From e848456ccf0978da70e561ea683ee2449da877e2 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 4 Mar 2021 21:14:54 -0800 Subject: [PATCH 1/9] Corrections & improvements to layout & presentation --- .../set-up-shared-or-guest-pc.md | 70 +++--- .../deploy-a-windows-10-image-using-mdt.md | 223 +++++++++++------- ...ctive-directory-based-activation-client.md | 34 ++- .../windows-10-subscription-activation.md | 75 ++++-- .../hello-feature-pin-reset.md | 34 ++- ...Onboard-Windows-10-multi-session-device.md | 22 +- .../ltsc/whats-new-windows-10-2019.md | 69 ++++-- 7 files changed, 333 insertions(+), 194 deletions(-) diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 9c1330bdc3..b384589f9d 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -86,24 +86,29 @@ You can configure Windows to be in shared PC mode in a couple different ways: - Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 2. Select **Devices** > **Windows** > **Configuration profiles** > **Create profile**. + 3. Enter the following properties: - - **Platform**: Select **Windows 10 and later**. - - **Profile**: Select **Templates** > **Shared multi-user device**. + - **Platform**: Select **Windows 10 and later**. + - **Profile**: Select **Templates** > **Shared multi-user device**. 4. Select **Create**. + 5. In **Basics**, enter the following properties: - - **Name**: Enter a descriptive name for the new profile. - - **Description**: Enter a description for the profile. This setting is optional, but recommended. + - **Name**: Enter a descriptive name for the new profile. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. 6. Select **Next**. + 7. In **Configuration settings**, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings: 8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**. - ![Shared PC settings in ICD](images/shared_pc_3.png) + > [!div class="mx-imgBorder"] + > ![Shared PC settings in ICD](images/shared_pc_3.png) 9. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 4**. @@ -112,27 +117,27 @@ You can configure Windows to be in shared PC mode in a couple different ways: ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: - -``` -$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" -$sharedPC.EnableSharedPCMode = $True -$sharedPC.SetEduPolicies = $True -$sharedPC.SetPowerPolicies = $True -$sharedPC.MaintenanceStartTime = 0 -$sharedPC.SignInOnResume = $True -$sharedPC.SleepTimeout = 0 -$sharedPC.EnableAccountManager = $True -$sharedPC.AccountModel = 2 -$sharedPC.DeletionPolicy = 1 -$sharedPC.DiskLevelDeletion = 25 -$sharedPC.DiskLevelCaching = 50 -$sharedPC.RestrictLocalStorage = $False -$sharedPC.KioskModeAUMID = "" -$sharedPC.KioskModeUserTileDisplayText = "" -$sharedPC.InactiveThreshold = 0 -Set-CimInstance -CimInstance $sharedPC -Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC -``` + + ```powershell + $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" + $sharedPC.EnableSharedPCMode = $True + $sharedPC.SetEduPolicies = $True + $sharedPC.SetPowerPolicies = $True + $sharedPC.MaintenanceStartTime = 0 + $sharedPC.SignInOnResume = $True + $sharedPC.SleepTimeout = 0 + $sharedPC.EnableAccountManager = $True + $sharedPC.AccountModel = 2 + $sharedPC.DeletionPolicy = 1 + $sharedPC.DiskLevelDeletion = 25 + $sharedPC.DiskLevelCaching = 50 + $sharedPC.RestrictLocalStorage = $False + $sharedPC.KioskModeAUMID = "" + $sharedPC.KioskModeUserTileDisplayText = "" + $sharedPC.InactiveThreshold = 0 + Set-CimInstance -CimInstance $sharedPC + Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC + ``` ### Create a provisioning package for shared use @@ -209,19 +214,24 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac ## Guidance for accounts on shared PCs * We recommend no local admin accounts on the PC to improve the reliability and security of the PC. + * When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out. * On a Windows PC joined to Azure Active Directory: * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. + * Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out. + * If admin accounts are necessary on the PC * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or * Create admin accounts before setting up shared PC mode, or * Create exempt accounts before signing out when turning shared pc mode on. + * The account management service supports accounts that are exempt from deletion. - * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. - * To add the account SID to the registry key using PowerShell:
- ``` + * An account can be marked exempt from deletion by adding the account SID to the registry key:`HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`. + * To add the account SID to the registry key using PowerShell: + + ```powershell $adminName = "LocalAdmin" $adminPass = 'Pa$$word123' iex "net user /add $adminName $adminPass" @@ -232,8 +242,6 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac ``` - - ## Policies set by shared PC mode Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options. diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 355ea08482..889f6b7bbd 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -211,16 +211,17 @@ When you import drivers to the **MDT driver repository**, **MDT** creates a sing The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in an elevated **Windows PowerShell prompt**: -``` powershell +```powershell Get-WmiObject -Class:Win32_ComputerSystem ``` + Or, you can use this command in a normal command prompt: -``` +```console wmic csproduct get name ``` -If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536). +If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536). ![drivers](../images/fig4-oob-drivers.png) @@ -266,7 +267,8 @@ On **MDT01**: For the **ThinkStation P500** model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6. -![ThinkStation image](../images/thinkstation.png) +> [!div class="mx-imgBorder"] +> ![ThinkStation image](../images/thinkstation.png) To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). @@ -368,60 +370,63 @@ On **MDT01**: 1. Right-click the **MDT Production** deployment share and select **Properties**. 