diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index f4483bee95..bf656f4f16 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -762,17 +762,17 @@ }, { "source_path": "windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md", -"redirect_url": "hhttps://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings", +"redirect_url": "hhttps://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings", "redirect_document_id": true }, { "source_path": "windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md", -"redirect_url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview", "redirect_document_id": true }, { "source_path": "windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md", -"redirect_url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device", "redirect_document_id": true }, { @@ -1001,6 +1001,11 @@ "redirect_document_id": false }, { +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table", +"redirect_document_id": true + }, +{ "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table", "redirect_document_id": true @@ -13093,18 +13098,18 @@ }, { "source_path": "windows/keep-secure/windows-defender-smartscreen-available-settings.md", -"redirect_url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings", -"redirect_document_id": true +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings", +"redirect_document_id": false }, { "source_path": "windows/keep-secure/windows-defender-smartscreen-overview.md", -"redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview", -"redirect_document_id": true +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview", +"redirect_document_id": false }, { "source_path": "windows/keep-secure/windows-defender-smartscreen-set-individual-device.md", -"redirect_url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device", -"redirect_document_id": true +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device", +"redirect_document_id": false }, { "source_path": "windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md", @@ -15853,7 +15858,23 @@ }, { "source_path": "windows/deployment/deploy-windows-sccm/integrate-configuration-manager-with-mdt.md", -"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager#integrate-configuration-manager-with-mdt", "redirect_document_id": false +"redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager#integrate-configuration-manager-with-mdt", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device", +"redirect_document_id": false } ] } diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md index 91065aa687..35f4b5ac73 100644 --- a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md +++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md @@ -1,12 +1,13 @@ --- author: dansimp ms.author: dansimp -ms.date: 10/02/2018 +ms.date: 04/23/2020 ms.reviewer: -audience: itpro manager: dansimp +audience: itpro +manager: dansimp ms.prod: edge ms.topic: include --- -[Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy): -This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. +[Microsoft browser extension policy](https://docs.microsoft.com/legal/microsoft-edge/microsoft-browser-extension-policy): +This article describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content these browsers display. Techniques that aren't explicitly listed in this article are considered to be **unsupported**. diff --git a/devices/hololens/hololens-commercial-infrastructure.md b/devices/hololens/hololens-commercial-infrastructure.md index 98ec5c6e06..ddeb2b11b2 100644 --- a/devices/hololens/hololens-commercial-infrastructure.md +++ b/devices/hololens/hololens-commercial-infrastructure.md @@ -56,7 +56,7 @@ Make sure that [this list](hololens-offline.md) of endpoints are allowed on your ### Remote Assist Specific Network Requirements 1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network). -**(Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).** +**(Please note, if you don't network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).** 1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams). ### Guides Specific Network Requirements @@ -73,18 +73,18 @@ Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for a 1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment) -1. Ensure that your company’s users are in Azure Active Directory (Azure AD). +1. Ensure that your company's users are in Azure Active Directory (Azure AD). Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory). 1. We suggest that users who need similar licenses are added to the same group. 1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) 1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal) -1. Ensure that your company’s users (or group of users) are assigned the necessary licenses. +1. Ensure that your company's users (or group of users) are assigned the necessary licenses. Directions for assigning licenses can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/license-users-groups). 1. Only do this step if users are expected to enroll their HoloLens/Mobile device into you (There are three options) -These steps ensure that your company’s users (or a group of users) can add devices. +These steps ensure that your company's users (or a group of users) can add devices. 1. **Option 1:** Give all users permission to join devices to Azure AD. **Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** > **Set Users may join devices to Azure AD to *All*** @@ -163,7 +163,7 @@ Directions for upgrading to the commercial suite can be found [here](https://doc 1. Check your app settings 1. Log into your Microsoft Store Business account - 1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select “Everyone” or “Specific Groups”** + 1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select "Everyone" or "Specific Groups"** >[!NOTE] >If you don't see the app you want, you will have to "get" the app by searching the store for your app. **Click the "Search" bar in the upper right-hand corner > type in the name of the app > click on the app > select "Get"**. 1. If you do not see your apps in **Intune > Client Apps > Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again. @@ -171,11 +171,11 @@ Directions for upgrading to the commercial suite can be found [here](https://doc 1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile) > [!NOTE] -> You can configure different users to have different Kiosk Mode experiences by using “Azure AD” as the “User logon type”. However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps. +> You can configure different users to have different Kiosk Mode experiences by using "Azure AD" as the "User logon type". However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps. ![Image that shows Configuration of Kiosk Mode in Intune](images/aad-kioskmode.png) -For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, additional directions can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) +For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, additional directions can be found [here](hololens-kiosk.md#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk) ## Certificates and Authentication diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index c4d1cee1a2..385eed565c 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -88,7 +88,7 @@ Provisioning packages let you set HoloLens configuration through a config file r 1. Plug it into any freshly flashed HoloLens and press **Volume down + Power** to apply your provisioning package. ### System voice commands -You can now can access these commands with your voice: +You can now access these commands with your voice: - "Restart device" - "Shutdown device" - "Brightness up" diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 2043128011..482241ea7f 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -1,5 +1,5 @@ --- -title: Set up HoloLens as a kiosk for specific applications +title: Set up HoloLens as a kiosk description: Use a kiosk configuration to lock down the apps on HoloLens. ms.prod: hololens ms.sitesec: library @@ -7,8 +7,9 @@ author: dansimp ms.author: dansimp ms.topic: article ms.localizationpriority: medium -ms.date: 11/13/2018 +ms.date: 04/27/2020 ms.custom: +- CI 115262 - CI 111456 - CSSTroubleshooting ms.reviewer: @@ -18,71 +19,347 @@ appliesto: - HoloLens 2 --- -# Set up HoloLens as a kiosk for specific applications +# Set up HoloLens as a kiosk -In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#add-guest-access-to-the-kiosk-configuration-optional) +You can configure a HoloLens device to function as a fixed-purpose device, also called a *kiosk*, by configuring the device to run in kiosk mode. Kiosk mode limits the applications (or users) that are available on the device. Kiosk mode is a convenient feature that you can use to dedicate a HoloLens device to business apps, or to use the HoloLens device in an app demo. -When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access. +This article provides information about aspects of configuring kiosks that are specific to HoloLens devices. For general information about types of Windows-based kiosks and how to configure them, see [Configure kiosks and digital signs on Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-methods). -Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the [start gestures](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) (including [Bloom](https://docs.microsoft.com/hololens/hololens1-basic-usage) on HoloLens (1st Gen)) and Cortana are disabled, and placed apps aren't shown in the user's surroundings. +> [!IMPORTANT] +> Kiosk mode determines which apps are available when a user signs in to the device. However, kiosk mode is not a security limitation. It does not stop an "allowed" app from launching an app that is not allowed. In order to block apps or processes from launching, use [Windows Defender Application Control (WDAC) CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) to create appropriate policies. -The following table lists the device capabilities in the different kiosk modes. +You can use kiosk mode in one of two configurations (single-app kiosk or multi-app kiosk), and you can use select one of three processes to set up and deploy the kiosk configuration. -Kiosk mode | Voice and Bloom commands | Quick actions menu | Camera and video | Miracast ---- | --- | --- | --- | --- -Single-app kiosk | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) -Multi-app kiosk | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) with **Home** and **Volume** (default)

Photo and video buttons shown in Quick actions menu if the Camera app is enabled in the kiosk configuration.

Miracast is shown if the Camera app and device picker app are enabled in the kiosk configuration. | ![yes](images/checkmark.png) if the Camera app is enabled in the kiosk configuration. | ![yes](images/checkmark.png) if the Camera app and device picker app are enabled in the kiosk configuration. +> [!IMPORTANT] +> Deleting the multi-app configuration removes the user lockdown profiles that the assigned access feature put in place. However, it does not revert all of the policy changes. To revert these policies, you have to reset the device to the factory settings. -> [!NOTE] -> Use the Application User Model ID (AUMID) to allow apps in your kiosk configuration. The Camera app AUMID is `HoloCamera_cw5n1h2txyewy!HoloCamera`. The device picker app AUMID is `HoloDevicesFlow_cw5n1h2txyewy!HoloDevicesFlow`. +## Plan the kiosk deployment -The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration. +### Kiosk mode requirements -> [!WARNING] -> The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access. -> -> Be aware that voice commands are enabled for kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app. +You can configure any HoloLens 2 device to use kiosk mode. -For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk: -- You can use [Microsoft Intune or other mobile device management (MDM) service](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) to configure single-app and multi-app kiosks. -- You can [use a provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure single-app and multi-app kiosks. -- You can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device. +To configure a HoloLens (1st gen) device to use kiosk mode, you must first make sure that the device runs Windows 10, version 1803, or a newer version. If you have used the Windows Device Recovery Tool to recover your HoloLens (1st gen) device to its default build, or if you have installed the most recent updates, then your device is ready. -For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks. +> [!IMPORTANT] +> To help protect devices that run in kiosk mode, consider adding device management policies that turn off features such as USB connectivity. Additionally, check your update ring settings to make sure that automatic updates do not occur during business hours. -## Start layout for HoloLens +### Decide between a single-app kiosk or a multi-app kiosk -If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803), or a [provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout. +A single-app kiosk starts the specified app when the user signs in to the device. The Start menu is disabled, as is Cortana. A HoloLens 2 device does not respond to the [Start](hololens2-basic-usage.md#start-gesture) gesture. A HoloLens (1st gen) device does not respond to the [bloom](hololens1-basic-usage.md) gesture. Because only one app can run, the user cannot place other apps. -> [!NOTE] -> Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed. +A multi-app kiosk displays the start menu when the user signs in to the device. The kiosk configuration determines what apps are available on the Start menu. You can use a multi-app kiosk to provide an easy-to-understand experience for users by putting in front of them only the things they need to use, and removing from their view the things they don't need to access. -### Start layout file for MDM (Intune and others) +The following table lists the feature capabilities in the different kiosk modes. -Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile). +|   |Start menu |Quick Actions menu |Camera and video |Miracast |Cortana |Built-in voice commands | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | +|Single-app kiosk |Disabled |Disabled |Disabled |Disabled |Disabled |Enabled1 | +|Multi-app kiosk |Enabled |Enabled2 |Available2 |Available2 |Available2, 3 |Enabled1 | -> [!NOTE] -> If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-a-provisioning-package). +> 1 Voice commands that relate to disabled features do not function. +> 2 For more information about how to configure these features, see [Select kiosk apps](#plan-kiosk-apps). +> 3 Even if Cortana is disabled, the built-in voice commands are enabled. + +The following table lists the user support features of the different kiosk modes. + +|   |Supported user types | Automatic sign-in | Multiple access levels | +| --- | --- | --- | --- | +|Single-app kiosk |Managed Service Account (MSA) in Azure Active Directory (AAD) or local account |Yes |No | +|Multi-app kiosk |AAD account |No |Yes | + +For examples of how to use these capabilities, see the following table. + +|Use a single-app kiosk for: |Use a multi-app kiosk for: | +| --- | --- | +|A device that runs only a Dynamics 365 Guide for new hires. |A device that runs both Guides and Remote Assistance for a range of employees. | +|A device that runs only a custom app. |A device that functions as a kiosk for the majority of users (running only a custom app), but functions as a normal device for a specific group of users. | + +### Plan kiosk apps + +For general information about selecting kiosk apps, see [Guidelines for choosing an app for assigned access (kiosk mode)](https://docs.microsoft.com/windows/configuration/guidelines-for-assigned-access-app). + +If you use the Windows Device Portal to configure a single-app kiosk, you select the app during the setup process. + +If you use an MDM system or a provisioning package to configure kiosk mode, you use the [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to specify applications. The CSP uses [Application User Model IDs (AUMIDs)](https://docs.microsoft.com/windows/configuration/find-the-application-user-model-id-of-an-installed-app) to identify applications. The following table lists the AUMIDs of some in-box applications that you can use in a multi-app kiosk. + +> [!CAUTION] +> You cannot select the Shell app as a kiosk app. In addition, we recommend that you do **not** select the Microsoft Edge, Microsoft Store, or the File Explorer app as kiosk apps. + + + +|App Name |AUMID | +| --- | --- | +|3D Viewer |Microsoft.Microsoft3DViewer\_8wekyb3d8bbwe\!Microsoft.Microsoft3DViewer | +|Calendar |microsoft.windowscommunicationsapps\_8wekyb3d8bbwe\!microsoft.windowslive.calendar | +|Camera1, 2 |HoloCamera\_cw5n1h2txyewy\!HoloCamera | +|Cortana3 |Microsoft.549981C3F5F10\_8wekyb3d8bbwe\!App | +|Device Picker |HoloDevicesFlow\_cw5n1h2txyewy\!HoloDevicesFlow | +|Dynamics 365 Guides |Microsoft.Dynamics365.Guides\_8wekyb3d8bbwe\!MicrosoftGuides | +|Dynamics 365 Remote Assist |Microsoft.MicrosoftRemoteAssist\_8wekyb3d8bbwe\!Microsoft.RemoteAssist | +|Feedback Hub |Microsoft.WindowsFeedbackHub\_8wekyb3d8bbwe\!App | +|Mail |c5e2524a-ea46-4f67-841f-6a9465d9d515\_cw5n1h2txyewy\!App | +|Miracast4 |  | +|Movies & TV |Microsoft.ZuneVideo\_8wekyb3d8bbwe\!Microsoft.ZuneVideo | +|OneDrive |microsoft.microsoftskydrive\_8wekyb3d8bbwe\!App | +|Photos |Microsoft.Windows.Photos\_8wekyb3d8bbwe\!App | +|Settings |HolographicSystemSettings\_cw5n1h2txyewy\!App | +|Tips |Microsoft.HoloLensTips\_8wekyb3d8bbwe\!HoloLensTips | + +> 1 To enable photo or video capture, you have to enable the Camera app as a kiosk app. +> 2 When you enable the Camera app, be aware of the following: +> - The Quick Actions menu includes the Photo and Video buttons. +> - You should also enable an app that can interact with or retrieve pictures (such as Photos, Mail, or OneDrive). +> +> 3 Even if you do not enable Cortana as a kiosk app, built-in voice commands are enabled. However, commands that are related to disabled features have no effect. +> 4 To enable Miracast as a kiosk app, enable the Camera app and the Device Picker app. + +### Plan user and device groups + +In an MDM environment, you use groups to manage device configurations and user access. + +The kiosk configuration profile includes the **User logon type** setting. **User logon type** identifies the user (or group that contains the users) who can use the app (or apps) that you add. If a user signs in by using an account that is not included in the configuration profile, that user cannot use apps on the kiosk. + +> [!NOTE] +> The **User logon type** of a single-app kiosk specifies a single user account. This is the user context under which the kiosk runs. The **User logon type** of a multi-app kiosk can specify one or more user accounts or groups that can use the kiosk. + +Before you can deploy the kiosk configuration to a device, you have to *assign* the kiosk configuration profile to a group that contains the device or a user that can sign on to the device. This setting produces behavior such as the following. + +- If the device is a member of the assigned group, the kiosk configuration deploys to the device the first time that any user signs in on the device. +- If the device is not a member of the assigned group, but a user who is a member of that group signs in, the kiosk configuration deploys to the device at that time. + +For a full discussion of the effects of assigning configuration profiles in Intune, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/configuration/device-profile-assign). + +> [!NOTE] +> The following examples describe multi-app kiosks. Single-app kiosks behave in a similar manner, but only one user account gets the kiosk experience. + +**Example 1** + +You use a single group (Group 1) for both devices and users. One device and users A, B, and C are members of this group. You configure the kiosk configuration profile as follows: + +- **User logon type**: Group 1 +- **Assigned group**: Group 1 + +No matter which user signs on to the device first (and goes through the Out-of-Box Experience, or OOBE), the kiosk configuration deploys to the device. Users A, B, and C can all sign in to the device and get the kiosk experience. + +**Example 2** + +You contract devices out to two different vendors who need different kiosk experiences. Both vendors have users, and you want all of the users to have access to kiosks from both their own vendor and the other vendor. You configure groups as follows: + +- Device Group 1: + - Device 1 (Vendor 1) + - Device 2 (Vendor 1) + +- Device Group 2: + - Device 3 (Vendor 2) + - Device 4 (Vendor 2) + +- User Group: + - User A (Vendor 1) + - User B (Vendor 2) + +You create two kiosk configuration profiles that have the following settings: + +- Kiosk Profile 1: + - **User logon type**: User Group + - **Assigned group**: Device Group 1 + +- Kiosk Profile 2: + - **User logon type**: User Group + - **Assigned group**: Device Group 2 + +These configurations produce the following results: + +- When any user signs on to Device 1 or Device 2, Intune deploys Kiosk Profile 1 to that device. +- When any user signs on to Device 3 or Device 