - - name: Configure Azure Device Registration + - name: Configure Azure AD device registration href: hello-hybrid-cert-trust-devreg.md - name: Configure Windows Hello for Business settings - href: hello-hybrid-cert-whfb-settings.md - - name: Sign-in and Provisioning + items: + - name: Overview + href: hello-hybrid-cert-whfb-settings.md + - name: Configure Active Directory + href: hello-hybrid-cert-whfb-settings-ad.md + - name: Configure Azure AD Connect Sync + href: hello-hybrid-cert-whfb-settings-dir-sync.md + - name: Configure PKI + href: hello-hybrid-cert-whfb-settings-pki.md + - name: Configure AD FS + href: hello-hybrid-cert-whfb-settings-adfs.md + - name: Configure Group Policy settings + href: hello-hybrid-cert-whfb-settings-policy.md + - name: Sign-in and provision Windows Hello for Business href: hello-hybrid-cert-whfb-provision.md - - name: On-premises SSO for Azure AD Joined Devices - items: - - name: On-premises SSO for Azure AD 
Joined Devices Deployment + - name: On-premises SSO for Azure AD joined devices href: hello-hybrid-aadj-sso.md - - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business + - name: Configure Azure AD joined devices for on-premises SSO href: hello-hybrid-aadj-sso-base.md - - name: Using Certificates for AADJ On-premises Single-sign On + - name: Using certificates for on-premises SSO href: hello-hybrid-aadj-sso-cert.md - - name: On-premises Key Trust + - name: Planning for Domain Controller load + href: hello-adequate-domain-controllers.md + - name: On-premises deployments + items: + - name: Key trust deployment items: - - name: On-premises Key Trust Deployment + - name: Overview href: hello-deployment-key-trust.md - - name: Validate Active Directory Prerequisites + - name: Validate Active Directory prerequisites href: hello-key-trust-validate-ad-prereq.md - - name: Validate and Configure Public Key Infrastructure + - name: Validate and configure Public Key Infrastructure (PKI) href: hello-key-trust-validate-pki.md - - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + - name: Prepare and deploy Active Directory Federation Services (AD FS) href: hello-key-trust-adfs.md - - name: Validate and Deploy Multi-factor Authentication (MFA) Services + - name: Validate and deploy multi-factor authentication (MFA) services href: hello-key-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-key-trust-policy-settings.md - - name: On-premises Certificate Trust + - name: Certificate trust deployment items: - - name: On-premises Certificate Trust Deployment + - name: Overview href: hello-deployment-cert-trust.md - - name: Validate Active Directory Prerequisites + - name: Validate Active Directory prerequisites href: hello-cert-trust-validate-ad-prereq.md - - name: Validate and Configure Public Key Infrastructure + - name: Validate and configure Public 
Key Infrastructure (PKI) href: hello-cert-trust-validate-pki.md - - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + - name: Prepare and Deploy Active Directory Federation Services (AD FS) href: hello-cert-trust-adfs.md - - name: Validate and Deploy Multi-factor Authentication (MFA) Services + - name: Validate and deploy multi-factor authentication (MFA) services href: hello-cert-trust-validate-deploy-mfa.md - name: Configure Windows Hello for Business policy settings href: hello-cert-trust-policy-settings.md - - name: Azure AD join cloud only deployment - href: hello-aad-join-cloud-only-deploy.md - - name: Managing Windows Hello for Business in your organization - href: hello-manage-in-organization.md - - name: Deploying Certificates to Key Trust Users to Enable RDP - href: hello-deployment-rdp-certs.md - - name: Windows Hello for Business Features - items: - - name: Conditional Access - href: hello-feature-conditional-access.md - - name: PIN Reset - href: hello-feature-pin-reset.md - - name: Dual Enrollment - href: hello-feature-dual-enrollment.md - - name: Dynamic Lock - href: hello-feature-dynamic-lock.md - - name: Multi-factor Unlock - href: feature-multifactor-unlock.md - - name: Remote Desktop - href: hello-feature-remote-desktop.md - - name: Troubleshooting - items: - - name: Known Deployment Issues - href: hello-deployment-issues.md - - name: Errors During PIN Creation - href: hello-errors-during-pin-creation.md - - name: Event ID 300 - Windows Hello successfully created - href: hello-event-300.md - - name: Windows Hello and password changes - href: hello-and-password-changes.md + - name: Planning for Domain Controller load + href: hello-adequate-domain-controllers.md + - name: Deploy certificates for remote desktop (RDP) sign-in + href: hello-deployment-rdp-certs.md +- name: How-to Guides + items: + - name: Prepare people to use Windows Hello + href: hello-prepare-people-to-use.md + - name: Manage Windows Hello for 
Business in your organization + href: hello-manage-in-organization.md +- name: Windows Hello for Business features + items: + - name: Conditional access + href: hello-feature-conditional-access.md + - name: PIN Reset + href: hello-feature-pin-reset.md + - name: Dual Enrollment + href: hello-feature-dual-enrollment.md + - name: Dynamic Lock + href: hello-feature-dynamic-lock.md + - name: Multi-factor Unlock + href: feature-multifactor-unlock.md + - name: Remote desktop (RDP) sign-in + href: hello-feature-remote-desktop.md +- name: Troubleshooting + items: + - name: Known deployment issues + href: hello-deployment-issues.md + - name: Errors during PIN creation + href: hello-errors-during-pin-creation.md + - name: Event ID 300 - Windows Hello successfully created + href: hello-event-300.md + - name: Windows Hello and password changes + href: hello-and-password-changes.md - name: Reference items: - - name: Technology and Terminology + - name: How Windows Hello for Business provisioning works + href: hello-how-it-works-provisioning.md + - name: How Windows Hello for Business authentication works + href: hello-how-it-works-authentication.md + - name: WebAuthn APIs + href: webauthn-apis.md + - name: Technology and terminology href: hello-how-it-works-technology.md - name: Frequently Asked Questions (FAQ) href: hello-faq.yml - name: Windows Hello for Business videos href: hello-videos.md + diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md index afac158d28..534fddf6ee 100644 --- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md +++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md 
@@ -1,19 +1,10 @@ --- title: WebAuthn APIs description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.reviewer: prsriva -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium ms.date: 09/15/2022 appliesto: - - ✅ Windows 10 - - ✅ Windows 11 -ms.technology: itpro-security +- ✅ Windows 10 and later +ms.topic: article --- # WebAuthn APIs for passwordless authentication on Windows diff --git a/windows/security/includes/hello-cloud.md b/windows/security/includes/hello-cloud.md new file mode 100644 index 0000000000..c40ed1027c --- /dev/null +++ b/windows/security/includes/hello-cloud.md @@ -0,0 +1,7 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [cloud](../identity-protection/hello-for-business/hello-how-it-works-technology.md#cloud-deployment)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join) + +
+ +--- diff --git a/windows/security/includes/hello-hybrid-cert-trust-aad.md b/windows/security/includes/hello-hybrid-cert-trust-aad.md new file mode 100644 index 0000000000..e80912d8b9 --- /dev/null +++ b/windows/security/includes/hello-hybrid-cert-trust-aad.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join) + +
+ +--- diff --git a/windows/security/includes/hello-hybrid-cert-trust-ad.md b/windows/security/includes/hello-hybrid-cert-trust-ad.md new file mode 100644 index 0000000000..4ef97bd233 --- /dev/null +++ b/windows/security/includes/hello-hybrid-cert-trust-ad.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
+ +--- diff --git a/windows/security/includes/hello-hybrid-cert-trust.md b/windows/security/includes/hello-hybrid-cert-trust.md new file mode 100644 index 0000000000..77a897f264 --- /dev/null +++ b/windows/security/includes/hello-hybrid-cert-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
+ +--- diff --git a/windows/security/includes/hello-hybrid-cloudkerb-trust.md b/windows/security/includes/hello-hybrid-cloudkerb-trust.md new file mode 100644 index 0000000000..4f68be791b --- /dev/null +++ b/windows/security/includes/hello-hybrid-cloudkerb-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [cloud Kerberos trust](../identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
+ +--- diff --git a/windows/security/includes/hello-hybrid-key-trust-ad.md b/windows/security/includes/hello-hybrid-key-trust-ad.md new file mode 100644 index 0000000000..68521a5a14 --- /dev/null +++ b/windows/security/includes/hello-hybrid-key-trust-ad.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\ +✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
+ +--- diff --git a/windows/security/includes/hello-hybrid-key-trust.md b/windows/security/includes/hello-hybrid-key-trust.md new file mode 100644 index 0000000000..fdb7466014 --- /dev/null +++ b/windows/security/includes/hello-hybrid-key-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join) + +
+ +--- diff --git a/windows/security/includes/hello-hybrid-keycert-trust-aad.md b/windows/security/includes/hello-hybrid-keycert-trust-aad.md new file mode 100644 index 0000000000..a8d82200d3 --- /dev/null +++ b/windows/security/includes/hello-hybrid-keycert-trust-aad.md @@ -0,0 +1,7 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\ +✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust), [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join) +
+ +--- diff --git a/windows/security/includes/hello-on-premises-cert-trust.md b/windows/security/includes/hello-on-premises-cert-trust.md new file mode 100644 index 0000000000..2cc01ac3ac --- /dev/null +++ b/windows/security/includes/hello-on-premises-cert-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\ +✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\ +✅ **Device registration type:** Active Directory domain join + +
+ +--- diff --git a/windows/security/includes/hello-on-premises-key-trust.md b/windows/security/includes/hello-on-premises-key-trust.md new file mode 100644 index 0000000000..cd6241fa72 --- /dev/null +++ b/windows/security/includes/hello-on-premises-key-trust.md @@ -0,0 +1,8 @@ +This document describes Windows Hello for Business functionalities or scenarios that apply to:\ +✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\ +✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\ +✅ **Device registration type:** Active Directory domain join + +
+ +--- diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml index 715efe3b61..6b2f45605c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml @@ -3,8 +3,8 @@ metadata: title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10) description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml index 114aaf78b1..37e6318217 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml @@ -4,7 +4,8 @@ metadata: description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?" ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml index 6e5641e175..353a01de5b 100644 
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml @@ -4,7 +4,8 @@ metadata: description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml index 4ab3545f1c..ed40610b48 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml @@ -3,8 +3,8 @@ metadata: title: BitLocker Key Management FAQ (Windows 10) description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml index a9ce4e3c24..697e19e565 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml 
@@ -2,7 +2,8 @@ metadata: title: BitLocker Network Unlock FAQ (Windows 10) description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments. - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml index 523a647b0c..cb38246cbc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml @@ -3,8 +3,8 @@ metadata: title: BitLocker overview and requirements FAQ (Windows 10) description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml index 6a6cdc9974..e9cb42a381 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml 
@@ -3,8 +3,8 @@ metadata: title: BitLocker Security FAQ (Windows 10) description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?" ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml index a1532c98f9..1045a942fe 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml @@ -3,9 +3,9 @@ metadata: title: BitLocker To Go FAQ (Windows 10) description: "Learn more about BitLocker To Go" ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: + ms.prod: windows-client + ms.technology: itpro-security ms.author: frankroj - ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml index f0557ad08a..ea7c705f38 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml @@ -2,7 +2,8 @@ metadata: title: BitLocker Upgrading FAQ (Windows 10) description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?" - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml index 8d97492f5a..e688d0fd10 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml @@ -3,8 +3,8 @@ metadata: title: Using BitLocker with other programs FAQ (Windows 10) description: Learn how to integrate BitLocker with other software on a device. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee - ms.reviewer: - ms.prod: m365-security + ms.prod: windows-client + ms.technology: itpro-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 3de0d6acc5..2416040af7 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -14,7 +14,7 @@ ms.author: vinpa ms.technology: itpro-security --- -# 4688(S): A new process has been created. +# 4688(S): A new process has been created. (Windows 10) Event 4688 illustration diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 314595bed9..b322223819 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -52,7 +52,7 @@ HVCI is labeled **Memory integrity** in the Windows Security app and it can be a ### Enable HVCI using Intune -Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](/windows/client-management/mdm/applocker-csp). +Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure the settings in Windows by using the [settings catalog](/mem/intune/configuration/settings-catalog). ### Enable HVCI using Group Policy @@ -204,9 +204,6 @@ Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related pro Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard ``` -> [!NOTE] -> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10 and Windows 11. - > [!NOTE] > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 7118a806da..e9a396f602 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml 
@@ -2,17 +2,17 @@ metadata: title: FAQ - Microsoft Defender Application Guard (Windows 10) description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. - ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium - author: denisebmsft - ms.author: deniseb + ms.prod: windows-client + ms.technology: itpro-security + author: vinaypamnani-msft + ms.author: vinpa ms.reviewer: manager: aaroncz ms.custom: asr - ms.technology: windows-sec ms.topic: faq title: Frequently asked questions - Microsoft Defender Application Guard summary: | diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 4c6c5ddd2d..39110f95c1 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -33,9 +33,9 @@ The **Microsoft network server: Amount of idle time required before suspending s ### Possible values -- A user-defined number of minutes from 0 through 99,999 +- A user-defined number of minutes from 0 through 99,999. - For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days. In effect, this value disables the policy. + For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999 (8 business hours per day), which is 208 days. In effect, this value disables the policy. - Not defined 
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 3781352906..fb87a0fd40 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements: -1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks aren't case-sensitive. +1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive. The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password. 
diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md index 89e08b0200..f1dfaa8500 100644 --- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md @@ -43,6 +43,8 @@ To complete this procedure, you must be a member of the Domain Administrators gr 4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**. + ![Screenshot that shows Copy Paste GPO.](/images/grouppolicy-paste.png) + 5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler. 6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*. diff --git a/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png b/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png new file mode 100644 index 0000000000..ba2de148f1 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png differ diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 7f5b3c7832..58fb302ed7 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md 
@@ -229,12 +229,14 @@ With the Visual Studio Code installer script already mapped into the sandbox, th ### VSCodeInstall.cmd +Download vscode to `downloads` folder and run from `downloads` folder + ```batch REM Download Visual Studio Code -curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe +curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Downloads\vscode.exe REM Install and run Visual Studio Code -C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes +C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes ``` ### VSCode.wsb @@ -244,15 +246,17 @@ C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes C:\SandboxScripts + C:\Users\WDAGUtilityAccount\Downloads\sandbox true C:\CodingProjects + C:\Users\WDAGUtilityAccount\Documents\Projects false - C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd + C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd ``` diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index cbb7d6dbb6..e72a69b1d0 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -84,7 +84,7 @@ The following configuration requirements apply to VMs running Windows 11. - Generation: 2 \* - Storage: 64 GB or greater - Security: - - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM and secure boot enabled + - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled - Hyper-V: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager) - General settings: Secure boot capable, virtual TPM enabled - Memory: 4 GB or greater
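Review bot: the empty `ms.reviewer:` key is dropped in the bitlocker-and-adds-faq.yml hunk (and likewise in the key-management, overview-and-requirements, security and using-with-other-programs hunks) but is left in place in bitlocker-deployment-and-administration-faq.yml and bitlocker-frequently-asked-questions.yml; since the whole set is being migrated to `ms.prod: windows-client` / `ms.technology: itpro-security` in one change, pick one treatment for the empty key so the metadata blocks stay uniform across the FAQ pages.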
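Review bot: the new H1 `# 4688(S): A new process has been created. (Windows 10)` in event-4688.md puts a version qualifier after a full stop, which reads as two fragments, and elsewhere in this patch the "(Windows 10)" qualifier lives in the metadata `title:` field rather than in the article heading (see the BitLocker FAQ hunks). Event 4688 is also logged on Windows 11 and Windows Server, so the qualifier in the visible heading is misleading; keep the H1 as it was, or move the qualifier into the metadata title if it is needed for search.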
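Review bot: in the first enable-virtualization-based-protection-of-code-integrity.md hunk the link target is changed from the AppLocker CSP to the VirtualizationBasedTechnology CSP, but the sentence still says `the Code Integrity node in the [VirtualizationBasedTechnology CSP]`, wording carried over from the AppLocker CSP, which did have a CodeIntegrity node. The VirtualizationBasedTechnology policy CSP exposes this as the HypervisorEnforcedCodeIntegrity setting, so the sentence should name that setting (and the new `settings catalog` sentence could say which catalog entry to search for) rather than a node that does not exist in the linked CSP.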
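Review bot: the second enable-virtualization-based-protection-of-code-integrity.md hunk deletes the NOTE that the `Win32_DeviceGuard` WMI class is only available on Enterprise editions, with nothing in its place. If that restriction no longer holds, the edition coverage should be stated explicitly (readers on other editions who run `Get-CimInstance –ClassName Win32_DeviceGuard` and get an error will otherwise have no pointer to why); if it still holds, the note should stay. Either way the reason belongs in the commit message.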
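Review bot: the added parenthetical in `The maximum value is 99999 (8 business hours per day), which is 208 days.` only makes the arithmetic work if a day is counted as 8 hours; this policy measures elapsed idle time in minutes, so 99999 minutes is about 69.4 days of wall-clock time (99999 / 1440). Either give the wall-clock figure, or spell out the business-hours assumption in a full sentence rather than attaching it to the number, where it reads as a description of the value itself.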
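Review bot: in copy-a-gpo-to-create-a-new-gpo.md the new image reference `![Screenshot that shows Copy Paste GPO.](/images/grouppolicy-paste.png)` is root-relative, while the PNG this patch adds sits beside the article at `windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png`; use the article-relative path `images/grouppolicy-paste.png` so the link resolves in the built doc set. The alt text would also be more useful as a description of what the screenshot shows (for example, the Paste command on the Group Policy Objects context menu) than as a caption label.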
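Review bot: the lead-in added to windows-sandbox-configure-using-wsb-file.md, `Download vscode to `downloads` folder and run from `downloads` folder`, is a fragment with no articles or full stop and abbreviates a product name the rest of the section spells out; suggest `Download Visual Studio Code to the `Downloads` folder and run the installer from there.` The path changes in the script and in the `.wsb` LogonCommand (`Downloads\sandbox\VSCodeInstall.cmd`) are consistent with each other.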
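Review bot: the windows-11-requirements.md hunk drops `and secure boot enabled` from the Azure Trusted launch bullet, but the unchanged Hyper-V bullet still reads `Secure boot and TPM enabled` and the general settings line still says `Secure boot capable, virtual TPM enabled`, so the VM requirements now disagree on whether Secure Boot is needed. If Secure Boot really is no longer a requirement on Azure, say so explicitly and state why; otherwise keep the original wording.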