2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment): - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - OSInstall=YES - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - AdminPassword=pass@word1 - JoinDomain=contoso.com - DomainAdmin=CONTOSO\MDT_JD - DomainAdminPassword=pass@word1 - MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com - SLShare=\\MDT01\Logs$ - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - WSUSServer=mdt01.contoso.com:8530 - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=NO - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - ``` + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + OSInstall=YES + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + AdminPassword=pass@word1 + JoinDomain=contoso.com + DomainAdmin=CONTOSO\MDT_JD + DomainAdminPassword=pass@word1 + MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com + SLShare=\\MDT01\Logs$ + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + WSUSServer=mdt01.contoso.com:8530 + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=NO + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + ``` 3. Click **Edit Bootstrap.ini** and modify using the following information: -``` -[Settings] -Priority=Default + ``` + [Settings] + Priority=Default -[Default] -DeployRoot=\\MDT01\MDTProduction$ -UserDomain=CONTOSO -UserID=MDT_BA -UserPassword=pass@word1 -SkipBDDWelcome=YES -``` + [Default] + DeployRoot=\\MDT01\MDTProduction$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` 4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. + 5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings: - - In the **Lite Touch Boot Image Settings** area: + + In the **Lite Touch Boot Image Settings** area: + 1. Image description: MDT Production x86 2. ISO file name: MDT Production x86.iso @@ -430,13 +435,19 @@ SkipBDDWelcome=YES >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. + 7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. + 8. On the **General** sub tab, configure the following settings: - - In the **Lite Touch Boot Image Settings** area: + + In the **Lite Touch Boot Image Settings** area: 1. Image description: MDT Production x64 2. ISO file name: MDT Production x64.iso + 9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. + 10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box. + 11. Click **OK**. >[!NOTE] @@ -451,8 +462,7 @@ The Windows PE tab for the x64 boot image. The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. -> ->You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials. +You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials. ### The Bootstrap.ini file @@ -528,32 +538,44 @@ If your organization has a Microsoft Software Assurance agreement, you also can If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following: ->DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**. + +> [!NOTE] +> DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). +> +> MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**. On **MDT01**: 1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\\\x64\\MSDaRT100.msi). + 2. Install DaRT 10 (MSDaRT10.msi) using the default settings. - ![DaRT image](../images/dart.png) + ![DaRT image](../images/dart.png) 2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively. + 3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. + 4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. + 5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox. - ![DaRT selection](../images/mdt-07-fig09.png) + ![DaRT selection](../images/mdt-07-fig09.png) - Selecting the DaRT 10 feature in the deployment share. + Selecting the DaRT 10 feature in the deployment share. 8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. + 9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. + 10. Click **OK**. ### Update the deployment share Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created. + 1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. + 2. Use the default options for the Update Deployment Share Wizard. >[!NOTE] @@ -570,12 +592,14 @@ You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparati On **MDT01**: 1. Open the Windows Deployment Services console, expand the **Servers** node and then expand **MDT01.contoso.com**. + 2. Right-click **Boot Images** and select **Add Boot Image**. + 3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings. -![figure 9](../images/mdt-07-fig10.png) + ![figure 9](../images/mdt-07-fig10.png) -The boot image added to the WDS console. + The boot image added to the WDS console. ### Deploy the Windows 10 client @@ -584,13 +608,15 @@ At this point, you should have a solution ready for deploying the Windows 10 cl On **HV01**: 1. Create a virtual machine with the following settings: - 1. Name: PC0005 - 2. Store the virtual machine in a different location: C:\VM - 3. Generation: 2 - 4. Memory: 2048 MB - 5. Network: Must be able to connect to \\MDT01\MDTProduction$ - 6. Hard disk: 60 GB (dynamic disk) - 7. Installation Options: Install an operating system from a network-based installation server + + - Name: PC0005 + - Store the virtual machine in a different location: C:\VM + - Generation: 2 + - Memory: 2048 MB + - Network: Must be able to connect to \\MDT01\MDTProduction$ + - Hard disk: 60 GB (dynamic disk) + - Installation Options: Install an operating system from a network-based installation server + 2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server. ![figure 10](../images/mdt-07-fig11.png) @@ -598,15 +624,18 @@ On **HV01**: The initial PXE boot process of PC0005. 3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting: - 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image - 2. Computer Name: **PC0005** - 3. Applications: Select the **Install - Adobe Reader** checkbox. + + - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image + - Computer Name: **PC0005** + - Applications: Select the **Install - Adobe Reader** checkbox. + 4. Setup now begins and does the following: + 1. Installs the Windows 10 Enterprise operating system. 2. Installs the added application. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. -![pc0005 image1](../images/pc0005-vm.png) + ![pc0005 image1](../images/pc0005-vm.png) ### Application installation @@ -621,12 +650,14 @@ Since you have enabled the monitoring on the MDT Production deployment share, yo On **MDT01**: 1. In the Deployment Workbench, expand the **MDT Production** deployment share folder. + 2. Select the **Monitoring** node, and wait until you see PC0005. + 3. Double-click PC0005, and review the information. -![figure 11](../images/mdt-07-fig13.png) + ![figure 11](../images/mdt-07-fig13.png) -The Monitoring node, showing the deployment progress of PC0005. + The Monitoring node, showing the deployment progress of PC0005. ### Use information in the Event Viewer @@ -673,15 +704,18 @@ To filter what is being added to the media, you create a selection profile. When On **MDT01**: 1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**. + 2. Use the following settings for the New Selection Profile Wizard: - 1. General Settings - - Selection profile name: Windows 10 Offline Media - 2. Folders - 1. Applications / Adobe - 2. Operating Systems / Windows 10 - 3. Out-Of-Box Drivers / WinPE x64 - 4. Out-Of-Box Drivers / Windows 10 x64 - 5. Task Sequences / Windows 10 + + - General Settings + - Selection profile name: Windows 10 Offline Media + + - Folders + - Applications / Adobe + - Operating Systems / Windows 10 + - Out-Of-Box Drivers / WinPE x64 + - Out-Of-Box Drivers / Windows 10 x64 + - Task Sequences / Windows 10 ![offline media](../images/mdt-offline-media.png) @@ -695,10 +729,11 @@ In these steps, you generate offline media from the MDT Production deployment sh >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media. 