4, Intune deploys Kiosk Profile 2 to that device. +- User A and user B can sign in to any of the four devices. If they sign in to Device 1 or Device 2, they see Vendor 1's kiosk experience. If they sign in to Device 3 or Device 4, they see Vendor 2's kiosk experience. + +#### Profile conflicts + +If two or more kiosk configuration profiles target the same device, they conflict. In the case of Intune-managed devices, Intune does not apply any of the conflicting profiles. + +Other types of profiles and policies, such as device restrictions that are not related to the kiosk configuration profile, do not conflict with the kiosk configuration profile. + +### Select a deployment method + +You can select one of three methods to deploy kiosk configurations: + +- [Microsoft Intune or other mobile device management (MDM) service](#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk) + +- [Provisioning package](#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk) + +- [Windows Device Portal](#use-the-windows-device-portal-to-set-up-a-single-app-kiosk) + + > [!NOTE] + > Because this method requires that developer mode be enabled on the device, we recommend that you use it only for demonstrations. + +The following table lists the capabilities and benefits of each of the three deployment methods. + +|   |Deploy by using Windows Device Portal |Deploy by using a provisioning package |Deploy by using MDM | +| --------------------------- | ------------- | -------------------- | ---- | +|Deploy single-app kiosks | Yes | Yes | Yes | +|Deploy multi-app kiosks | No | Yes | Yes | +|Deploy to local devices only | Yes | Yes | No | +|Deploy by using developer mode |Required | Not required | Not required | +|Deploy by using Azure Active Directory (AAD) | Not required | Not required | Required | +|Deploy automatically | No | No | Yes | +|Deployment speed | Fastest | Fast | Slow | +|Deploy at scale | Not recommended | Not recommended | Recommended | + +## Use Microsoft Intune or other MDM to set up a single-app or multi-app kiosk + +To set up kiosk mode by using Microsoft Intune or another MDM system, follow these steps. + +1. [Prepare to enroll the devices](#mdmenroll). +1. [Create a kiosk configuration profile](#mdmprofile). +1. Configure the kiosk. + - [Configure the settings for a single-app kiosk](#mdmconfigsingle). + - [Configure the settings for a multi-app kiosk](#mdmconfigmulti). +1. [Assign the kiosk configuration profile to a group](#mdmassign). +1. Deploy the devices. + - [Deploy a single-app kiosk](#mdmsingledeploy). + - [Deploy a multi-app kiosk](#mdmmultideploy). + +### MDM, step 1 – Prepare to enroll the devices + +You can configure your MDM system to enroll HoloLens devices automatically when the user first signs in, or have users enroll devices manually. The devices also have to be joined to your Azure AD domain, and assigned to the appropriate groups. + +For more information about enrolling the devices, see [Enroll HoloLens in MDM](hololens-enroll-mdm.md) and [Intune enrollment methods for Windows devices](https://docs.microsoft.com/mem/intune/enrollment/windows-enrollment-methods). + +### MDM, step 2 – Create a kiosk configuration profile + +1. Open the [Azure](https://portal.azure.com/) portal and sign in to your Intune administrator account. +1. Select **Microsoft Intune** > **Device configuration - Profiles** > **Create profile**. +1. Enter a profile name. +1. Select **Platform** > **Windows 10 and later**, and then select **Profile type** >**Device restrictions**. +1. Select **Configure** > **Kiosk**, and then select one of the following: + - To create a single-app kiosk, select **Kiosk Mode** > **Single-app kiosk**. + - To create a multi-app kiosk, select **Kiosk Mode** > **Multi-app kiosk**. +1. To start configuring the kiosk, select **Add**. + +Your next steps differ depending on the type of kiosk that you want. For further information, select one of the following: + +- [Single-app kiosk](#mdmconfigsingle) +- [Multi-app kiosk](#mdmconfigmulti) + +For more information about creating a kiosk configuration profile, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/configuration/kiosk-settings). + +### MDM, step 3 (single-app) – Configure the settings for a single-app kiosk + +This section summarizes the settings that a single-app kiosk requires. For more detailed information, see the following articles: + +- For information about how to configure a kiosk configuration profile in Intune, see [How to Configure Kiosk Mode Using Microsoft Intune](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune). +- For more information about the available settings for single-app kiosks in Intune, see [Single full-screen app kiosks](https://docs.microsoft.com/intune/configuration/kiosk-settings-holographic#single-full-screen-app-kiosks) +- For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig). + +1. Select **User logon type** > **Local user account**, and enter the user name of the local (device) account or Microsoft Account (MSA) that can sign in to the kiosk. + > [!NOTE] + > **Autologon** user account types aren't supported on Windows Holographic for Business. +1. Select **Application type** > **Store app**, and then select an app from the list. + +Your next step is to [assign](#mdmassign) the profile to a group. + +### MDM, step 3 (multi-app) – Configure the settings for a multi-app kiosk + +This section summarizes the settings that a multi-app kiosk requires. For more detailed information, see the following articles: + +- For information about how to configure a kiosk configuration profile in Intune, see [How to Configure Kiosk Mode Using Microsoft Intune](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune). +- For more information about the available settings for multi-app kiosks in Intune, see [Multi-app kiosks](https://docs.microsoft.com/mem/intune/configuration/kiosk-settings-holographic#multi-app-kiosks) +- For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig). If you use an XML file, make sure to include the [Start layout](#start-layout-for-hololens). +- You can optionally use a custom Start layout with Intune or other MDM services. For more information, see [Start layout file for MDM (Intune and others)](#start-layout-file-for-mdm-intune-and-others). + +1. Select **Target Windows 10 in S mode devices** > **No**. + >[!NOTE] + > S mode isn't supported on Windows Holographic for Business. +1. Select **User logon type** > **Azure AD user or group** or **User logon type** > **HoloLens visitor**, and then add one or more user groups or accounts. + + Only users that belong to the groups or accounts that you specify in **User logon type** can use the kiosk experience. + +1. Select one or more apps by using the following options: + - To add an uploaded line-of-business app, select **Add store app** and then select the app you want. + - To add an app by specifying its AUMID, select **Add by AUMID** and then enter the AUMID of the app. [See the list of available AUMIDs](#aumids) + +Your next step is to [assign](#mdmassign) the profile to a group. + +### MDM, step 4 – Assign the kiosk configuration profile to a group + +Use the **Assignments** page of the kiosk configuration profile to set where you want the kiosk configuration to deploy. In the simplest case, you assign the kiosk configuration profile to a group that will contain the HoloLens device when the device enrolls in MDM. + +### MDM, step 5 (single-app) – Deploy a single-app kiosk + +When you use an MDM system, you can enroll the device in MDM during OOBE. After OOBE finishes, device sign-in is easy. + +During OOBE, follow these steps: + +1. Sign in by using the account that you specified in the kiosk configuration profile. +1. Enroll the device. Make sure that the device is added to the group that the kiosk configuration profile is assigned to. +1. Wait for OOBE to finish, for the store app to download and install, and for policies to be applied. Then restart the device. + +The next time you sign in to the device, the kiosk app should automatically launch. + +If you're not seeing your Kiosk mode yet, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor). + +### MDM, step 5 (multi-app) – Deploy a multi-app kiosk + +When you use an MDM system, you can join the device to your Azure AD tenant and enroll the device in MDM during OOBE. If appropriate, provide the information that's required for enrollment to the users for the OOBE process. + +> [!NOTE] +> If you have assigned the kiosk configuration profile to a group that contains users, make sure that one of those user accounts is the first account to sign in to the device. + +During OOBE, follow these steps: + +1. Sign in by using the account that belongs to the **User logon type** group. +1. Enroll the device. +1. Wait for any apps that are part of the kiosk configuration profile to download and install, and for policies to be applied. +1. After OOBE finishes, you can install additional apps from the Microsoft store or by sideloading. [Required apps](https://docs.microsoft.com/mem/intune/apps/apps-deploy#assign-an-app) for the group that the device belongs to install automatically. +1. When finished, restart the device. + +The next time you sign in to the device by using an account that belongs to the **User logon type**, the kiosk app should automatically launch. + +If you're not seeing your Kiosk mode yet, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor). + +## Use a provisioning package to set up a single-app or multi-app kiosk + +To set up kiosk mode by using a provisioning package, follow these steps. + +1. [Create an XML file that defines the kiosk configuration.](#ppkioskconfig), including a [Start layout](#start-layout-for-hololens). +2. [Add the XML file to a provisioning package.](#ppconfigadd) +3. [Apply the provisioning package to HoloLens.](#ppapply) + +### Prov. package, step 1 – Create a kiosk configuration XML file + +Follow [the instructions for creating a kiosk configuration XML file for desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package), except for the following: + +- Do not include Classic Windows applications (Win32). HoloLens does not support these applications. +- Use the [placeholder Start XML](#start-layout-for-hololens) for HoloLens. +- Optional: Add guest access to the kiosk configuration + +#### Optional: Add guest access to the kiosk configuration + +In the [**Configs** section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured with the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data associated with the account is deleted when the account signs out. + +To enable the **Guest** account, add the following snippet to your kiosk configuration XML: ```xml - - - - - - - - - + + + + + + ``` -### Start layout for a provisioning package +#### Start layout for HoloLens -You will [create an XML file](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to define the kiosk configuration to be included in a provisioning package. Use the following sample in the `StartLayout` section of your XML file. +If you use a [provisioning package](##use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Windows Holographic for Business, so you'll need to use a placeholder Start layout. + +> [!NOTE] +> Because a single-app kiosk launches the kiosk app when a user signs in, it does not use a Start menu and does not need a Start layout. + +> [!NOTE] +> If you use [MDM](#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk) to set up a multi-app kiosk, you can optionally use a Start layout. For more information, see [Start layout file for MDM (Intune and others)](#start-layout-file-for-mdm-intune-and-others). + +For the Start layout, add the following **StartLayout** section to the kiosk provisioning XML file: ```xml @@ -104,114 +381,92 @@ You will [create an XML file](#set-up-kiosk-mode-using-a-provisioning-package-wi ``` -## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803) +#### Start layout file for MDM (Intune and others) -For HoloLens devices that are managed by Microsoft Intune, directions can be found [here](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune). +Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile). -For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-a-kiosk-configuration-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file. - -## Set up kiosk mode using a provisioning package (Windows 10, version 1803) - -Process: -1. [Create an XML file that defines the kiosk configuration.](#create-a-kiosk-configuration-xml-file) -2. [Add the XML file to a provisioning package.](#add-the-kiosk-configuration-xml-file-to-a-provisioning-package) -3. [Apply the provisioning package to HoloLens.](#apply-the-provisioning-package-to-hololens) - -### Create a kiosk configuration XML file - -Follow [the instructions for creating a kiosk configuration XML file for desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package), with the following exceptions: - -- Do not include Classic Windows applications (Win32) since they aren't supported on HoloLens. -- Use the [placeholder Start XML](#start-layout-for-hololens) for HoloLens. - -#### Add guest access to the kiosk configuration (optional) - -In the [Configs section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured with the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data associated with the account is deleted when the account signs out. - -Use the following snippet in your kiosk configuration XML to enable the **Guest** account: +> [!NOTE] +> If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-hololens). ```xml - - - - - - + + + + + + + + + ``` -### Add the kiosk configuration XML file to a provisioning package +### Prov. package, step 2 – Add the kiosk configuration XML file to a provisioning package 1. Open [Windows Configuration Designer](https://www.microsoft.com/store/apps/9nblggh4tx22). -2. Choose **Advanced provisioning**. -3. Name your project, and click **Next**. -4. Choose **Windows 10 Holographic** and click **Next**. -5. Select **Finish**. The workspace for your package opens. -6. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**. -7. In the center pane, click **Browse** to locate and select the kiosk configuration XML file that you created. +1. Select **Advanced provisioning**, enter a name for your project, and then select **Next**. +1. Select **Windows 10 Holographic**, and then select **Next**. +1. Select **Finish**. The workspace for your package opens. +1. Select **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**. +1. In the center pane, select **Browse** to locate and select the kiosk configuration XML file that you created. - ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) + ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](./images/multiappassignedaccesssettings.png) -8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. -9. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. -10. On the **File** menu, select **Save.** -11. On the **Export** menu, select **Provisioning package**. -12. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** +1. **Optional**. (If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Select **Runtime settings** > **Accounts** > **Users**, and then create a user account. Provide a user name and password, and then select **UserGroup** > **Administrators**. + + By using this account, you can view the provisioning status and logs. +1. **Optional**. (If you already have a non-admin account on the kiosk device, skip this step.) Select **Runtime settings** > **Accounts** > **Users**, and then create a local user account. Make sure the user name is the same as the account that you specify in the configuration XML. Select **UserGroup** > **Standard Users**. +1. Select **File** > **Save**. +1. Select **Export** > **Provisioning package**, and then select **Owner** > **IT Admin**. This sets the precedence of this provisioning package higher than provisioning packages that are applied to this device from other sources. +1. Select **Next**. +1. On the **Provisioning package security** page, select a security option. + > [!IMPORTANT] + > If you select **Enable package signing**, you also have to select a valid certificate to use for signing the package. To do this, select **Browse** and select the certificate that you want to use to sign the package. + + > [!CAUTION] + > Do not select **Enable package encryption**. On HoloLens devices, this setting causes provisioning to fail. +1. Select **Next**. +1. Specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. If you want to change the output location, select **Browse**. When finished, select **Next**. +1. Select **Build** to start building the package. The provisioning package doesn't take long to build. The build page displays the project information, and the progress bar indicates the build status. -13. On the **Provisioning package security** page, do not select **Enable package encryption** or provisioning will fail on HoloLens. You can choose to enable package signing. +### Prov. package, step 3 – Apply the provisioning package to HoloLens - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. +The "Configure HoloLens by using a provisioning package" article provides detailed instructions for applying the provisioning package under the following circumstances: -14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location. +- You can initially [apply a provisioning package to HoloLens during setup](hololens-provisioning.md#apply-a-provisioning-package-to-hololens-during-setup). -15. Click **Next**. +- You can also [apply a provisioning package to HoloLens after setup](hololens-provisioning.md#4-apply-a-provisioning-package-to-hololens-after-setup). -16. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. +## Use the Windows Device Portal to set up a single-app kiosk +To set up kiosk mode by using the Windows Device Portal, follow these steps. + +> [!IMPORTANT] +> Kiosk mode is only available if the device has [Windows Holographic for Business](hololens1-upgrade-enterprise.md) installed. + +1. [Set up the HoloLens device to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. + + > [!CAUTION] + > When you set up HoloLens to use the Device Portal, you have to enable **Developer Mode** on the device. **Developer Mode** on a device that has Windows Holographic for Business enables you to side-load apps. However, this setting creates a risk that a user can install apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** by using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider). [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) -### Apply the provisioning package to HoloLens +1. On a computer, connect to the HoloLens by using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#connecting_over_usb). -1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). - -3. HoloLens will show up as a device in File Explorer on the PC. - -4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage. - -5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page. - -6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package. - -7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE. - - -## Set up kiosk mode using the Windows Device Portal (Windows 10, version 1607 and version 1803) - -1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. - - > [!IMPORTANT] - > When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode) - -2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_usb). - -3. [Create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up. +1. Do one of the following: + - If you are connecting to the Windows Device Portal for the first time, [create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#creating_a_username_and_password) + - Enter the user name and password that you previously set up. > [!TIP] - > If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate). + > If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#security_certificate). -4. In the Windows Device Portal, click **Kiosk Mode**. +1. In the Windows Device Portal, select **Kiosk Mode**. + +1. Select **Enable Kiosk Mode**, select an app to run when the device starts, and then select **Save**. ![Kiosk Mode](images/kiosk.png) - - > [!NOTE] - > The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has a [license to upgrade to Windows Holographic for Business](hololens1-upgrade-enterprise.md). - -5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**. - -## Kiosk app recommendations - -- You cannot select Microsoft Edge, Microsoft Store, or the Shell app as a kiosk app. -- We recommend that you do **not** select the Settings app and the File Explorer app as a kiosk app. -- You can select Cortana as a kiosk app. -- To enable photo or video capture, the HoloCamera app must be enabled as a kiosk app. +1. Restart HoloLens. If you still have your Device Portal page open, you can select select **Restart** at the top of the page. ## More information diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index 5eea91fcbe..6484efeabd 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -33,7 +33,7 @@ Some of the HoloLens configurations that you can apply in a provisioning package - Set up a Wi-Fi connection - Apply certificates to the device - Enable Developer Mode -- Configure Kiosk mode (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803). +- Configure Kiosk mode (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk). ## Provisioning package HoloLens wizard @@ -49,7 +49,7 @@ The HoloLens wizard helps you configure the following settings in a provisioning - Enroll the device in Azure Active Directory, or create a local account - Add certificates - Enable Developer Mode -- Configure kiosk mode (for detailed instructions,see [Set up kiosk mode using a provisioning package](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) +- Configure kiosk mode. (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md##use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk)). > [!WARNING] > You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md index 60d46d7e1c..ffe2dd9653 100644 --- a/devices/hololens/hololens-recovery.md +++ b/devices/hololens/hololens-recovery.md @@ -7,7 +7,7 @@ ms.prod: hololens ms.sitesec: library author: mattzmsft ms.author: mazeller -ms.date: 08/30/2019 +ms.date: 04/27/2020 ms.custom: - CI 111456 - CSSTroubleshooting @@ -82,7 +82,7 @@ If you're still having problems, press the power button for 4 seconds, until all If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that's installed on it and returns everything else to factory settings. -If you reset your device, all your personal data, apps, and settings will be erased. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth). +If you reset your device, all your personal data, apps, and settings will be erased, including TPM reset. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth). 1. Launch the Settings app, and then select **Update** > **Reset**. 1. Select the **Reset device** option and read the confirmation message. @@ -100,7 +100,7 @@ All of the data HoloLens needs to reset is packaged in a Full Flash Update (ffu) ### HoloLens 2 -The Advanced Recovery Companion is a new app in Microsoft Store restore the operating system image to your HoloLens 2 device. +The Advanced Recovery Companion is a new app in Microsoft Store restore the operating system image to your HoloLens 2 device. Advanced Recovery Companion erases all your personal data, apps, and settings, and resets TPM. 1. On your computer, get [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from Microsoft Store. 2. Connect HoloLens 2 to your computer. @@ -109,6 +109,8 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper 5. On the **Device info** page, select **Install software** to install the default package. (If you have a Full Flash Update (FFU) image that you want to install instead, select **Manual package selection**.) 6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device. +#### Manual flashing mode + > [!TIP] > In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion: @@ -117,6 +119,31 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper 1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device. 1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2. +#### Downloading ARC without using the app store + +If an IT environment prevents the use of the Windows Store app or limits access to the retail store, IT administrators can make this app available through other ‘offline’ deployment paths. + +This deployment path can be enabled with the following steps: +1. Go to the [Store For Business website](https://businessstore.microsoft.com) and sign-in with an Azure AD identity. +1. Go to **Manage – Settings**, and turn on **Show offline apps** under **Shopping experience** as described at https://businessstore.microsoft.com/manage/settings/shop +1. Go to **shop for my group** and search for the [Advanced Recovery Companion](https://businessstore.microsoft.com/store/details/advanced-recovery-companion/9P74Z35SFRS8) app. +1. Change the **License Type** box to offline and click **Manage**. +1. Under Download the package for offline use click the second blue **“Download”** button . Ensure the file extension is .appxbundle. +1. At this stage, if the Desktop PC has Internet access, simply double click and install. +1. The IT administrator can also distribute this app through System Center Configuration Manager (SCCM) or Intune. +1. If the target PC has no Internet connectivity, some additional steps are needed: + 1. Select the unencoded license and click **“Generate license”** and under **“Required Frameworks”** click **“Download.”** + 1. PCs without internet access will need to use DISM to apply the package with the dependency and license. In an administrator command prompt, type: + + ```console + C:\WINDOWS\system32>dism /online /Add-ProvisionedAppxPackage /PackagePath:"C:\ARCoffline\Microsoft.AdvancedRecoveryCompanion_1.19050.1301.0_neutral_~_8wekyb3d8bbwe.appxbundle" /DependencyPackagePath:"C:\ARCoffline\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x86__8wekyb3d8bbwe.appx" /LicensePath:"C:\ARCoffline\Microsoft.AdvancedRecoveryCompanion_8wekyb3d8bbwe_f72ce112-dd2e-d771-8827-9cbcbf89f8b5.xml" /Region:all + ``` + +Other resources: +- https://docs.microsoft.com/microsoft-store/distribute-offline-apps +- https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-app-package--appx-or-appxbundle--servicing-command-line-options + + ### HoloLens (1st gen) If necessary, you can install a completely new operating system on your HoloLens (1st gen) with the Windows Device Recovery Tool. diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index 6cfcb281b0..c8be6947ae 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -66,7 +66,7 @@ There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk m **How to Configure Kiosk Mode:** -There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc. +There are two main ways ([provisioning packages](hololens-kiosk.md#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk) and [MDM](hololens-kiosk.md#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc. ### Apps and App Specific Scenarios diff --git a/devices/surface-hub/miracast-over-infrastructure.md b/devices/surface-hub/miracast-over-infrastructure.md index 2bb6381924..5ef43af85c 100644 --- a/devices/surface-hub/miracast-over-infrastructure.md +++ b/devices/surface-hub/miracast-over-infrastructure.md @@ -6,13 +6,13 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 06/20/2019 +ms.date: 04/24/2020 ms.reviewer: manager: laurawi ms.localizationpriority: medium --- -# Miracast on existing wireless network or LAN +# Miracast over infrastructure In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). @@ -28,7 +28,12 @@ Miracast over Infrastructure offers a number of benefits: ## How it works -Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. +Users attempt to connect to a Miracast receiver through their Wi-Fi adapter as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. + +> [!NOTE] +> For more information on the connection negotiation sequence, see [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx) + + ## Enabling Miracast over Infrastructure @@ -36,13 +41,19 @@ Users attempt to connect to a Miracast receiver as they did previously. When the If you have a Surface Hub or other Windows 10 device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: - The Surface Hub or device (Windows PC or phone) needs to be running Windows 10, version 1703. +- Open TCP port: **7250**. - A Surface Hub or Windows PC can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - As a Miracast receiver, the Surface Hub or device must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Surface Hub or device is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - As a Miracast source, the Windows PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. - The DNS Hostname (device name) of the Surface Hub or device needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname. - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. +- On Windows 10 PCs, the **Projecting to this PC** feature must be enabled in System Settings, and the device must have a Wi-Fi interface enabled in order to respond to discovery requests that only occur through the Wi-Fi adapter. It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. The **InBoxApps/WirelessProjection/PinRequired** setting in the [SurfaceHub configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp) is not required for Miracast over Infrastructure. This is because Miracast over Infrastructure only works when both devices are connected to the same enterprise network. This removes the security restriction that was previously missing from Miracast. We recommend that you continue using this setting (if you used it previously) as Miracast will fall back to regular Miracast if the infrastructure connection does not work. + +## FAQ +**Why do I still need Wi-Fi to use Miracast over infrastructure?**
+Discovery requests to identify Miracast receivers can only occur through the Wi-Fi adapter. Once the receivers have been identified, Windows 10 can then attempt the connection to the network. diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md index a12b2f2dc4..47f14939db 100644 --- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md +++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md @@ -13,6 +13,7 @@ ms.localizationpriority: medium ms.audience: itpro ms.reviewer: manager: laurawi +ms.date: 04/24/2020 --- # Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit @@ -27,779 +28,8 @@ manager: laurawi - Surface 3 - Windows 10 -This article walks you through the recommended process to deploy Windows 10 to Surface devices with Microsoft deployment technologies. The process described in this article yields a complete Windows 10 environment including updated firmware and drivers for your Surface device along with applications like Microsoft Office 365 and the Surface app. - > [!NOTE] -> MDT is not currently supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md) - -When the process is complete, the Surface device will be ready for use by the end user. You can customize this process to include your own applications and configuration to meet the needs of your organization. You can also follow the guidance provided in this article to integrate deployment to Surface devices into existing deployment strategies. - -By following the procedures in this article, you can create an up-to-date reference image and deploy this image to your Surface devices, a process known as *reimaging*. Reimaging will erase and overwrite the existing environment on your Surface devices. This process allows you to rapidly configure your Surface devices with identical environments that can be configured to precisely fit your organization’s requirements. - -An alternative to the reimaging process is an upgrade process. The upgrade process is non-destructive and instead of erasing the existing environment on your Surface device, it allows you to install Windows 10 while retaining your user data, applications, and settings. You can read about how to manage and automate the upgrade process of Surface devices to Windows 10 at [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md). - -The goal of the deployment process presented in this article is automation. By leveraging the many technologies and tools available from Microsoft, you can create a process that requires only a single touch on the devices being deployed. The automation can load the deployment environment; format the device; prepare an updated Windows image with the drivers required for the device; apply that image to the device; configure the Windows environment with licensing, membership in a domain, and user accounts; install applications; apply any Windows updates that were not included in the reference image; and log out. - -By automating each aspect of the deployment process, you not only greatly decrease the effort involved, but you create a process that can be easily repeated and where human error becomes less of a factor. Take for example a scenario where you create a reference image for the device manually, but you accidentally install conflicting applications and cause the image to become unstable. In this scenario you have no choice but to begin again the manual process of creating your image. If in this same scenario you had automated the reference image creation process, you could repair the conflict by simply editing a step in the task sequence and then re-running the task sequence. - -## Deployment tools - -The deployment process described in this article leverages a number of Microsoft deployment tools and technologies. Some of these tools and technologies are included in Windows client and Windows Server, such as Hyper-V and Windows Deployment Services (WDS), while others are available as free downloads from the [Microsoft Download Center](https://www.microsoft.com/download/windows.aspx). - -#### Microsoft Deployment Toolkit - -The Microsoft Deployment Toolkit (MDT) is the primary component of a Windows deployment. It serves as a unified interface for most of the Microsoft deployment tools and technologies, such as the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), User State Migration Tool (USMT), and many other tools and technologies. Each of these is discussed throughout this article. The unified interface, called the *Deployment Workbench*, facilitates automation of the deployment process through a series of stored deployment procedures, known as a *task sequence*. Along with these task sequences and the many scripts and tools that MDT provides, the resources for a Windows deployment (driver files, application installation files, and image files) are stored in a network share known as the *deployment share*. - -You can download and find out more about MDT at [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). - -#### Windows Assessment and Deployment Kit - -Although MDT is the tool you will interact with most during the deployment process, the deployment tools found in the Windows ADK perform most of the deployment tasks during the deployment process. The resources for deployment are held within the MDT deployment share, but it is the collection of tools included in Windows ADK that access the image files, stage drivers and Windows updates, run the deployment experience, provide instructions to Windows Setup, and back up and restore user data. - -You can download and find out more about the Windows ADK at [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#windowsadk). - -#### Windows 10 installation media - -Before you can perform a deployment with MDT, you must first supply a set of operating system installation files and an operating system image. These files and image can be found on the physical installation media (DVD) for Windows 10. You can also find these files in the disk image (ISO file) for Windows 10, which you can download from the [Volume Licensing Service Center (VLSC)](https://www.microsoft.com/Licensing/servicecenter/default.aspx). - - ->[!NOTE] ->The installation media generated from the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT. - - -#### Windows Server - -Although MDT can be installed on a Windows client, to take full advantage of Windows Deployment Services’ ability to network boot, a full Windows Server environment is recommended. To provide network boot for UEFI devices like Surface with WDS, you will need Windows Server 2008 R2 or later. - - ->[!NOTE] ->To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter). - - -#### Windows Deployment Services - -Windows Deployment Services (WDS) is leveraged to facilitate network boot capabilities provided by the Preboot Execution Environment (PXE) server. The boot media generated by MDT is loaded onto the Surface device simply by pressing Enter at the prompt when the device attempts to boot from the attached network adapter or Surface Dock. - -#### Hyper-V virtualization platform - -The process of creating a reference image should always be performed in a virtual environment. When you use a virtual machine as the platform to build your reference image, you eliminate the need for installation of additional drivers. The drivers for a Hyper-V virtual machine are included by default in the factory Windows 10 image. When you avoid the installation of additional drivers – especially complex drivers that include application components like control panel applications – you ensure that the image created by your reference image process will be as universally compatible as possible. - ->[!NOTE] ->A Generation 1 virtual machine is recommended for the preparation of a reference image in a Hyper-V virtual environment. - -Because customizations are performed by MDT at the time of deployment, the goal of reference image creation is not to perform customization but to increase performance during deployment by reducing the number of actions that need to occur on each deployed device. The biggest action that can slow down an MDT deployment is the installation of Windows updates. When MDT performs this step during the deployment process, it downloads the updates on each deployed device and installs them. By installing Windows updates in your reference image, the updates are already installed when the image is deployed to the device and the MDT update process only needs to install updates that are new since the image was created or are applicable to products other than Windows (for example, Microsoft Office updates). - - ->[!NOTE] ->Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center. - - -#### Surface firmware and drivers - -For your deployed Windows environment to function correctly on your Surface devices, you will need to install the drivers used by Windows to communicate with the components of your device. These drivers are available for download in the Microsoft Download Center for each Surface device. You can find the correct Microsoft Download Center page for your device at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). - -When you browse to the specific Microsoft Download Center page for your device, you will find a Windows Installer (.msi) file. This file is used to update drivers on devices that are already running Windows or that have device management solutions. Firmware updates maintain the instructions used by the device hardware to communicate between components and Windows. The firmware of Surface device components is updated by installation of specific driver files and thus is installed along with the other drivers during deployment. For more information, see [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates). - ->[!NOTE] ->Beginning in Windows 10, the drivers for Surface devices are included in the Windows Preinstallation Environment (WinPE). In earlier versions of Windows, specific drivers (like network drivers) had to be imported and configured in MDT for use in WinPE to successfully deploy to Surface devices. - -#### Application installation files - -In addition to the drivers that are used by Windows to communicate with the Surface device’s hardware and components, you will also need to provide the installation files for any applications that you want to install on your deployed Surface devices. To automate the deployment of an application, you will also need to determine the command-line instructions for that application to perform a silent installation. In this article, the Surface app and Microsoft Office 365 will be installed as examples of application installation. The application installation process can be used with any application with installation files that can be launched from command line. - ->[!NOTE] ->If the application files for your application are stored on your organization’s network and will be accessible from your Surface devices during the deployment process, you can deploy that application directly from that network location. To use installation files from a network location, use the **Install Application Without Source Files or Elsewhere on the Network** option in the MDT New Application Wizard, which is described in the [Import applications](#import-applications) section later in this article. - -#### Microsoft Surface Deployment Accelerator - -If you want to deploy only to Surface devices or you want an accelerated method to perform deployment to Surface devices, you can use the Microsoft Surface Deployment Accelerator to generate an MDT deployment share complete with Surface device drivers, Surface apps, and pre-configured task sequences to create a reference image and perform deployment to Surface devices. Microsoft Surface Deployment Accelerator can automatically import boot images into WDS and prepare WDS for network boot (PXE). You can download the Microsoft Surface Deployment Accelerator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center. - -### Install the deployment tools - -Before you can configure the deployment environment with Windows images, drivers, and applications, you must first install the deployment tools that will be used throughout the deployment process. The three main tools to be installed are WDS, Windows ADK, and MDT. WDS provides the capacity for network boot, Windows ADK provides several deployment tools that perform specific deployment tasks, and MDT provides automation and a central interface from which to manage and control the deployment process. - -To boot from the network with either your reference virtual machines or your Surface devices, your deployment environment must include a Windows Server environment. The Windows Server environment is required to install