2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. + 3. Use the following settings for the New Media Wizard: - General Settings - 1. Media path: **D:\\MDTOfflineMedia** - 2. Selection profile: **Windows 10 Offline Media** + - Media path: **D:\\MDTOfflineMedia** + - Selection profile: **Windows 10 Offline Media** ### Configure the offline media @@ -707,16 +742,22 @@ Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini fi On **MDT01**: 1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. + 2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**. + 3. In the **General** tab, configure the following: - 1. Clear the Generate x86 boot image check box. - 2. ISO file name: Windows 10 Offline Media.iso + - Clear the Generate x86 boot image check box. + - ISO file name: Windows 10 Offline Media.iso + 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. + 5. On the **General** sub tab, configure the following settings: - 1. In the **Lite Touch Boot Image Settings** area: - - Image description: MDT Production x64 - 2. In the **Windows PE Customizations** area, set the Scratch space size to 128. + - In the **Lite Touch Boot Image Settings** area: + - Image description: MDT Production x64 + - In the **Windows PE Customizations** area, set the Scratch space size to 128. + 6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. + 7. Click **OK**. ### Generate the offline media @@ -726,6 +767,7 @@ You have now configured the offline media deployment share, however the share ha On **MDT01**: 1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node. + 2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes. ### Create a bootable USB stick @@ -738,10 +780,15 @@ The ISO that you got when updating the offline media item can be burned to a DVD Follow these steps to create a bootable USB stick from the offline media content: 1. On a physical machine running Windows 7 or later, insert the USB stick you want to use. + 2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick. + 3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. + 4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. + 5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). + 6. In the Diskpart utility, type **active**, and then type **exit**. ## Unified Extensible Firmware Interface (UEFI)-based deployments diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 1d42b159e5..3bf28483bf 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -49,10 +49,13 @@ The process proceeds as follows: 1. Perform one of the following tasks: - Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard. - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT. + 1. Microsoft verifies the KMS host key, and an activation object is created. + 1. Client computers are activated by receiving the activation object from a domain controller during startup. - ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) + > [!div class="mx-imgBorder"] + > ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) **Figure 10**. The Active Directory-based activation flow @@ -72,7 +75,9 @@ When a reactivation event occurs, the client queries AD DS for the activation o **To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:** 1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. + 1. Launch Server Manager. + 1. Add the Volume Activation Services role, as shown in Figure 11. ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg) @@ -101,18 +106,17 @@ When a reactivation event occurs, the client queries AD DS for the activation o ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg) + **Figure 15**. Choosing how to activate your product + > [!NOTE] > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. - - - - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584) - - - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164) - - - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342) - - - **Figure 15**. Choosing how to activate your product + > + > + > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584) + > + > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164) + > + > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342) 1. After activating the key, click **Commit**, and then click **Close**. @@ -121,15 +125,21 @@ When a reactivation event occurs, the client queries AD DS for the activation o To verify your Active Directory-based activation configuration, complete the following steps: 1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. + 1. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. + 1. If the computer is not joined to your domain, join it to the domain. + 1. Sign in to the computer. + 1. Open Windows Explorer, right-click **Computer**, and then click **Properties**. + 1. Scroll down to the **Windows activation** section, and verify that this client has been activated. > [!NOTE] > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used. -> To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool). + > + > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool). ## See also diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 9fb64c43d7..2c46f21b47 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -106,21 +106,29 @@ To resolve this issue: If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal. If the device is running Windows 10, version 1809 or later: -1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. -2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below: -![Subscription Activation with MFA example 1](images/sa-mfa1.png)
-![Subscription Activation with MFA example 2](images/sa-mfa2.png)
-![Subscription Activation with MFA example 3](images/sa-mfa3.png) +- Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. + +- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below: + + ![Subscription Activation with MFA example 1](images/sa-mfa1.png)
+ + ![Subscription Activation with MFA example 2](images/sa-mfa2.png)
+ + ![Subscription Activation with MFA example 3](images/sa-mfa3.png) ### Windows 10 Education requirements -1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. -2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation. -3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. -4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. +- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. -> If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. +- A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation. + +- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. + +- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. + +> [!IMPORTANT] +> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. ## Benefits @@ -132,11 +140,15 @@ With Windows 10 Enterprise or Windows 10 Education, businesses and institutions You can benefit by moving to Windows as an online service in the following ways: -1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. -2. User logon triggers a silent edition upgrade, with no reboot required -3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. -4. Compliance support via seat assignment. -5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. +- Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. + +- User logon triggers a silent edition upgrade, with no reboot required. + +- Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. + +- Compliance support via seat assignment. + +- Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. ## How it works @@ -158,26 +170,35 @@ Before Windows 10, version 1903:
After Windows 10, version 1903:
![1903](images/after.png) -Note: -1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). -2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). +> [!NOTE] +> +> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). +> +> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). ### Scenarios -**Scenario #1**:  You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). +#### Scenario #1 + +You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. -**Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). +#### Scenario #2 + +You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: -
+```console
 cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
+``` The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. -**Scenario #3**:  Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. +#### Scenario #3 + +Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above. @@ -205,7 +226,7 @@ If you are using Windows 10, version 1607, 1703, or 1709 and have already deploy If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: -
+```console
 @echo off
 FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO  (
 SET "ProductKey=%%A"
@@ -219,18 +240,24 @@ echo No key present
 echo Installing %ProductKey%
 changepk.exe /ProductKey %ProductKey%
 )
-
+``` ### Obtaining an Azure AD license Enterprise Agreement/Software Assurance (EA/SA): + - Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea). + - The license administrator can assign seats to Azure AD users with the same process that is used for O365. + - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. Microsoft Products & Services Agreements (MPSA): + - Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions. + - Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service. + - New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method. ### Deploying licenses diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 35853c7fd0..6ebb39c015 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -44,44 +44,60 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se ### Connect Azure Active Directory with the PIN reset service 1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. + 2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. - ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) + + ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) + 3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. + 4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. - ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) + + ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) -> [!NOTE] -> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. + > [!NOTE] + > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. 5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. - ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png) + + ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png) ### Configure Windows devices to use PIN reset using Group Policy You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. + 2. Edit the Group Policy object from Step 1. + 3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. + 4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. #### Create a PIN Reset Device configuration profile using Microsoft Intune 1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account. + 2. Click **Endpoint Security** > **Account Protection** > **Properties**. + 3. Set **Enable PIN recovery** to **Yes**. > [!NOTE] > You can also setup PIN recovery using configuration profiles. > 1. Sign in to Endpoint Manager. +> > 2. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type. +> > 3. Set **Enable PIN recovery** to **Yes**. #### Assign the PIN Reset Device configuration profile using Microsoft Intune 1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account. + 2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration. + 3. In the device configuration profile, select **Assignments**. + 4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. ## On-premises Deployments @@ -106,10 +122,10 @@ On-premises deployments provide users with the ability to reset forgotten PINs e #### Reset PIN above the Lock Screen - 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in - 2. Enter your password and press enter. - 3. Follow the instructions provided by the provisioning process - 4. When finished, unlock your desktop using your newly created PIN. +1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in +2. Enter your password and press enter. +3. Follow the instructions provided by the provisioning process +4. When finished, unlock your desktop using your newly created PIN. You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations). diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md index 034d227013..2950bc11b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -64,24 +64,36 @@ Follow the instructions for a single entry for each device. This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way. #### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center -1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) - - In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**. - - Select Windows 10 as the operating system. - - In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints. - - Click **Download package** and save the .zip file. + +1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip). + + 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**. + 1. Select Windows 10 as the operating system. + 1. In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints. + 1. Click **Download package** and save the .zip file. + 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**. #### Use Group Policy management console to run the script when the virtual machine starts + 1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. + 2. In the Group Policy Management Editor, go to **Computer configuration** > **Preferences** > **Control panel settings**. + 3. Right-click **Scheduled tasks**, click **New**, and then select **Immediate Task** (At least Windows 7). + 4. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. `NT AUTHORITY\SYSTEM` appears as the user account under which the task will run. + 5. Select **Run whether user is logged on or not** and select the **Run with highest privileges** option. + 6. Go to the **Actions** tab and select **New**. Confirm that **Start a program** is selected in the **Action** field. + 7. Specify the following:
+ - Action = **Start a program** - Program/Script = `C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe` - Add Arguments (optional) = `-ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"` + 8. Select **OK** and close any open GPMC windows. ### Scenario 3: Onboarding using management tools diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 072625e781..d5b506f46e 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use ## Microsoft Intune ->Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching. +Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching. ## Security @@ -172,10 +172,16 @@ For example, you can choose the XTS-AES 256 encryption algorithm, and have it ap To achieve this: 1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. + 2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. - - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. + + > [!IMPORTANT] + > The encryption policy must be assigned to **devices** in the group, not users. + 3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. + + > [!IMPORTANT] + > If the ESP is not enabled, the policy will not apply before encryption starts. ### Identity protection @@ -190,7 +196,7 @@ New features in [Windows Hello for Business](/windows/security/identity-protecti - For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. - For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). -[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. +[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). - Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). - Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. - Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. @@ -204,7 +210,10 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. -Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. + +> [!NOTE] +> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). @@ -277,14 +286,12 @@ For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). The following new DISM commands have been added to manage feature updates: - DISM /Online /Initiate-OSUninstall - – Initiates a OS uninstall to take the computer back to the previous installation of windows. - DISM /Online /Remove-OSUninstall - – Removes the OS uninstall capability from the computer. - DISM /Online /Get-OSUninstallWindow - – Displays the number of days after upgrade during which uninstall can be performed. - DISM /Online /Set-OSUninstallWindow - – Sets the number of days after upgrade during which uninstall can be performed. +| Command | Description | +|---------|-------------| +| **DISM /Online /Initiate-OSUninstall** | Initiates a OS uninstall to take the computer back to the previous installation of windows. | +| **DISM /Online /Remove-OSUninstall** | Removes the OS uninstall capability from the computer. | +| **DISM /Online /Get-OSUninstallWindow** | Displays the number of days after upgrade during which uninstall can be performed. | +| **DISM /Online /Set-OSUninstallWindow** | Sets the number of days after upgrade during which uninstall can be performed. | For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). @@ -300,18 +307,17 @@ For more information, see [Run custom actions during feature update](https://doc It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. - /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}] + `/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]` For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) New command-line switches are also available to control BitLocker: - Setup.exe /BitLocker AlwaysSuspend - – Always suspend bitlocker during upgrade. - Setup.exe /BitLocker TryKeepActive - – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. - Setup.exe /BitLocker ForceKeepActive - – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. +| Command | Description | +|---------|-------------| +| **Setup.exe /BitLocker AlwaysSuspend** | Always suspend bitlocker during upgrade. | +| **Setup.exe /BitLocker TryKeepActive** | Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. | +| **Setup.exe /BitLocker ForceKeepActive** | Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. | For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) @@ -332,20 +338,27 @@ SetupDiag works by searching Windows Setup log files. When searching log files, If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! **To enable fast sign-in:** + 1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019. + 2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. + 3. Sign-in to a shared PC with your account. You'll notice the difference! - ![fast sign-in](../images/fastsignin.png "fast sign-in") + ![fast sign-in](../images/fastsignin.png "fast sign-in") ### Web sign-in to Windows 10 Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing "web sign-in," a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). **To try out web sign-in:** + 1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). + 2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. + 3. On the lock screen, select web sign-in under sign-in options. + 4. Click the "Sign in" button to continue. ![Web sign-in](../images/websignin.png "web sign-in") @@ -386,7 +399,7 @@ Maintaining devices is made easier with Device Health, a new, premium analytic t ### Accessibility -"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. +"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/), a blog post. ### Privacy @@ -433,7 +446,9 @@ Previously, the customized taskbar could only be deployed using Group Policy or [Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: - Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) + - Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) + - Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). ## Windows Update @@ -564,11 +579,11 @@ Several network stack enhancements are available in this release. Some of these In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). -How it works: +#### How it works Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. -Miracast over Infrastructure offers a number of benefits: +#### Miracast over Infrastructure offers a number of benefits - Windows automatically detects when sending the video stream over this path is applicable. - Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. @@ -577,15 +592,18 @@ Miracast over Infrastructure offers a number of benefits: - It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. - It leverages an existing connection which both reduces the time to connect and provides a very stable stream. -Enabling Miracast over Infrastructure: +#### Enabling Miracast over Infrastructure If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: - The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS. + - A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. + - The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. + - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. @@ -603,6 +621,7 @@ Azure Active Directory and Active Directory users using Windows Hello for Busine To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. - Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. + - Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. See the following example: From 