WDS and the WDS PXE server. Without PXE support, you will be required to create physical boot media, such as a USB stick to perform your deployment – MDT and Windows ADK will still be required, but Windows Server is not required. Both MDT and Windows ADK can be installed on a Windows client and perform a Windows deployment. - ->[!NOTE] ->To download deployment tools directly to Windows Server, you must disable [Internet Explorer Enhanced Security Configuration](https://technet.microsoft.com/library/dd883248). On Windows Server 2012 R2, this can be performed directly through the **Server Manager** option on the **Local Server** tab. In the **Properties** section, **IE Enhanced Security Configuration** can be found on the right side. You may also need to enable the **File Download** option for the **Internet** zone through the **Security** tab of **Internet Options**. - -#### Install Windows Deployment Services - -Windows Deployment Services (WDS) is a Windows Server role. To add the WDS role to a Windows Server 2012 R2 environment, use the Add Roles and Features Wizard, as shown in Figure 1. Start the Add Roles and Features Wizard from the **Manage** button of **Server Manager**. Install both the Deployment Server and Transport Server role services. - -![Install the Windows Deployment Services role](images/surface-deploymdt-fig1.png "Install the Windows Deployment Services role") - -*Figure 1. Install the Windows Deployment Services server role* - -After the WDS role is installed, you need to configure WDS. You can begin the configuration process from the WDS node of Server Manager by right-clicking your server’s name and then clicking **Windows Deployment Services Management Console**. In the **Windows Deployment Services** window, expand the **Servers** node to find your server, right-click your server, and then click **Configure** in the menu to start the Windows Deployment Services Configuration Wizard, as shown in Figure 2. - -![Configure PXE response for Windows Deployment Services](images/surface-deploymdt-fig2.png "Configure PXE response for Windows Deployment Services") - -*Figure 2. Configure PXE response for Windows Deployment Services* - ->[!NOTE] ->Before you configure WDS make sure you have a local NTFS volume that is not your system drive (C:) available for use with WDS. This volume is used to store WDS boot images, deployment images, and configuration. - -Using the Windows Deployment Services Configuration Wizard, configure WDS to fit the needs of your organization. You can find detailed instructions for the installation and configuration of WDS at [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426). On the **PXE Server Initial Settings** page, be sure to configure WDS so that it will respond to your Surface devices when they attempt to boot from the network. If you have already installed WDS or need to change your PXE server response settings, you can do so on the **PXE Response** tab of the **Properties** of your server in the Windows Deployment Services Management Console. - ->[!NOTE] ->You will add boot images to WDS when you update your boot images in MDT. You do not need to add boot images or Windows images to WDS when you configure the role. - -#### Install Windows Assessment and Deployment Kit - -To install Windows ADK, run the Adksetup.exe file that you downloaded from [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#adkwin10). Windows ADK must be installed before MDT. You should always download and use the most recent version of Windows ADK. A new version is usually released corresponding with each new version of Windows. - ->[!NOTE] ->You can also use the Adksetup.exe file to download the Windows ADK installation files locally for use on other devices. - -When you get to the **Select the features you want to install** page, you only need to select the **Deployment Tools** and **Windows Preinstallation Environment (Windows PE)** check boxes to deploy Windows 10 using MDT, as shown in Figure 3. - -![Required options for deployment with MDT](images/surface-deploymdt-fig3.png "Required options for deployment with MDT") - -*Figure 3. Only Deployment Tools and Windows PE options are required for deployment with MDT* - -#### Install Microsoft Deployment Toolkit - -After the Windows ADK installation completes successfully, you can install MDT. When you download MDT, ensure that you download the version that matches the architecture of your deployment server environment. For Windows Server the architecture is 64-bit. Download the MDT installation file that ends in **x64**. When MDT is installed you can use the default options during the installation wizard, as shown in Figure 4. - -![MDT installation with default options](images/surface-deploymdt-fig4.png "MDT installation with default options") - -*Figure 4. Install the Microsoft Deployment Toolkit with default options* - -Before you can open the MDT Deployment Workbench, you must enable execution of scripts in PowerShell. If you do not do this, the following error message may be displayed: *"Initialization Error PowerShell is required to use the Deployment Workbench. Please install PowerShell then relaunch Deployment Workbench."* - -To enable the execution of scripts, run the following cmdlet in PowerShell as an Administrator: - - `Set-ExecutionPolicy RemoteSigned -Scope CurrentUser` - -## Create a reference image - -Now that you have installed the required tools, you can begin the first step of customizing your deployment environment to your needs – create a reference image. Because the reference image should be created in a virtual machine where there is no need for drivers to be installed, and because the reference image will not include applications, you can use the MDT deployment environment almost entirely with default settings. - -### Create a deployment share - -Now that you have the tools installed, the next step is to configure MDT for the creation of a reference image. Before you can perform the process of creating a reference image, MDT needs to be set up with a repository for scripts, images, and other deployment resources. This repository is known as the *deployment share*. After the deployment share is created, you must supply MDT with a complete set of Windows 10 installation files, the last set of tools required before MDT can perform reference image creation. - -To create the deployment share, follow these steps: - -1. Open the Deployment Workbench from your Start menu or Start screen, as shown in Figure 5. - - ![The MDT Deployment Workbench](images/surface-deploymdt-fig5.png "The MDT Deployment Workbench") - - *Figure 5. The MDT Deployment Workbench* - -2. Right-click the **Deployment Shares** folder, and then click **New Deployment Share** to start the New Deployment Share Wizard, as shown in Figure 6. - - ![Summary page of the New Deployment Share Wizard](images/surface-deploymdt-fig6.png "Summary page of the New Deployment Share Wizard") - - *Figure 6. The Summary page of the New Deployment Share Wizard* - -3. Create a new deployment share with New Deployment Share Wizard with the following steps: - - * **Path** – Specify a local folder where the deployment share will reside, and then click **Next**. - - >[!NOTE] - >Like the WDS remote installation folder, it is recommended that you put this folder on an NTFS volume that is not your system volume. - - * **Share** – Specify a name for the network share under which the local folder specified on the **Path** page will be shared, and then click **Next**. - - >[!NOTE] - >The share name cannot contain spaces. - - >[!NOTE] - >You can use a Dollar Sign (**$**) to hide your network share so that it will not be displayed when users browse the available network shares on the server in File Explorer. - - * **Descriptive Name** – Enter a descriptive name for the network share (this descriptive name can contain spaces), and then click **Next**. The descriptive name will be the name of the folder as it appears in the Deployment Workbench. - * **Options** – You can accept the default options on this page. Click **Next**. - * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the deployment share. - * **Progress** – While the deployment share is being created, a progress bar is displayed on this page to indicate the status of the deployment share creation process. - * **Confirmation** – When the deployment share creation process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Deployment Share Wizard. - -4. When the New Deployment Share Wizard is complete, you can expand the Deployment Shares folder to find your newly created deployment share. -5. You can expand your deployment share, where you will find several folders for the resources, scripts, and components of your MDT deployment environment are stored. - -To secure the deployment share and prevent unauthorized access to the deployment resources, you can create a local user on the deployment share host and configure permissions for that user to have read-only access to the deployment share only. It is especially important to secure access to the deployment share if you intend to automate the logon to the deployment share during the deployment boot process. By automating the logon to the deployment share during the boot of deployment media, the credentials for that logon are stored in plaintext in the bootstrap.ini file on the boot media. - ->[!NOTE] ->If you intend to capture images (such as the reference image) with this user, the user must also have write permission on the Captures folder in the MDT deployment share. - -You now have an empty deployment share that is ready for you to add the resources that will be required for reference image creation and deployment to Surface devices. - -### Import Windows installation files - -The first resources that are required to perform a deployment of Windows are the installation files from Windows 10 installation media. Even if you have an already prepared reference image, you still need to supply the unaltered installation files from your installation media. The source of these files can be a physical disk, or it can be an ISO file like the download from the Volume Licensing Service Center (VLSC). - ->[!NOTE] ->A 64-bit operating system is required for compatibility with Surface devices except Surface Pro X which cannot be managed with MDT. - -To import Windows 10 installation files, follow these steps: - -1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench, and then click **New Folder** to open the **New Folder** page, as shown in Figure 7. - - ![Create a new folder on the New Folder page](images/surface-deploymdt-fig7.png "Create a new folder on the New Folder page") - - *Figure 7. Create a new folder on the New Folder page* - -2. On the **New Folder** page a series of steps is displayed, as follows: - * **General Settings** – Enter a name for the folder in the **Folder Name** field (for example, Windows 10 Enterprise), add any comments you want in the **Comments** field, and then click **Next**. - * **Summary** – Review the specified configuration of the new folder on this page, and then click **Next**. - * **Progress** – A progress bar will be displayed on this page while the folder is created. This page will likely pass very quickly. - * **Confirmation** – When the new folder has been created, a **Confirmation** page displays the success of the operation. Click **Finish** to close the **New Folder** page. -3. Expand the Operating Systems folder to see the newly created folder. -4. Right-click the newly created folder, and then click **Import Operating System** to launch the Import Operating System Wizard, as shown in Figure 8. - - ![Import source files with the Import Operating System Wizard](images/surface-deploymdt-fig8.png "Import source files with the Import Operating System Wizard") - - *Figure 8. Import source files with the Import Operating System Wizard* - -5. The Import Operating System Wizard walks you through the import of your operating system files, as follows: - * **OS Type** – Click **Full Set of Source Files** to specify that you are importing the Windows source files from installation media, and then click **Next**. - * **Source** – Click **Browse**, move to and select the folder or drive where your installation files are found, and then click **Next**. - * **Destination** – Enter a name for the new folder that will be created to hold the installation files, and then click **Next**. - * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - * **Progress** – While the installation files are imported, a progress bar is displayed on this page. - * **Confirmation** – When the operating system import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Operating System Wizard. -6. Expand the folder you created in Step 1 to see the entry for your newly imported installation files for Windows 10. - -Now that you’ve imported the installation files from the installation media, you have the files that MDT needs to create the reference image and you are ready to instruct MDT how to create the reference image to your specifications. - -### Create reference image task sequence - -As described in the [Deployment tools](#deployment-tools) section of this article, the goal of creating a reference image is to keep the Windows environment as simple as possible while performing tasks that would be common to all devices being deployed. You should now have a basic MDT deployment share configured with default options and a set of unaltered, factory installation files for Windows 10. This simple configuration is perfect for reference image creation because the deployment share contains no applications or drivers to interfere with the process. - ->[!NOTE] ->For some organizations keeping a simple deployment share without applications or drivers is the simplest solution for creation of reference images. You can easily connect to more than one deployment share from a single Deployment Workbench and copy images from a simple, reference-image-only deployment share to a production deployment share complete with drivers and applications. - -To create the reference image task sequence, follow these steps: - -1. Right-click the **Task Sequences** folder under your deployment share in the Deployment Workbench, and then click **New Task Sequence** to start the New Task Sequence Wizard, as shown in Figure 9. - - ![Create new task sequence to deploy and update a Windows 10 reference environment](images/surface-deploymdt-fig9.png "Create new task sequence to deploy and update a Windows 10 reference environment") - - *Figure 9. Create a new task sequence to deploy and update a Windows 10 reference environment* - -2. The New Task Sequence Wizard presents a series of steps, as follows: - * **General Settings** – Enter an identifier for the reference image task sequence in the **Task Sequence ID** field, a name for the reference image task sequence in the **Task Sequence Name** field, and any comments for the reference image task sequence in the **Task Sequence Comments** field, and then click **Next**. - >[!NOTE] - >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters. - * **Select Template** – Select **Standard Client Task Sequence** from the drop-down menu, and then click **Next**. - * **Select OS** – Navigate to and select the Windows 10 image you imported with the Windows 10 installation files, and then click **Next**. - * **Specify Product Key** – Click **Do Not Specify a Product Key at This Time**, and then click **Next**. - * **OS Settings** – Enter a name, organization, and home page URL in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**. - * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**. - >[!NOTE] - >During creation of a reference image, any specified Administrator password will be automatically removed when the image is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to remain in line with best practices for production deployment environments. - * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence. - * **Progress** – While the task sequence is created, a progress bar is displayed on this page. - * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard. -3. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**. -4. Select the **Task Sequence** tab to view the steps that are included in the Standard Client Task Sequence template, as shown in Figure 10. - - ![Enable Windows Update in the reference image task sequence](images/surface-deploymdt-fig10.png "Enable Windows Update in the reference image task sequence") - - *Figure 10. Enable Windows Update in the reference image task sequence* - -5. Select the **Windows Update (Pre-Application Installation)** option, located under the **State Restore** folder. -6. Click the **Options** tab, and then clear the **Disable This Step** check box. -7. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option. -8. Click **OK** to apply changes to the task sequence, and then close the task sequence properties window. - -### Generate and import MDT boot media - -To boot the reference virtual machine from the network, the MDT deployment share first must be updated to generate boot media with the resources that have been added in the previous sections. - -To update the MDT boot media, follow these steps: - -1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard, as shown in Figure 11. - - ![Generate boot images with the Update Deployment Share Wizard](images/surface-deploymdt-fig11.png "Generate boot images with the Update Deployment Share Wizard") - - *Figure 11. Generate boot images with the Update Deployment Share Wizard* - -2. Use the Update Deployment Share Wizard to create boot images with the following process: - * **Options** – Click **Completely Regenerate the Boot Images**, and then click **Next**. - >[!NOTE] - >Because this is the first time the newly created deployment share has been updated, new boot images will be generated regardless of which option you select on the **Options** page. - * **Summary** – Review the specified options on this page before you click **Next** to begin generation of boot images. - * **Progress** – While the boot images are being generated, a progress bar is displayed on this page. - * **Confirmation** – When the boot images have been generated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard. -3. Confirm that boot images have been generated by navigating to the deployment share in File Explorer and opening the Boot folder. The following files should be displayed, as shown in Figure 12: - * **LiteTouchPE_x86.iso** - * **LiteTouchPE_x86.wim** - * **LiteTouchPE_x64.iso** - * **LiteTouchPE_x64.wim** - - - ![Boot images in the Boot folder after Update Deployment Share Wizard completes](images/surface-deploymdt-fig12.png "Boot images in the Boot folder after Update Deployment Share Wizard completes") - - *Figure 12. Boot images displayed in the Boot folder after completion of the Update Deployment Share Wizard* - -To import the MDT boot media into WDS for PXE boot, follow these steps: - -1. Open Windows Deployment Services from the Start menu or Start screen. -2. Expand **Servers** and your deployment server. -3. Click the **Boot Images** folder, as shown in Figure 13. - - ![Start the Add Image Wizard from the Boot Images folder](images/surface-deploymdt-fig13.png "Start the Add Image Wizard from the Boot Images folder") - - *Figure 13. Start the Add Image Wizard from the Boot Images folder* - -4. Right-click the **Boot Images** folder, and then click **Add Boot Image** to open the Add Image Wizard, as shown in Figure 14. - - ![Import the LiteTouchPE_x86.wim MDT boot image](images/surface-deploymdt-fig14.png "Import the LiteTouchPE_x86.wim MDT boot image") - - *Figure 14. Import the LiteTouchPE_x86.wim MDT boot image* - -5. The Add Image Wizard displays a series of steps, as follows: - * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, click **Open**, and then click **Next**. - * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options. - * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**. - * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard. - ->[!NOTE] ->Only the 32-bit boot image, LiteTouchPE_x86.wim, is required to boot from BIOS devices, including Generation 1 Hyper-V virtual machines like the reference virtual machine. - -If your WDS configuration is properly set up to respond to PXE clients, you should now be able to boot from the network with any device with a network adapter properly configured for network boot (PXE). - ->[!NOTE] ->If your WDS server resides on the same server as DHCP or in a different subnet than the devices you are attempting to boot, additional configuration may be required. For more information, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351). - -### Deploy and capture a reference image - -Your deployment environment is now set up to create a reference image for Windows 10 complete with Windows Updates. - ->[!NOTE] ->You cannot install version updates (such as Windows 10, Version 1511) in a reference image. To create a reference image with a new version of Windows, you must use installation files from that version of Windows. When you install a version update in Windows, it effectively performs an upgrade to a new version of Windows, and upgraded installations of Windows cannot be prepared for deployment with Sysprep.

-By using a fully automated task sequence in an MDT deployment share dedicated to reference image creation, you can greatly reduce the time and effort required to create new reference images and it is the best way to ensure that your organization is ready for feature updates and new versions of Windows 10. - -You can now boot from the network with a virtual machine to run the prepared task sequence and generate a reference image. When you prepare your virtual machine in Hyper-V for reference image creation, consider the following: - -* Use a Generation 1 virtual machine for the simplicity of drivers and to ensure maximum compatibility with both BIOS and UEFI devices. -* Ensure your virtual machine has at least 1 GB of system memory at boot. You can ensure that the virtual machine has at least 1 GB of memory at boot but allow the memory to adjust after boot by using Dynamic Memory. You can read more about Dynamic Memory in the [Hyper-V Dynamic Memory Overview](https://technet.microsoft.com/library/hh831766). -* Ensure your virtual machine uses a legacy network adapter to support network boot (PXE); that network adapter should be connected to the same network as your deployment server, and that network adapter should receive an IP address automatically via DHCP. -* Configure your boot order such that PXE Boot is the first option. - -When your virtual machine (VM) is properly configured and ready, start or boot the VM and be prepared to press the F12 key when prompted to boot via PXE from the WDS server. - -Perform the reference image deployment and capture using the following steps: - -1. Start your virtual machine and press the F12 key when prompted to boot to the WDS server via PXE, as shown in Figure 15. - - ![Start network boot by pressing the F12 key](images/surface-deploymdt-fig15.png "Start network boot by pressing the F12 key") - - *Figure 15. Start network boot by pressing the F12 key* - -2. Click **Run the Deployment Wizard to Install a New Operating System** to begin the MDT deployment process. -3. Enter your MDT username and password, a user with rights to access the MDT deployment share over the network and with rights to write to the Captures folder in the deployment share. -4. After your credentials are validated, the Windows Deployment Wizard will start and process the boot and deployment share rules. -5. The Windows Deployment Wizard displays a series of steps, as follows: - * **Task Sequence** – Select the task sequence you created for reference image creation (it should be the only task sequence available), and then click **Next**. - * **Computer Details** – Leave the default computer name, workgroup name, and the **Join a Workgroup** option selected, and then click **Next**. The computer name and workgroup will be reset when the image is prepared by Sysprep and captured. - * **Move Data and Settings** – Leave the default option of **Do Not Move User Data and Settings** selected, and then click **Next**. - * **User Data (Restore)** – Leave the default option of **Do Not Restore User Data and Settings** selected, and then click **Next**. - * **Locale and Time** – Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**. - * **Capture Image** – Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**. - - ![Capture an image of the reference machine](images/surface-deploymdt-fig16.png "Capture an image of the reference machine") - - *Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment* - - * **Ready** – You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image. - -6. Your reference task sequence will run with the specified options. - -As the task sequence processes the deployment, it will automatically perform the following tasks: -* Install the Windows 10 image from the installation files you supplied -* Reboot into Windows 10 -* Run Windows updates until all Windows updates have been installed and the Windows environment is fully up to date -* Run Sysprep and prepare the Windows 10 environment for deployment -* Reboot into WinPE -* Capture an image of the Windows 10 environment and store it in the Captures folder in the MDT deployment share - ->[!NOTE] ->The Windows Update process can take some time to complete as it searches the Internet for updates, downloads those updates, and then installs them. By performing this process now, in the reference environment, you eliminate the need to perform these tasks on each deployed device and significantly reduce the amount of time and bandwidth required to perform your deployment. - -When the task sequence completes, your virtual machine will be off and a new reference image complete with updates will be ready in your MDT deployment share for you to import it and prepare your deployment environment for deployment to Surface devices. - -## Deploy Windows 10 to Surface devices - -With a freshly prepared reference image, you are now ready to configure the deployment process for deployment to the Surface devices. Use the steps detailed in this section to produce a deployment process that requires minimal effort on each Surface device to produce a complete and ready-to-use Windows 10 environment. - -### Import reference image - -After the reference image has been created and stored in the Captures folder, you need to add it to your MDT deployment share as an image for deployment. You perform this task by using the same process that you used to import the installation files for Windows 10. - -To import the reference image for deployment, use the following steps: - -1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench or the folder you created in when you imported Windows 10 installation files, and then click **Import Operating System** to start the Import Operating System Wizard. -2. Import the custom image with the Import Operating System Wizard by using the following steps: - * **OS Type** – Select Custom Image File to specify that you are importing the Windows source files from installation media, and then click **Next**. - * **Image** – Click **Browse**, and then navigate to and select the image file in the **Captures** folder in your deployment share. Select the **Move the Files to the Deployment Share Instead of Copying Them** checkbox if desired. Click **Next**. - * **Setup** – Click **Setup Files are not Neededf**, and then click **Next**. - * **Destination** – Enter a name for the new folder that will be created to hold the image file, and then click **Next**. - * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - * **Progress** – While the image is imported, a progress bar is displayed on this page. - * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Operating System Wizard. -3. Expand the folder in which you imported the image to verify that the import completed successfully. - ->[!NOTE] ->You can import the reference image into the same deployment share that you used to create your reference image, or you could import the reference image into a new deployment share for deployment to your Surface devices. If you chose to create a new deployment share for deployment of your reference image, remember that you still need to import a full set of installation files from installation media. - -Now that your updated reference image is imported, it is time to prepare your deployment environment for deployment to Surface devices complete with drivers, applications, and automation. - -### Import Surface drivers - -Before you can deploy your updated reference image to Surface devices, or any physical environment, you need to supply MDT with the drivers that Windows will use to communicate with that physical environment. For Surface devices you can download all of the drivers required by Windows in a single archive (.zip) file in a format that is ready for deployment. In addition to the drivers that are used by Windows to communicate with the hardware and components, Surface firmware and driver packs also include updates for the firmware of those components. By installing the Surface firmware and driver pack, you will also bring your device’s firmware up to date. If you have not done so already, download the drivers for your Surface device listed at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). - -Many devices require that you import drivers specifically for WinPE in order for the MDT boot media to communicate with the deployment share and to boot properly on that device. Even Surface Pro 3 required that network drivers be imported specifically for WinPE for deployment of Windows 8.1. Fortunately, for Windows 10 deployments to Surface devices, all of the required drivers for operation of WinPE are contained within the out-of-box drivers that are built into Windows 10. It is still a good idea to prepare your environment with folder structure and selection profiles that allow you to specify drivers for use in WinPE. You can read more about that folder structure in **Step 5: Prepare the drivers repository** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec05). - -To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow these steps: - -1. Extract the downloaded archive (.zip) file to a folder that you can easily locate. Keep the driver files separate from other drivers or files. -2. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share. -3. If you have not already created a folder structure by operating system version, you should do so now and create under the Windows 10 x64 folder a new folder for Surface Pro 4 drivers named Surface Pro 4. Your Out-of-Box Drivers folder should resemble the following structure, as shown in Figure 17: - * WinPE x86 - * WinPE x64 - * Windows 10 x64 - * Microsoft Corporation - * Surface Pro 4 - - ![Recommended folder structure for drivers](images/surface-deploymdt-fig17.png "Recommended folder structure for drivers") - - *Figure 17. The recommended folder structure for drivers* - -4. Right-click the **Surface Pro 4** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 18. - - ![Progress page during drivers import](images/surface-deploymdt-fig18.png "Progress page during drivers import") - - *Figure 18. The Progress page during drivers import* - -5. The Import Driver Wizard displays a series of steps, as follows: - * **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 4 firmware and drivers in Step 1. - * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - * **Progress** – While the drivers are imported, a progress bar is displayed on this page. - * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard. -6. Click the **Surface Pro 4** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 19. - - ![Drivers for Surface Pro 4 imported and organized in the MDT deployment share](images/surface-deploymdt-fig19.png "Drivers for Surface Pro 4 imported and organized in the MDT deployment share") - - *Figure 19. Drivers for Surface Pro 4 imported and organized in the MDT deployment share* - -### Import applications - -You can import any number of applications into MDT for installation on your devices during the deployment process. You can configure your applications and task sequences to prompt you during deployment to pick and choose which applications are installed, or you can use your task sequence to explicitly define which applications are installed. For more information, see **Step 4: Add an application** in [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt/#sec04). - -#### Import Microsoft Office 365 Installer - -The Office Deployment Tool is a free download available in the Microsoft Download Center that allows IT professionals and system administrators to download and prepare Office installation packages for Office Click-to-Run. You can find the Office Deployment Tool and instructions to download Click-to-Run for Office 365 installation source files at [Download Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/library/jj219424). - -Download and install the version of Office Deployment Tool (ODT), for Office 2013 or Office 2016, that fits your organization’s needs and use the steps provided by that page to download the Office installation files for use with MDT. - -After you have downloaded the source files for your version of Office Click-to-Run, you need to edit the Configuration.xml file with instructions to install Office Click-to-Run silently. To configure the Office Deployment Tool for silent installation, follow these steps: - -1. Right-click the existing **Configuration.xml** file, and then click **Edit**. -2. This action opens the file in Notepad. Replace the existing text with the following: - ``` - - - - - - - - ``` - -3. Save the file. - -The default behavior of Setup.exe is to look for the source files in the path that contains **Setup.exe**. If the installation files are not found in this folder, the Office Deployment Tool will default to online source files from an Internet connection. - -For MDT to perform an automated installation of office, it is important to configure the **Display Level** option to a value of **None**. This setting is used to suppress the installation dialog box for silent installation. It is required that the **AcceptEULA** option is set to **True** to accept the license agreement when the **Display Level** option is set to **None**. With both of these options configured, the installation of Office will occur without the display of dialog boxes which could potentially cause the installation to pause until a user can address an open dialog box. - -Now that the installation and configuration files are prepared, the application can be imported into the deployment share by following these steps: - -1. Open the Deployment Workbench. -2. Expand the deployment share, right-click the **Applications** folder, and then click **New Application** to start the New Application Wizard, as shown in Figure 20. - - ![Enter the command and directory for Office 2016 Click-to-Run](images/surface-deploymdt-fig20.png "Enter the command and directory for Office 2016 Click-to-Run") - - *Figure 20. Enter the command and directory for Office 2016 Click-to-Run* - -3. The New Application Wizard walks you through importing the Office 2016 Click-to-Run files, as follows: - * **Application Type** – Click **Application with Source Files**, and then click **Next**. - * **Details** – Enter a name for the application (for example, Office 2016 Click-to-Run) in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**. - * **Source** – Click **Browse** to navigate to and select the folder where you downloaded the Office installation files with the Office Deployment Tool, and then click **Next**. - * **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name. - * **Command Details** – Enter the Office Deployment Tool installation command line: - - `Setup.exe /configure configuration.xml` - - * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - * **Progress** – While the installation files are imported, a progress bar is displayed on this page. - * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard. - -4. You should now see the **Office 2016 Click-to-Run** item under the **Applications** folder in the Deployment Workbench. - -#### Import Surface app installer - -The Surface app is a Microsoft Store app that provides the user with greater control over specific Surface device functions and capabilities (for example, control over the sensitivity of the Surface Pen). It is a highly recommended app for Surface devices to provide end users with the best experience and greatest control over their device. Find out more about the Surface app at [Install and use the Surface app](https://www.microsoft.com/surface/support/apps-and-windows-store/surface-app?os=windows-10). - -To perform a deployment of the Surface app, you will need to download the app files through Microsoft Store for Business. You can find detailed instructions on how to download the Surface app through Microsoft Store for Business at [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business). - -After you have downloaded the installation files for Surface app, including the AppxBundle and license files, you can import these files into the deployment share through the same process as a desktop application like Microsoft Office. Both the AppxBundle and license files must be together in the same folder for the import process to complete successfully. Use the following command on the **Command Details** page to install the Surface app: - ``` -DISM.exe /Online /Add-ProvisionedAppxPackage /PackagePath: Microsoft.SurfaceHub_10.0.342.0_neutral_~_8wekyb3d8bbwe.AppxBundle /LicensePath: Microsoft.SurfaceHub_8wekyb3d8bbwe_a53ef8ab-9dbd-dec1-46c5-7b664d4dd003.xml - ``` - -### Create deployment task sequence - -The next step in the process is to create the deployment task sequence. This task sequence will be configured to completely automate the deployment process and will work along with customized deployment share rules to reduce the need for user interaction down to a single touch. Before you can make customizations to include all of this automation, the new task sequence has to be created from a template. - -To create the deployment task sequence, follow these steps: -1. In the Deployment Workbench, under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard. -2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard: - * **General Settings** – Enter an identifier for the deployment task sequence in the **Task Sequence ID** field, a name for the deployment task sequence in the **Task Sequence Name** field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, then click **Next**. - >[!NOTE] - >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters. - * **Select Template** – Click **Standard Client Task Sequence** from the drop-down menu, and then click **Next**. - * **Select OS** – Navigate to and select the reference image that you imported, and then click **Next**. - * **Specify Product Key** – Select the product key entry that fits your organization's licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**. - * **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**. - * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**. - * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence. - * **Progress** – While the task sequence is being created, a progress bar is displayed on this page. - * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard. - -After the task sequence is created it can be modified for increased automation, such as the installation of applications without user interaction, the selection of drivers, and the installation of Windows updates. - -1. Click the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**. -2. Click the **Task Sequence** tab to view the steps that are included in the new task sequence. -3. Click the **Windows Update (Pre-Application Installation)** step, located under the **State Restore** folder. -4. Click the **Options** tab, and then clear the **Disable This Step** check box. -5. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option. -6. Between the two **Windows Update** steps is the **Install Applications** step. Click the **Install Applications** step, and then click **Add**. -7. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 21. - - ![A new Install Application step in the deployment task sequence](images/surface-deploymdt-fig21.png "A new Install Application step in the deployment task sequence") - - *Figure 21. A new Install Application step in the deployment task sequence* - -8. On the **Properties** tab of the new **Install Application** step, enter **Install Microsoft Office 2016 Click-to-Run** in the **Name** field. -9. Click **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share. -10. Select Office 2016 Click-to-Run from the list of applications, and then click **OK**. -11. Repeat Steps 6 through 10 for the Surface app. -12. Expand the **Preinstall** folder, and then click the **Enable BitLocker (Offline)** step. -13. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu. -14. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 22), configure the following options: - * **Name** – Set DriverGroup001 - * **Task Sequence Variable** – DriverGroup001 - * **Value** – Windows 10 x64\%Make%\%Model% - - ![Configure a new Set Task Sequence Variable step in the deployment task sequence](images/surface-deploymdt-fig22.png "Configure a new Set Task Sequence Variable step in the deployment task sequence") - - *Figure 22. Configure a new Set Task Sequence Variable step in the deployment task sequence* - -15. Select the **Inject Drivers** step, the next step in the task sequence. -16. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 23), configure the following options: - * In the **Choose a selection profile** drop-down menu, select **Nothing**. - * Click the **Install all drivers from the selection profile** button. - - ![Configure deployment task sequence not to choose the drivers to inject into Windows](images/surface-deploymdt-fig23.png "Configure deployment task sequence not to choose the drivers to inject into Windows") - - *Figure 23. Configure the deployment task sequence not to choose the drivers to inject into Windows* - -17. Click **OK** to apply changes to the task sequence and close the task sequence properties window. - -### Configure deployment share rules - -The experience of users during a Windows deployment is largely governed by a set of rules that control how the MDT and Windows Deployment Wizard experience should proceed. These rules are stored in two configuration files. Boot media rules are stored in the Bootstrap.ini file that is processed when the MDT boot media is first run. Deployment share rules are stored in the Customsettings.ini file and tell the Windows Deployment Wizard how to operate (for example, what screens to show and what questions to ask). By using these the rules stored in these two files, you can completely automate the process of deployment to where you will not be asked to supply the answer to any questions during deployment and the deployment will perform all tasks completely on its own. - -#### Configure Bootstrap.ini - -Bootstrap.ini is the simpler of the two rule files. The purpose it serves is to provide instructions from when the MDT boot media starts on a device until the Windows Deployment Wizard is started. The primary use of this file is to provide the credentials that will be used to log on to the deployment share and start the Windows Deployment Wizard. - -To automate the boot media rules, follow these steps: - -1. Right-click your deployment share in the Deployment Workbench, and then click **Properties**. -2. Click the **Rules** tab, and then click **Edit Bootstrap.ini** to open Bootstrap.ini in Notepad. -3. Replace the text of the Bootstrap.ini file with the following text: - - ``` - [Settings] - Priority=Model,Default - - [Surface Pro 4] - DeployRoot=\\STNDeployServer\DeploymentShare$ - UserDomain=STNDeployServer - UserID=MDTUser - UserPassword=P@ssw0rd - SkipBDDWelcome=YES - - [Surface Pro 4] - DeployRoot=\\STNDeployServer\DeploymentShare$ - ``` - -4. Press Ctrl+S to save Bootstrap.ini, and then close Notepad. - -You can use a number of variables in both boot media and deployment share rules to apply rules only when certain conditions are met. For example, you can use MAC addresses to identify specific machines where MDT will run fully automated, but will run with required user interaction on all other devices. You can also use the model of the device to instruct the MDT boot media to perform different actions based on computer model, much as the way **[Surface Pro 4]** is listed in Step 3. You can use the following cmdlet in a PowerShell session to see what the Model variable would be on a device: - -```wmic csproduct get name``` - -Rules used in the text shown in Step 3 include: - -* **DeployRoot** – Used to specify the deployment share that the MDT boot media will connect to. -* **UserDomain** – Used to specify the domain or computer where the MDT user account is located. -* **UserID** – Used to specify the MDT user account for automatic logon to the deployment share. -* **UserPassword** – Used to specify the MDT user password for automatic logon to the deployment share. -* **SkipBDDWelcome** – Used to skip the Welcome page and to start the Windows Deployment Wizard immediately using the specified credentials and deployment share. - -#### Configure CustomSettings.ini - -The bulk of the rules used to automate the MDT deployment process are stored in the deployment share rules, or the Customsettings.ini file. In this file you can answer and hide all of the prompts from the Windows Deployment Wizard, which yields a deployment experience that mostly consists of a progress bar that displays the automated actions occurring on the device. The deployment share rules are shown directly in the **Rules** tab of the deployment share properties, as shown in Figure 24. - -![Deployment share rules configured for automation of the Windows Deployment Wizard](images/surface-deploymdt-fig24.png "Deployment share rules configured for automation of the Windows Deployment Wizard") - -*Figure 24. Deployment share rules configured for automation of the Windows Deployment Wizard* - -To configure automation for the production deployment, copy and paste the following text into the text box on the **Rules** tab of your deployment share properties: - - ``` -[Settings] -Priority=Model,Default -Properties=MyCustomProperty - -[Surface Pro 4] -SkipTaskSequence=YES -TaskSequenceID=Win10SP4 - -[Default] -OSInstall=Y -SkipCapture=YES -SkipAdminPassword=YES -SkipProductKey=YES -SkipComputerBackup=YES -SkipBitLocker=YES -SkipBDDWelcome=YES -SkipUserData=YES -UserDataLocation=AUTO -SkipApplications=YES -SkipPackageDisplay=YES -SkipComputerName=YES -SkipDomainMembership=YES -JoinDomain=contoso.com -DomainAdmin=MDT -DomainAdminDomain=contoso -DomainAdminPassword=P@ssw0rd -SkipLocaleSelection=YES -KeyboardLocale=en-US -UserLocale=en-US -UILanguage=en-US -SkipTimeZone=YES -TimeZoneName=Pacific Standard Time -UserID=MDTUser -UserDomain=STNDeployServer -UserPassword=P@ssw0rd -SkipSummary=YES -SkipFinalSummary=YES -FinishAction=LOGOFF - ``` -Rules used in this example include: - -* **SkipTaskSequence** – This rule is used to skip the **Task Sequence** page where the user would have to select between available task sequences. -* **TaskSequenceID** – This rule is used to instruct the Windows Deployment Wizard to run a specific task sequence. In this scenario the task sequence ID should match the deployment task sequence you created in the previous section. -* **OSInstall** – This rule indicates that the Windows Deployment Wizard will be performing an operating system deployment. -* **SkipCapture** – This rule prevents the **Capture Image** page from being displayed, prompting the user to create an image of this device after deployment. -* **SkipAdminPassword** – This rule prevents the **Admin Password** page from being displayed. The Administrator password specified in the task sequence will still be applied. -* **SkipProductKey** – This rule prevents the **Specify Product Key** page from being displayed. The product key specified in the task sequence will still be applied. -* **SkipComputerBackup** – This rule prevents the **Move Data and Settings** page from being displayed, where the user is asked if they would like to make a backup of the computer before performing deployment. -* **SkipBitLocker** – This rule prevents the **BitLocker** page from being displayed, where the user is asked if BitLocker Drive Encryption should be used to encrypt the device. -* **SkipBDDWelcome** – This rule prevents the **Welcome** page from being displayed, where the user is prompted to begin Windows deployment. -* **SkipUserData** – This rule prevents the **User Data (Restore)** page from being displayed, where the user is asked to restore previously backed up user data in the new environment. -* **UserDataLocation** – This rule prevents the user from being prompted to supply a location on the User Data (Restore) page. -* **SkipApplications** – This rule prevents the **Applications** page from being displayed, where the user is prompted to select from available applications to be installed in the new environment. -* **SkipPackageDisplay** – This rule prevents the **Packages** page from being displayed, where the user is prompted to select from available packages to be installed in the new environment. -* **SkipComputerName** – This rule, when combined with the **SkipDomainMembership** rule, prevents the **Computer Details** page from being displayed, where the user is asked to supply computer name and join a domain or workgroup. -* **SkipDomainMembership** – This rule, when combined with the **SkipComputerName** rule, prevents the **Computer Details** page from being displayed, where the user is asked to supply computer name and join a domain or workgroup. -* **JoinDomain** – This rule instructs the Windows Deployment Wizard to have the computer join the specified domain using the specified credentials. -* **DomainAdmin** – This rule specifies the username for the domain join operation. -* **DomainAdminDomain** – This rule specifies the domain for the username for the domain join operation. -* **DomainAdminPassword** – This rule specifies the password for the username for the domain join operation. -* **SkipLocaleSelection** – This rule, along with the **SkipTimeZone** rule, prevents the **Locale and Time** page from being displayed. -* **KeyboardLocale** – This rule is used to specify the keyboard layout for the deployed Windows environment. -* **UserLocale** – This rule is used to specify the geographical locale for the deployed Windows environment. -* **UILanguage** – This rule is used to specify the language to be used in the deployed Windows environment. -* **SkipTimeZone** – This rule, along with the **SkipLocaleSelection** rule, prevents the **Locale and Time** page from being displayed. -* **TimeZoneName** – This rule is used to specify the time zone for the deployed Windows environment. -* **UserID** – This rule is used to supply the username under which the MDT actions and task sequence steps are performed. -* **UserDomain** – This rule is used to supply the domain for the username under which the MDT actions and task sequence steps are performed. -* **UserPassword** – This rule is used to supply the password for the username under which the MDT actions and task sequence steps are performed. -* **SkipSummary** – This rule prevents the **Summary** page from being displayed before the task sequence is run, where the user is prompted to confirm the selections before beginning the task sequence. -* **SkipFinalSummary** – This rule prevents the **Summary** page from being displayed when the task sequence has completed. -* **FinishAction** – This rule specifies whether to log out, reboot, or shut down the device after the task sequence has completed. - -You can read about all of the possible deployment share and boot media rules in the [Microsoft Deployment Toolkit Reference](https://technet.microsoft.com/library/dn781091). - -### Update and import updated MDT boot media - -The process to update MDT boot media with these new rules and changes to the deployment share is very similar to the process to generate boot media from scratch. - -To update the MDT boot media, follow these steps: - -1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard. -2. The Update Deployment Share Wizard displays a series of steps, as follows: - * **Options** – Choose between the **Completely Regenerate the Boot Images** or **Optimize the Boot Image Updating Process** options. Completely regenerating the boot images will take more time, but produces boot media that is not fragmented and does not contain out of date components. Optimizing the boot image updating process will proceed more quickly, but may result in longer load times when booting via PXE. Click **Next**. - * **Summary** – Review the specified options on this page before you click **Next** to begin the update of boot images. - * **Progress** – While the boot images are being updated a progress bar is displayed on this page. - * **Confirmation** – When the boot images have been updated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard. - -To import the updated MDT boot media into WDS for PXE boot, follow these steps: - -1. Open Windows Deployment Services from the Start menu or Start screen. -2. Expand **Servers** and your deployment server. -3. Click the **Boot Images** folder. -4. Right-click the existing MDT boot image, and then click **Replace Image** to open the Replace Boot Image Wizard. -5. Replace the previously imported MDT boot image with the updated version by using these steps in the Replace Boot Image Wizard: - * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, and then click **Open**. Click **Next**. - * **Available Images** – Only one image should be listed and selected **LiteTouch Windows PE (x86)**, click **Next**. - * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options. - * **Summary** – Review your selections for importing a boot image into WDS, and then click **Next**. - * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Replace Boot Image Wizard. -6. Right-click the **Boot Images** folder, and then click **Add Image** to open the Add Image Wizard. -7. Add the new 64-bit boot image for 64-bit UEFI device compatibility with the Add Image Wizard , as follows: - * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, select **LiteTouchPE_x64.wim**, and then click **Open**. Click **Next**. - * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options. - * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**. - * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard. - ->[!NOTE] ->Although it is a best practice to replace and update the boot images in WDS whenever the MDT deployment share is updated, for deployment to Surface devices the 32-bit boot image, LiteTouchPE_x86.wim, is not required. Only the 64-bit boot image is required for 64-bit UEFI devices. - -### Deploy Windows to Surface - -With all of the automation provided by the deployment share rules and task sequence, performing the deployment on each Surface device becomes as easy as a single touch. - ->[!NOTE] ->For the deployment to require only a single touch, the Surface devices must be connected to a keyboard, connected to the network with a Microsoft Surface USB Ethernet Adapter or Surface Dock, and configured with PXE boot as the first boot option, as shown in Figure 25. - -![Set boot priority for PXE boot](images/surface-deploymdt-fig25.png "Set boot priority for PXE boot") - -*Figure 25. Setting boot priority for PXE boot* - -On a properly configured Surface device, simply turn on the device and press Enter when you are prompted to boot from the network. The fully automated MDT deployment process will then take over and perform the following tasks: - -* The MDT boot media will be loaded to your Surface device via the network -* The MDT boot media will use the provided credentials and rules to connect to the MDT deployment share -* The task sequence and drivers will be automatically selected for your device via make and model information -* The task sequence will deploy your updated Windows 10 image to the device complete with the selected drivers -* The task sequence will join your device to the domain -* The task sequence will install the applications you specified, Microsoft Office and Surface app -* Windows Update will run, installing any new Windows Updates or updates for installed applications, like Microsoft Office -* The task sequence will complete silently and log out of the device - ->[!NOTE] ->For Surface devices not configured to boot to the network as the first boot option, you can hold Volume Down and press Power to boot the system immediately to a USB or network device. - -The resulting configuration is a Surface device that is logged out and ready for an end user to enter their credentials, log on, and get right to work. The applications and drivers they need are already installed and up to date. - - +> MDT is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md). +For the latest information about using MDT, refer to [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt). diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md index 0147596761..fd8f4626e5 100644 --- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md +++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md @@ -24,7 +24,7 @@ For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Manage A streamlined method of managing firmware from the cloud on Surface Pro 7,Surface Pro X and Surface Laptop 3 is now available via public preview. For more information,refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md). > [!NOTE] -> SEMM is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md). +> SEMM is supported on Surface Pro X via the UEFI Manager only. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md). #### Download and install Microsoft Surface UEFI Configurator The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center. @@ -107,11 +107,11 @@ To enroll a Surface device in SEMM with a Surface UEFI configuration package, fo 3. Click **Finish** to complete the Surface UEFI configuration package installation and restart the Surface device when you are prompted to do so. 4. Surface UEFI will load the configuration file and determine that SEMM is not enabled on the device. Surface UEFI will then begin the SEMM enrollment process, as follows: * Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate. - * Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8. + * Surface UEFI will prompt you to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8. - ![SEMM enrollment requires last two characters of certificate thumbprint](images/surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint") - - *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint* + ![SEMM enrollment requires last two characters of certificate thumbprint](images/surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint") + + *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint* * Surface UEFI will store the SEMM certificate in firmware and apply the configuration settings that are specified in the Surface UEFI configuration file. diff --git a/devices/surface/index.yml b/devices/surface/index.yml index d9d7043dc2..b173beeed8 100644 --- a/devices/surface/index.yml +++ b/devices/surface/index.yml @@ -30,12 +30,7 @@ additionalContent: # Card - title: Surface Hub documentation summary: Learn how to deploy and manage Surface Hub 2S, the all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device. - url: https://docs.microsoft.com/surface-hub/index - # Card - - title: Surface Hub adoption guidance - summary: Get best practices for technical readiness and adoption across your lines of business. - url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit - + url: https://docs.microsoft.com/surface-hub/index - title: Other resources # < 60 chars (optional) items: # Card @@ -50,6 +45,8 @@ additionalContent: links: - text: Surface training on Microsoft Learn url: https://docs.microsoft.com/learn/browse/?term=Surface + - text: Surface Hub 2S adoption guidance + url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit - text: Microsoft Mechanics Surface videos url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md index a7ef242da7..ab4c3a46c4 100644 --- a/devices/surface/support-solutions-surface.md +++ b/devices/surface/support-solutions-surface.md @@ -1,5 +1,5 @@ --- -title: Top support solutions for Surface devices +title: Top support solutions for Surface devices in the enterprise description: Find top solutions for common issues using Surface devices in the enterprise. ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A ms.reviewer: @@ -20,16 +20,36 @@ ms.audience: itpro # Top support solutions for Surface devices > [!Note] -> **Home users**: This article is only intended for use by IT professionals and technical support agents, and applies only to Surface devices. If you're looking for help with a problem with your home device, please see [Surface Devices Help](https://support.microsoft.com/products/surface-devices). +> **Home users**: This article is only intended for use by IT professionals and technical support agents, and applies only to Surface devices. If you're looking for help with a problem with your home device, please see [Surface Devices Help](https://support.microsoft.com/products/surface-devices). -Microsoft regularly releases both updates and solutions for Surface devices. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface devices updated. For a complete listing of the update history, see [Surface update history](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) and [Install Surface and Windows updates](https://www.microsoft.com/surface/support/performance-and-maintenance/install-software-updates-for-surface?os=windows-10&=undefined). +These are the Microsoft Support solutions for common issues you may experience using Surface devices in an enterprise. If your issue is not listed here, [contact Microsoft Support](https://support.microsoft.com/supportforbusiness/productselection). +## Surface Drivers and Firmware -These are the top Microsoft Support solutions for common issues experienced when using Surface devices in an enterprise. +Microsoft regularly releases both updates and solutions for Surface devices. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface devices updated. + +- [Surface update history](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) +- [Install Surface and Windows updates](https://www.microsoft.com/surface/support/performance-and-maintenance/install-software-updates-for-surface?os=windows-10&=undefined) +- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482) +- [Deploy the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) +- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates) +- [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906) + +## Surface Dock Issues + +- [Troubleshoot Surface Dock and docking stations](https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations) + +- [Troubleshoot connecting Surface to a second screen](https://support.microsoft.com/help/4023496) + +- [Microsoft Surface Dock Firmware Update](https://docs.microsoft.com/surface/surface-dock-updater) + +## Device cover or keyboard issues + +- [Troubleshoot your Surface Type Cover or keyboard](https://www.microsoft.com/surface/support/hardware-and-drivers/troubleshoot-surface-keyboards) ## Screen cracked or scratched issues -- [Contact Microsoft Support](https://support.microsoft.com/supportforbusiness/productselection) +- [Contact Microsoft Support](https://support.microsoft.com/supportforbusiness/productselection) ## Surface Power or battery Issues @@ -41,29 +61,13 @@ These are the top Microsoft Support solutions for common issues experienced when - [Maximize your Surface battery life](https://support.microsoft.com/help/4483194) -## Device cover or keyboard issues +## Reset device -- [Troubleshoot your Surface Type Cover or keyboard](https://www.microsoft.com/surface/support/hardware-and-drivers/troubleshoot-surface-keyboards) +- [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/help/4023512) -## Surface Dock Issues +- [FAQ: Protecting your data if you send your Surface in for Service](https://support.microsoft.com/help/4023508) -- [Troubleshoot Surface Dock and docking stations](https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations) - -- [Troubleshoot connecting Surface to a second screen](https://support.microsoft.com/help/4023496) - -- [Microsoft Surface Dock Firmware Update](https://docs.microsoft.com/surface/surface-dock-updater) - -## Surface Drivers and Firmware - -- [Surface Update History](https://support.microsoft.com/help/4036283) - -- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482) - -- [Deploy the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) - -- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates) - -- [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906) +- [Microsoft Surface Data Eraser](https://docs.microsoft.com/surface/microsoft-surface-data-eraser) ## Deployment Issues @@ -72,11 +76,3 @@ These are the top Microsoft Support solutions for common issues experienced when - [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/help/4046105) - [System SKU reference](https://docs.microsoft.com/surface/surface-system-sku-reference) - -## Reset device - -- [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/help/4023512) - -- [FAQ: Protecting your data if you send your Surface in for Service](https://support.microsoft.com/help/4023508) - -- [Microsoft Surface Data Eraser](https://docs.microsoft.com/surface/microsoft-surface-data-eraser) diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md index f3d922c048..488eeca1a2 100644 --- a/devices/surface/surface-pro-arm-app-management.md +++ b/devices/surface/surface-pro-arm-app-management.md @@ -139,10 +139,10 @@ The following tables show the availability of selected key features on Surface P | Endpoint Configuration Manager | Yes | Yes | | | Power on When AC Restore | Yes | Yes | | | Surface Diagnostic Toolkit (SDT) for Business | Yes | Yes | | -| Surface Dock Firmware Update | Yes | Yes | | +| Surface Dock Firmware Update | Yes | No | | | Asset Tag Utility | Yes | Yes | | | Surface Enterprise management Mode (SEMM) | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. | -| Surface UEFI Configurator | Yes | | No option to disable hardware. on Surface Pro X at the firmware level. | +| Surface UEFI Configurator | Yes | No | No option to disable hardware. on Surface Pro X at the firmware level. | | Surface UEFI Manager | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. | diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md index f483ed4583..c9345502d8 100644 --- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md +++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md @@ -13,6 +13,7 @@ ms.localizationpriority: medium ms.audience: itpro ms.reviewer: manager: laurawi +ms.date: 04/24/2020 --- # Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit @@ -37,216 +38,7 @@ manager: laurawi - Surface Pro - Windows 10 -In addition to the traditional deployment method of reimaging devices, administrators that want to upgrade Surface devices that are running Windows 8.1 or Windows 10 have the option of deploying upgrades. By performing an upgrade deployment, Windows 10 can be applied to devices without removing users, apps, or configuration. The users of the deployed devices can simply continue using the devices with the same apps and settings that they used prior to the upgrade. The process described in this article shows how to perform a Windows 10 upgrade deployment to Surface devices. +In addition to the traditional deployment method of reimaging devices, administrators who want to upgrade Surface devices that are running Windows 8.1 or Windows 10 have the option of deploying upgrades. By performing an upgrade deployment, Windows 10 can be applied to devices without removing users, apps, or configuration. The users of the deployed devices can simply continue using the devices with the same apps and settings that they used prior to the upgrade. -If you are not already familiar with the deployment of Windows or the Microsoft deployment tools and technologies, you should read [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) and familiarize yourself with the traditional deployment method before you proceed. +For the latest information about upgrading surface devices using MDT, refer to [Perform an in-place upgrade to Windows 10 with MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit). -#### The upgrade concept - -When you use the factory installation media to install Windows on a device, you are presented with two options or *installation paths* to install Windows on that device. The first of these installation paths – *clean installation* – allows you to apply a factory image of Windows to that device, including all default settings. The second of these installation paths – *upgrade* – allows you to apply Windows to the device but retains the device’s users, apps, and settings. - -When you perform a Windows deployment using traditional deployment methods, you follow an installation path that is very similar to a clean installation. The primary difference between the clean installation and the traditional deployment method of *reimaging* is that with reimaging, you can apply an image that includes customizations. Microsoft deployment technologies, such as the Microsoft Deployment Toolkit (MDT), expand the capabilities of the reimaging process by modifying the image during deployment. For example, MDT is able to inject drivers for a specific hardware configuration during deployment, and with pre and post imaging scripts to perform a number of tasks, such as the installation of applications. - -For versions of Windows prior to Windows 10, if you wanted to install a new version of Windows on your devices and preserve the configuration of those systems, you had to perform additional steps during your deployment. For example, if you wanted to keep the data of users on the device, you had to back up user data with the User State Migration Tool (USMT) prior to the deployment and restore that data after the deployment had completed. - -Introduced with Windows 10 and MDT 2013 Update 1, you can use the upgrade installation path directly with Microsoft deployment technologies such as the Microsoft Deployment Toolkit (MDT). With an upgrade deployment you can use the same deployment technologies and process, but you can preserve users settings, and applications of the existing environment on the device. - -> [!NOTE] -> MDT is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md) - -## Deployment tools and resources - -Performing an upgrade deployment of Windows 10 requires the same tools and resources that are required for a traditional reimaging deployment. You can read about the tools required, including detailed explanations and installation instructions, in [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md). To proceed with the upgrade deployment described in this article, you will need the following tools installed and configured: - -* [Microsoft Deployment Toolkit (MDT)](https://technet.microsoft.com/windows/dn475741) -* [Windows Assessment and Deployment Kit (Windows ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#windowsadk), which includes: - * Deployment Image Servicing and Management (DISM) - * Windows Preinstallation Environment (Windows PE) - * Windows System Image Manager (Windows SIM) - -You will also need to have available the following resources: - -* Windows 10 installation files, such as the installation media downloaded from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx) - - >[!NOTE] - >Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT. -* [Surface firmware and drivers](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10 - -* Application installation files for any applications you want to install, such as the Surface app - -## Prepare the upgrade deployment - -Before you begin the process described in this section, you need to have installed and configured the deployment tools outlined in the previous [Deployment tools and resources](#deployment-tools-and-resources) section. For instructions on how to install and configure the deployment tools, see the **Install the deployment tools** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#install-the-deployment-tools) article. You will also have needed to create a deployment share with MDT, described in the section Create a Deployment Share in the aforementioned article. - -### Import Windows 10 installation files - -Windows 10 installation files only need to be imported if you have not already done so in the deployment share. To import Windows 10 installation files, follow the steps described in the **Import Windows installation files** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#import-windows-installation-files) article. - -### Import Surface drivers -In the import process example shown in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, drivers for Surface Pro 4 were imported for Windows 10. To perform an upgrade deployment of Windows 10 to Surface Pro 3, drivers for Surface Pro 3 must also be imported. To import the Surface drivers for Surface Pro 3, follow these steps: - -1. Download the Surface Pro 3 firmware and driver pack for Windows 10 archive file (.zip), SurfacePro3_Win10_xxxxxx.zip, from the [Surface Pro 3 download page](https://www.microsoft.com/download/details.aspx?id=38826) in the Microsoft Download Center. -2. Extract the contents of the Surface Pro 3 firmware and driver pack archive file to a temporary folder. Keep the driver files separate from other drivers or files. -3. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share. -4. If you have not already created a folder structure by operating system version, you should do so next. Under the **Windows 10 x64** folder, create a new folder for Surface Pro 3 drivers named **Surface Pro 3**. Your Out-of-Box Drivers folder should resemble the following structure: - * WinPE x86 - * WinPE x64 - * Windows 10 x64 - * Microsoft Corporation - * Surface Pro 4 - * Surface Pro 3 -5. Right-click the **Surface Pro 3** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1. - - ![Import Surface Pro 3 drivers for Windows 10](images/surface-upgrademdt-fig1.png "Import Surface Pro 3 drivers for Windows 10") - - *Figure 1. Import Surface Pro 3 drivers for Windows 10* - -6. The Import Driver Wizard displays a series of steps, as follows: - - **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 3 firmware and drivers in Step 1. - - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - - **Progress** – While the drivers are imported, a progress bar is displayed on this page. - - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Drivers Wizard. -7. Select the **Surface Pro 3** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 2. - - ![Drivers for Surface Pro 3 imported and organized in the MDT deployment share](images/surface-upgrademdt-fig2.png "Drivers for Surface Pro 3 imported and organized in the MDT deployment share") - - *Figure 2. Drivers for Surface Pro 3 imported and organized in the MDT deployment share* - -### Import applications - -Installation of applications in an upgrade deployment is not always necessary because the applications from the previous environment will remain on the device. (For example, in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) article, the deployment includes Office 365 which is not required in an upgrade deployment where the user is already using Office 365 on the device.) - -There are still some circumstances where you will want to deploy an application, even during an upgrade deployment. For example, you may have Surface Pro 3 devices on which you would like to add the Surface app. To deploy the Surface app in an upgrade scenario use the same process as you would for a traditional deployment. See the [Deploy Surface app with Microsoft Store for Business](https://technet.microsoft.com/itpro/surface/deploy-surface-app-with-windows-store-for-business) article for instructions on how to add the Surface app to an MDT task sequence. - -### Create the upgrade task sequence - -After you have all of the resources in place to perform the deployment (including the installation files, Surface drivers, and application files), the next step is to create the upgrade task sequence. This task sequence is a series of steps that will be performed on the device being upgraded that applies the new Windows environment, compatible drivers, and any applications you have specified. - -Create the upgrade task sequence with the following process: - -1. In the Deployment Workbench under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard. -2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard: - - **General Settings** – Enter an identifier for the deployment task sequence in the Task Sequence ID field, a name for the deployment task sequence in the Task Sequence Name field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, and then click **Next**. - >[!NOTE] - >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters. - - **Select Template** – Select **Standard Client Upgrade Task Sequence** from the drop-down menu, and then click **Next**. - - **Select OS** – Navigate to and select the Windows image that you imported, and then click **Next**. - - **Specify Product Key** – Select the product key entry that fits your organization’s licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**. - - **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**. - - **Admin Password** – Select **Use the Specified Local Administrator Password** and enter a password in the provided fields, and then click **Next**. - - **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence. - - **Progress** – While the task sequence is being created, a progress bar is displayed on this page. - - **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete New Task Sequence Wizard. - -After the task sequence is created, you can modify some additional settings to provide additional automation of the task sequence and require less interaction during deployment. Follow these steps to modify the task sequence: - -1. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**. -2. Select the **Task Sequence** tab to view the steps that are included in the new task sequence. -3. Select the **Windows Update (Pre-Application Installation)** step, located under the **State Restore** folder. -4. Click the **Options** tab, and then clear the **Disable This Step** check box. -5. Repeat Step 3 and Step 4 for the **Windows Update (Post-Application Installation)** step. -6. Between the two Windows Update steps is an **Install Applications** step. Select that step and then click **Add**. -7. Hover the mouse over **General** under the **Add** menu, and then choose **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3. - - ![A new Install Application step in the deployment task sequence](images/surface-upgrademdt-fig3.png "A new Install Application step in the deployment task sequence") - - *Figure 3. A new Install Application step in the deployment task sequence* - -8. On the **Properties** tab of the new **Install Application** step, enter **Install Surface App** in the **Name** field. -9. Select **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share. -10. Select **Surface App** from the list of applications, and then click **OK**. -11. Expand the **Preinstall** folder and select the **Enable BitLocker (Offline)** step. -12. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu. -13. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 4) configure the following options: - - - **Name** – Set DriverGroup001 - - **Task Sequence Variable** – DriverGroup001 - - **Value** – Windows 10 x64\%Make%\%Model% - - ![Configure a new Set Task Sequence Variable step in the deployment task sequence](images/surface-upgrademdt-fig4.png "Configure a new Set Task Sequence Variable step in the deployment task sequence") - - *Figure 4. Configure a new Set Task Sequence Variable step in the deployment task sequence* - -14. Select the **Inject Drivers** step, the next step in the task sequence. -15. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 5) configure the following options: - * In the **Choose a selection profile** drop-down menu, select **Nothing**. - * Click the **Install all drivers from the selection profile** button. - - ![Configure the deployment task sequence to not install drivers](images/surface-upgrademdt-fig5.png "Configure the deployment task sequence to not install drivers") - - *Figure 5. Configure the deployment task sequence to not install drivers* - -16. Click **OK** to apply changes to the task sequence and close the task sequence properties window. - -Steps 11 through 15 are very important to the deployment of Surface devices. These steps instruct the task sequence to install only drivers that are organized into the correct folder using the organization for drivers from the [Import Surface drivers](#import-surface-drivers) section. - -### Deployment share rules - -To automate the upgrade process, the rules of the MDT deployment share need to be modified to suppress prompts for information from the user. Unlike a traditional deployment, Bootstrap.ini does not need to be modified because the deployment process is not started from boot media. Similarly, boot media does not need to be imported into WDS because it will not be booted over the network with PXE. - -To modify the deployment share rules and suppress the Windows Deployment Wizard prompts for information, copy and paste the following text into the text box on the **Rules** tab of your deployment share properties: - -``` -[Settings] -Priority=Model,Default -Properties=MyCustomProperty - -[Surface Pro 4] -SkipTaskSequence=YES -TaskSequenceID=Win10SP4 - -[Surface Pro 3] -SkipTaskSequence=YES -TaskSequenceID=Win10SP3Up - -[Default] -OSInstall=Y -SkipCapture=YES -SkipAdminPassword=YES -SkipProductKey=YES -SkipComputerBackup=YES -SkipBitLocker=YES -SkipBDDWelcome=YES -SkipUserData=YES -UserDataLocation=AUTO -SkipApplications=YES -SkipPackageDisplay=YES -SkipComputerName=YES -SkipDomainMembership=YES -JoinDomain=contoso.com -DomainAdmin=MDT -DomainAdminDomain=contoso -DomainAdminPassword=P@ssw0rd -SkipLocaleSelection=YES -KeyboardLocale=en-US -UserLocale=en-US -UILanguage=en-US -SkipTimeZone=YES -TimeZoneName=Pacific Standard Time -UserID=MDTUser -UserDomain=STNDeployServer -UserPassword=P@ssw0rd -SkipSummary=YES -SkipFinalSummary=YES -FinishAction=LOGOFF -``` - - - -For more information about the rules configured by this text, see the **Configure deployment share rules** section in the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#configure-deployment-share-rules) article. - -### Update deployment share - -To update the deployment share, right-click the deployment share in the Deployment Workbench and click **Update Deployment Share**, then proceed through the Update Deployment Share Wizard. See the **Update and import updated MDT boot media** section of the [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md#update-and-import-updated-mdt-boot-media) article for detailed steps. - -### Run the upgrade deployment - -Unlike a traditional deployment, the upgrade task sequence must be launched from within the Windows environment that will be upgraded. This requires that a user on the device to be upgraded navigate to the deployment share over the network and launch a script, LiteTouch.vbs. This script is the same script that displays the Windows Deployment Wizard in Windows PE in a traditional deployment. In this scenario, Litetouch.vbs will run within Windows. To perform the upgrade task sequence and deploy the upgrade to Windows 10 follow these steps: - -1. Browse to the network location of your deployment share in File Explorer. -2. Navigate to the **Scripts** folder, locate **LiteTouch.vbs**, and then double-click **LiteTouch.vbs** to start the Windows Deployment Wizard. -3. Enter your credentials when prompted. -4. The upgrade task sequence for Surface Pro 3 devices will automatically start when the model of the device is detected and determined to match the deployment share rules. -5. The upgrade process will occur automatically and without user interaction. - -The task sequence will automatically install the drivers for Surface Pro 3 and the Surface app, and will perform any outstanding Windows Updates. When it completes, it will log out and be ready for the user to log on with the credentials they have always used for this device. diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index c781eb4fea..a2dc196c47 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md @@ -20,7 +20,7 @@ ms.date: 06/16/2016 After you have properly deployed the Microsoft Application Virtualization (App-V) 5.1 sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. **Note**   -For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx). +For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx). **Note** The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index 197cff66cb..29d79221c5 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -18,7 +18,7 @@ ms.topic: article After you have properly deployed the Microsoft Application Virtualization (App-V) sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. -For more information about configuring the App-V sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](). +For more information about configuring the App-V sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx). >[!NOTE] >The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 6ba943ffca..8611ab72a1 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -7,15 +7,12 @@ ms.prod: w10 ms.technology: windows author: lomayor ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 04/16/2020 ms.reviewer: manager: dansimp --- # BitLocker CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro. > [!NOTE] @@ -25,7 +22,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns the setting configured by the admin. -For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if TPM protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength). +For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength). The following diagram shows the BitLocker configuration service provider in tree format. @@ -162,7 +159,7 @@ If you want to disable this policy, use the following SyncML: **EncryptionMethodByDriveType** -Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". +Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". @@ -215,7 +212,7 @@ EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operat EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. - The possible values for 'xx' are: + The possible values for 'xx' are: - 3 = AES-CBC 128 - 4 = AES-CBC 256 @@ -237,7 +234,7 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov chr - <disabled/> + ``` @@ -247,7 +244,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRequireStartupAuthentication** -This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup". +This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".