427964fbb7433bf86ba565d971d020b62ba352af Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 4 Mar 2021 21:55:21 -0800 Subject: [PATCH 2/9] Second pass: more fixes and refinements --- .../deploy-a-windows-10-image-using-mdt.md | 133 ++++++++++++------ .../hello-feature-pin-reset.md | 3 +- .../ltsc/whats-new-windows-10-2019.md | 37 +++-- 3 files changed, 116 insertions(+), 57 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 889f6b7bbd..db0ffaf0a2 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -61,18 +61,19 @@ On **DC01**: ``` The following is a list of the permissions being granted: - a. Scope: This object and all descendant objects - b. Create Computer objects - c. Delete Computer objects - d. Scope: Descendant Computer objects - e. Read All Properties - f. Write All Properties - g. Read Permissions - h. Modify Permissions - i. Change Password - j. Reset Password - k. Validated write to DNS host name - l. Validated write to service principal name + +- Scope: This object and all descendant objects +- Create Computer objects +- Delete Computer objects +- Scope: Descendant Computer objects +- Read All Properties +- Write All Properties +- Read Permissions +- Modify Permissions +- Change Password +- Reset Password +- Validated write to DNS host name +- Validated write to service principal name ## Step 2: Set up the MDT production deployment share @@ -85,11 +86,17 @@ On **MDT01**: The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: 1. Ensure you are signed on as: contoso\administrator. + 2. In the **Deployment Workbench** console, right-click **Deployment Shares** and select **New Deployment Share**. + 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. + 4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. + 5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. + 6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. + 7. Using **File Explorer**, verify that you can access the **\\\\MDT01\\MDTProduction$** share. ### Configure permissions for the production deployment share @@ -99,6 +106,7 @@ To read files in the deployment share, you need to assign **NTFS** and **SMB** p On **MDT01**: 1. Ensure you are signed in as **contoso\\administrator**. + 2. Modify the **NTFS** permissions for the **D:\\MDTProduction** folder by running the following command in an elevated **Windows PowerShell prompt**: ``` powershell @@ -115,11 +123,17 @@ The next step is to add a reference image into the deployment share with the set In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on **MDT01**. 1. Using the **Deployment Workbench**, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a **folder** named **Windows 10**. + 2. Right-click the **Windows 10** folder and select **Import Operating System**. + 3. On the **OS Type** page, select **Custom image file** and click **Next**. + 4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**. + 5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**. + 6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**. + 7. After adding the **Operating System**, double-click the added **Operating System** name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**. > [!NOTE] @@ -137,19 +151,28 @@ When you configure your **MDT Build Lab deployment** share, you can also add **a On **MDT01**: 1. Download the Enterprise distribution version of [**Adobe Acrobat Reader DC**](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100120140_en_US.exe) to **D:\\setup\\adobe** on MDT01. + 2. Extract the **.exe** file that you downloaded to a **.msi** (ex: .\AcroRdrDC2100120140_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). + 3. In the **Deployment Workbench**, expand the **MDT Production** node and navigate to the **Applications** node. + 4. Right-click the **Applications** node, and create a new folder named **Adobe**. + 5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**. + 6. On the **Application Type** page, select the **Application with source files** option and click **Next**. + 7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**. + 8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**. + 9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**. + 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**. -![acroread image](../images/acroread.png) + ![acroread image](../images/acroread.png) -The Adobe Reader application added to the Deployment Workbench. + The Adobe Reader application added to the Deployment Workbench. ## Step 5: Prepare the drivers repository @@ -174,10 +197,12 @@ On **MDT01**: > In the steps below, it is critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. 1. Using **File Explorer**, create the **D:\\drivers** folder. + 2. In the **D:\\drivers** folder, create the following folder structure: - 1. **WinPE x86** - 2. **WinPE x64** - 3. **Windows 10 x64** + - **WinPE x86** + - **WinPE x64** + - **Windows 10 x64** + 3. In the new **Windows 10 x64** folder, create the following folder structure: - Dell Inc - Latitude E7450 @@ -195,10 +220,12 @@ On **MDT01**: When you import drivers to the **MDT driver repository**, **MDT** creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. 1. On **MDT01**, using Deployment Workbench, select the **Out-of-Box Drivers** node. + 2. In the **Out-Of-Box Drivers** node, create the following folder structure: - 1. **WinPE x86** - 2. **WinPE x64** - 3. **Windows 10 x64** + - **WinPE x86** + - **WinPE x64** + - **Windows 10 x64** + 3. In the **Windows 10 x64** folder, create the following folder structure: - Dell Inc - Latitude E7450 @@ -235,19 +262,22 @@ The drivers that are used for the boot images (Windows PE) are Windows 10 driver On **MDT01**: 1. In the **Deployment Workbench**, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. + 2. In the **New Selection Profile Wizard**, create a **selection profile** with the following settings: - 1. Selection Profile name: **WinPE x86** - 2. Folders: Select the **WinPE x86 folder** in **Out-of-Box Drivers**. - 3. Click **Next**, **Next**, and **Finish**. + - Selection Profile name: **WinPE x86** + - Folders: Select the **WinPE x86 folder** in **Out-of-Box Drivers**. + - Click **Next**, **Next**, and **Finish**. + 3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**. + 4. In the **New Selection Profile Wizard**, create a **selection profile** with the following settings: - 1. Selection Profile name: **WinPE x64** - 2. Folders: Select the **WinPE x64 folder** in **Out-of-Box Drivers**. - 3. Click **Next**, **Next**, and **Finish**. + - Selection Profile name: **WinPE x64** + - Folders: Select the **WinPE x64 folder** in **Out-of-Box Drivers**. + - Click **Next**, **Next**, and **Finish**. -![figure 5](../images/fig5-selectprofile.png) + ![figure 5](../images/fig5-selectprofile.png) -Creating the WinPE x64 selection profile. + Creating the WinPE x64 selection profile. ### Extract and import drivers for the x64 boot image @@ -256,9 +286,13 @@ Creating the WinPE x64 selection profile. On **MDT01**: 1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)). + 2. Extract **PROWinx64.exe** to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. Note that extracting the **.exe** file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the **.exe** terminates. + 3. Using **File Explorer**, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. + 4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. + 5. In the **Deployment Workbench**, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, select **Import Drivers**, and use the following driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**. ### Download, extract, and import drivers @@ -277,9 +311,12 @@ In this example, we assume you have downloaded and extracted the drivers using T On **MDT01**: 1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node. -2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** -The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers. +2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: + + **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** + + The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers. ### For the Latitude E7450 @@ -290,7 +327,10 @@ In these steps, we assume you have downloaded and extracted the CAB file for the On **MDT01**: 1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc** node. -2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450** + +2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: + + **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450** ### For the HP EliteBook 8560w @@ -301,7 +341,10 @@ In these steps, we assume you have downloaded and extracted the drivers for the On **MDT01**: 1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node. -2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** + +2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: + + **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** ### For the Microsoft Surface Laptop @@ -310,7 +353,10 @@ For the Microsoft Surface Laptop model, you find the drivers on the Microsoft we On **MDT01**: 1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node. -2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** + +2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: + + **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** ## Step 6: Create the deployment task sequence @@ -321,17 +367,18 @@ This section will show you how to create the task sequence used to deploy your p On **MDT01**: 1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**. + 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - 1. Task sequence ID: W10-X64-001 - 2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image - 3. Task sequence comments: Production Image - 4. Template: Standard Client Task Sequence - 5. Select OS: Windows 10 Enterprise x64 RTM Custom Image - 6. Specify Product Key: Do not specify a product key at this time - 7. Full Name: Contoso - 8. Organization: Contoso - 9. Internet Explorer home page: https://www.contoso.com - 10. Admin Password: Do not specify an Administrator Password at this time + - Task sequence ID: W10-X64-001 + - Task sequence name: Windows 10 Enterprise x64 RTM Custom Image + - Task sequence comments: Production Image + - Template: Standard Client Task Sequence + - Select OS: Windows 10 Enterprise x64 RTM Custom Image + - Specify Product Key: Do not specify a product key at this time + - Full Name: Contoso + - Organization: Contoso + - Internet Explorer home page: https://www.contoso.com + - Admin Password: Do not specify an Administrator Password at this time ### Edit the Windows 10 task sequence diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 6ebb39c015..2e3246f6ed 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -60,7 +60,8 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se 5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. - ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png) + > [!div class="mx-imgBorder"] + > ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png) ### Configure Windows devices to use PIN reset using Group Policy diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index d5b506f46e..bbe58c62c1 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -254,7 +254,8 @@ A new security policy setting We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: -![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") +> [!div class="mx-imgBorder"] +> ![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") ## Deployment @@ -286,12 +287,17 @@ For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). The following new DISM commands have been added to manage feature updates: -| Command | Description | -|---------|-------------| -| **DISM /Online /Initiate-OSUninstall** | Initiates a OS uninstall to take the computer back to the previous installation of windows. | -| **DISM /Online /Remove-OSUninstall** | Removes the OS uninstall capability from the computer. | -| **DISM /Online /Get-OSUninstallWindow** | Displays the number of days after upgrade during which uninstall can be performed. | -| **DISM /Online /Set-OSUninstallWindow** | Sets the number of days after upgrade during which uninstall can be performed. | +- **DISM /Online /Initiate-OSUninstall** + - Initiates a OS uninstall to take the computer back to the previous installation of windows. + +- **DISM /Online /Remove-OSUninstall** + - Removes the OS uninstall capability from the computer. + +- **DISM /Online /Get-OSUninstallWindow** + - Displays the number of days after upgrade during which uninstall can be performed. + +- **DISM /Online /Set-OSUninstallWindow** + - Sets the number of days after upgrade during which uninstall can be performed. For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). @@ -307,17 +313,20 @@ For more information, see [Run custom actions during feature update](https://doc It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. - `/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]` +`/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]` For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) New command-line switches are also available to control BitLocker: -| Command | Description | -|---------|-------------| -| **Setup.exe /BitLocker AlwaysSuspend** | Always suspend bitlocker during upgrade. | -| **Setup.exe /BitLocker TryKeepActive** | Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. | -| **Setup.exe /BitLocker ForceKeepActive** | Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. | +- **Setup.exe /BitLocker AlwaysSuspend** + - Always suspend bitlocker during upgrade. + +- **Setup.exe /BitLocker TryKeepActive** + - Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. + +- **Setup.exe /BitLocker ForceKeepActive** + - Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) @@ -627,7 +636,9 @@ To get started, sign into your device using Windows Hello for Business. Bring up See the following example: ![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") + ![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") + ![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") ## See Also From 3d02739f0d383733a6e49b7a40ec7dfe81a36589 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 4 Mar 2021 22:03:27 -0800 Subject: [PATCH 3/9] Acrolinx: "bitlocker" and "Azure Portal" --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 2e3246f6ed..e0b41cbef2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -93,7 +93,7 @@ You configure Windows 10 to use the Microsoft PIN Reset service using the comput #### Assign the PIN Reset Device configuration profile using Microsoft Intune -1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account. +1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account. 