@@ -284,12 +281,12 @@ ADMX Info: > [!TIP] > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). -This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker. +This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker. > [!NOTE] > Only one of the additional authentication options can be required at startup, otherwise an error occurs. -If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. +If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. @@ -317,13 +314,13 @@ Data id:
  • ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.
    • -The possible values for 'xx' are: +The possible values for 'xx' are: -The possible values for 'yy' are: +The possible values for 'yy' are:
    @@ -408,18 +405,18 @@ Sample value for this node to enable this policy is: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength - - - chr - - <disabled/> - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength + + + chr + + + + ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. @@ -427,7 +424,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRecoveryMessage** -This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" +This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name). @@ -468,11 +465,11 @@ ADMX Info: This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. -If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). +If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). -If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. +If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. -If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. +If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. Sample value for this node to enable this policy is: @@ -480,7 +477,7 @@ Sample value for this node to enable this policy is: ``` -The possible values for 'xx' are: +The possible values for 'xx' are: - 0 = Empty - 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). @@ -495,18 +492,18 @@ The possible values for 'xx' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage - - - chr - - <disabled/> - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage + + + chr + + + + ``` > [!NOTE] @@ -517,7 +514,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRecoveryOptions** -This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name). +This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
    @@ -556,18 +553,18 @@ ADMX Info: This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker. -The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. +The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. -In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. +In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. -Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. +Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. -Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. +Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. -Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. -> [!Note] -> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. +> [!NOTE] +> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. @@ -579,34 +576,34 @@ Sample value for this node to enable this policy is: ``` -The possible values for 'xx' are: +The possible values for 'xx' are: - true = Explicitly allow - false = Policy not set -The possible values for 'yy' are: +The possible values for 'yy' are: - 2 = Allowed - 1 = Required - 0 = Disallowed -The possible values for 'zz' are: +The possible values for 'zz' are: - 2 = Store recovery passwords only - 1 = Store recovery passwords and key packages Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions - - - chr - - <disabled/> - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions + + + chr + + + + ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. @@ -614,7 +611,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **FixedDrivesRecoveryOptions** -This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (). +This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
    @@ -653,19 +650,20 @@ ADMX Info: This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker. -The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. +The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. -In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. +In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. -Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. +Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. -Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. +Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. -Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. -Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS. +Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS. -> [!Note]
    > If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. +> [!NOTE] +> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. @@ -677,13 +675,13 @@ Sample value for this node to enable this policy is: ``` -The possible values for 'xx' are: +The possible values for 'xx' are:
    • true = Explicitly allow
    • false = Policy not set
    -The possible values for 'yy' are: +The possible values for 'yy' are:
    • 2 = Allowed
    • 1 = Required
      • @@ -691,7 +689,7 @@ The possible values for 'yy' are:
    -The possible values for 'zz' are: +The possible values for 'zz' are:
    • 2 = Store recovery passwords only
    • 1 = Store recovery passwords and key packages
      • @@ -700,18 +698,18 @@ The possible values for 'zz' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions - - - chr - - <disabled/> - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions + + + chr + + + + ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. @@ -719,7 +717,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **FixedDrivesRequireEncryption** -This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name). +This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
    @@ -769,18 +767,18 @@ Sample value for this node to enable this policy is: If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption - - - chr - - <disabled/> - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption + + + chr + + + + ``` Data type is string. Supported operations are Add, Get, Replace, and Delete. @@ -788,7 +786,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **RemovableDrivesRequireEncryption** -This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name). +This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
    @@ -829,11 +827,12 @@ This setting configures whether BitLocker protection is required for a computer If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. -If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. +If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. -> [!Note]
    > This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. +> [!NOTE] +> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. Sample value for this node to enable this policy is: @@ -841,7 +840,7 @@ Sample value for this node to enable this policy is: ``` -The possible values for 'xx' are: +The possible values for 'xx' are:
    • true = Explicitly allow
    • false = Policy not set
      • @@ -850,18 +849,18 @@ The possible values for 'xx' are: Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: ```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption - - - chr - - <disabled/> - - + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption + + + chr + + + + ``` @@ -1058,7 +1057,7 @@ Interior node. Supported operation is Get. **Status/DeviceEncryptionStatus** -This node reports compliance state of device encryption on the system. +This node reports compliance state of device encryption on the system.
    @@ -1084,12 +1083,33 @@ This node reports compliance state of device encryption on the system. +Value type is int. Supported operation is Get. + Supported values: - 0 - Indicates that the device is compliant. -- Any other value represents a non-compliant device. +- Any non-zero value - Indicates that the device is not compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table: + +| Bit | Error Code | +|-----|------------| +| 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| +| 1 |The encryption method of the OS volume doesn't match the BitLocker policy.| +| 2 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| +| 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| +| 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| +| 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.| +| 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.| +| 7 |The OS volume is unprotected.| +| 8 |Recovery key backup failed.| +| 9 |A fixed drive is unprotected.| +| 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.| +| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.| +| 12 |Windows Recovery Environment (WinRE) isn't configured.| +| 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. | +| 14 |The TPM isn't ready for BitLocker.| +| 15 |The network isn't available, which is required for recovery key backup. | +| 16-31 |For future use.| -Value type is int. Supported operation is Get. @@ -1211,10 +1231,10 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType - <enabled/> - <data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/> - <data id="EncryptionMethodWithXtsFdvDropDown_Name" value="7"/> - <data id="EncryptionMethodWithXtsRdvDropDown_Name" value="4"/> + + + + @@ -1226,12 +1246,12 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication - <enabled/> - <data id="ConfigureNonTPMStartupKeyUsage_Name" value="true"/> - <data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="2"/> - <data id="ConfigurePINUsageDropDown_Name" value="2"/> - <data id="ConfigureTPMPINKeyUsageDropDown_Name" value="2"/> - <data id="ConfigureTPMUsageDropDown_Name" value="2"/> + + + + + + @@ -1243,8 +1263,8 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength - <enabled/> - <data id="MinPINLength" value="6"/> + + @@ -1256,10 +1276,10 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage - <enabled/> - <data id="RecoveryMessage_Input" value="blablablabla"/> - <data id="PrebootRecoveryInfoDropDown_Name" value="2"/> - <data id="RecoveryUrl_Input" value="blablabla"/> + + + + @@ -1271,14 +1291,14 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions - <enabled/> - <data id="OSAllowDRA_Name" value="true"/> - <data id="OSRecoveryPasswordUsageDropDown_Name" value="2"/> - <data id="OSRecoveryKeyUsageDropDown_Name" value="2"/> - <data id="OSHideRecoveryPage_Name" value="true"/> - <data id="OSActiveDirectoryBackup_Name" value="true"/> - <data id="OSActiveDirectoryBackupDropDown_Name" value="2"/> - <data id="OSRequireActiveDirectoryBackup_Name" value="true"/> + + + + + + + + @@ -1290,14 +1310,14 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions - <enabled/> - <data id="FDVAllowDRA_Name" value="true"/> - <data id="FDVRecoveryPasswordUsageDropDown_Name" value="2"/> - <data id="FDVRecoveryKeyUsageDropDown_Name" value="2"/> - <data id="FDVHideRecoveryPage_Name" value="true"/> - <data id="FDVActiveDirectoryBackup_Name" value="true"/> - <data id="FDVActiveDirectoryBackupDropDown_Name" value="2"/> - <data id="FDVRequireActiveDirectoryBackup_Name" value="true"/> + + + + + + + + @@ -1309,7 +1329,7 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption - <enabled/> + @@ -1321,8 +1341,8 @@ The following example is provided to show proper format and should not be taken ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption - <enabled/> - <data id="RDVCrossOrg" value="true"/> + + @@ -1331,4 +1351,5 @@ The following example is provided to show proper format and should not be taken ``` + diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 487840d670..5ff94676d8 100644 --- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -21,7 +21,7 @@ ms.topic: article - Windows 10 -In Microsoft Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. +In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. - The boot image that is created is based on the version of ADK that is installed. For the purposes of this guide, we will use one server computer: CM01. diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 2e6bb17812..d503946e6f 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -27,7 +27,7 @@ sections: - href: windows-10-deployment-scenarios html:

    Understand the different ways that Windows 10 can be deployed

    image: - src: https://docs.microsoft.com/media/common/i_deploy.svg" + src: https://docs.microsoft.com/media/common/i_deploy.svg title: Windows 10 deployment scenarios - href: update html:

    Update Windows 10 in the enterprise

    diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md index 9dbe7740b3..d125672d4a 100644 --- a/windows/deployment/update/fod-and-lang-packs.md +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -1,6 +1,6 @@ --- -title: Windows 10 - How to make FoD and language packs available when you're using WSUS/SCCM -description: Learn how to make FoD and language packs available when you're using WSUS/SCCM +title: Windows 10 - How to make FoD and language packs available when you're using WSUS or Configuration Manager +description: Learn how to make FoD and language packs available when you're using WSUS or Configuration Manager ms.prod: w10 ms.mktglfcycl: manage @@ -14,7 +14,7 @@ ms.reviewer: manager: laurawi ms.topic: article --- -# How to make Features on Demand and language packs available when you're using WSUS/SCCM +# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager > Applies to: Windows 10 @@ -26,6 +26,6 @@ In Windows 10 version 1709 and 1803, changing the **Specify settings for optiona In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It’s currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location. -For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS or SCCM or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location. +For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location. Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/). diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index ac597ae387..7284fecba7 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -106,7 +106,7 @@ When users start scanning in Windows Update through the Settings panel, the foll |MU|7971f918-a847-4430-9279-4a52d1efe18d| |Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| |OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| -|WSUS or SCCM|Via ServerSelection::ssManagedServer
    3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | +|WSUS or Configuration Manager|Via ServerSelection::ssManagedServer
    3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | |Offline scan service|Via IUpdateServiceManager::AddScanPackageService| #### Finds network faults @@ -117,9 +117,9 @@ Common update failure is caused due to network issues. To find the root of the i - The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. > [!NOTE] - > Warning messages for SLS can be ignored if the search is against WSUS/SCCM. + > Warning messages for SLS can be ignored if the search is against WSUS or Configuration Manager. -- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. +- On sites that only use WSUS or Configuration Manager, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS or Configuration Manager, since it’s locally configured. ![Windows Update scan log 3](images/update-scan-log-3.png) ## Downloading updates diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 102ee54ac9..55e6f693d9 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -18,9 +18,9 @@ ms.topic: article # Monitor Windows Updates with Update Compliance > [!IMPORTANT] -> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. A few retirements are planned, noted below, but are placed **on hold** until the current situation stabilizes. -> * The Windows Defender Antivirus reporting feature of Update Compliance will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). -> * As of March 31, 2020, The Perspectives feature of Update Compliance will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. +> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. Two planned feature removals for Update Compliance – Windows Defender Antivirus reporting and Perspectives – are now scheduled to be removed beginning Monday, May 11, 2020. +> * The retirement of Windows Defender Antivirus reporting will begin Monday, May 11, 2020. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). +> * The Perspectives feature of Update Compliance will be retired Monday, May 11, 2020. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. ## Introduction diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index de0d1957dc..a5d605d778 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -110,7 +110,7 @@ Download mode dictates which download sources clients are allowed to use when do | Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | -|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | +|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | >[!NOTE] >Group mode is a best-effort optimization and should not be relied on for an authentication of identity of devices participating in the group. @@ -119,7 +119,7 @@ Download mode dictates which download sources clients are allowed to use when do By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. -[//]: # (SCCM Boundary Group option; GroupID Source policy) +[//]: # (Configuration Manager Boundary Group option; GroupID Source policy) >[!NOTE] >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 9de80024c2..d37589c3e6 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -54,7 +54,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | Windows Defender definition updates | 1511 | | Office Click-to-Run updates | 1709 | | Win32 apps for Intune | 1709 | -| SCCM Express Updates | 1709 + Configuration Manager version 1711 | +| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 |