2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index bbe58c62c1..592e559c29 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -320,13 +320,13 @@ For more information, see [Windows Setup Command-Line Options](https://docs.micr New command-line switches are also available to control BitLocker: - **Setup.exe /BitLocker AlwaysSuspend** - - Always suspend bitlocker during upgrade. + - Always suspend BitLocker during upgrade. - **Setup.exe /BitLocker TryKeepActive** - - Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. + - Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade. - **Setup.exe /BitLocker ForceKeepActive** - - Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. + - Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade. For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) From f8093999bc1b2489852fbe933dac4231a9502001 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 5 Mar 2021 07:35:51 -0800 Subject: [PATCH 4/9] Spacing, markup, and missing periods --- .../deploy-a-windows-10-image-using-mdt.md | 62 +++++++++++-------- .../windows-10-subscription-activation.md | 4 +- .../ltsc/whats-new-windows-10-2019.md | 9 +-- 3 files changed, 42 insertions(+), 33 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index db0ffaf0a2..2a53ee6346 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -46,6 +46,7 @@ These steps will show you how to configure an Active Directory account with the On **DC01**: 1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit. + 2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**: ```powershell @@ -383,25 +384,30 @@ On **MDT01**: ### Edit the Windows 10 task sequence 1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**. -2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: - 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: - 1. Name: Set DriverGroup001 - 2. Task Sequence Variable: DriverGroup001 - 3. Value: Windows 10 x64\\%Make%\\%Model% - 2. Configure the **Inject Drivers** action with the following settings: - 1. Choose a selection profile: Nothing - 2. Install all drivers from the selection profile - >[!NOTE] - >The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. +2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: + + 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: + - Name: Set DriverGroup001 + - Task Sequence Variable: DriverGroup001 + - Value: Windows 10 x64\\%Make%\\%Model% + + 2. Configure the **Inject Drivers** action with the following settings: + - Choose a selection profile: Nothing + - Install all drivers from the selection profile + + > [!NOTE] + > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. + 4. State Restore. Enable the **Windows Update (Post-Application Installation)** action. + 3. Click **OK**. -![drivergroup](../images/fig6-taskseq.png) + ![drivergroup](../images/fig6-taskseq.png) -The task sequence for production deployment. + The task sequence for production deployment. ## Step 7: Configure the MDT production deployment share @@ -474,12 +480,12 @@ On **MDT01**: In the **Lite Touch Boot Image Settings** area: - 1. Image description: MDT Production x86 - 2. ISO file name: MDT Production x86.iso + - Image description: MDT Production x86 + - ISO file name: MDT Production x86.iso - > [!NOTE] - > - >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. + > [!NOTE] + > + > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. @@ -488,8 +494,9 @@ On **MDT01**: 8. On the **General** sub tab, configure the following settings: In the **Lite Touch Boot Image Settings** area: - 1. Image description: MDT Production x64 - 2. ISO file name: MDT Production x64.iso + + - Image description: MDT Production x64 + - ISO file name: MDT Production x64.iso 9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. @@ -497,13 +504,12 @@ On **MDT01**: 11. Click **OK**. ->[!NOTE] ->It will take a while for the Deployment Workbench to create the monitoring database and web service. + >[!NOTE] + >It will take a while for the Deployment Workbench to create the monitoring database and web service. + ![figure 8](../images/mdt-07-fig08.png) -![figure 8](../images/mdt-07-fig08.png) - -The Windows PE tab for the x64 boot image. + The Windows PE tab for the x64 boot image. ### The rules explained @@ -514,6 +520,7 @@ You can optionally remove the **UserID** and **UserPassword** entries from Boots ### The Bootstrap.ini file This is the MDT Production Bootstrap.ini: + ``` [Settings] Priority=Default @@ -529,6 +536,7 @@ SkipBDDWelcome=YES ### The CustomSettings.ini file This is the CustomSettings.ini file with the new join domain information: + ``` [Settings] Priority=Default @@ -734,9 +742,9 @@ On **MDT01**: 3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**. 4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created. -![figure 13](../images/mdt-07-fig15.png) + ![figure 13](../images/mdt-07-fig15.png) -The newly created multicast namespace. + The newly created multicast namespace. ## Use offline media to deploy Windows 10 @@ -822,7 +830,7 @@ On **MDT01**: The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) >[!TIP] ->In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
 
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
 
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
 
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\True\), so this must be changed and the offline media content updated. +>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
 
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
 
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
 
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`True`), so this must be changed and the offline media content updated. Follow these steps to create a bootable USB stick from the offline media content: diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 2c46f21b47..8d39946e05 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -121,7 +121,7 @@ If the device is running Windows 10, version 1809 or later: - Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. -- A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation. +- A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**. - The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. @@ -152,7 +152,7 @@ You can benefit by moving to Windows as an online service in the following ways: ## How it works -The device is AAD joined from Settings > Accounts > Access work or school. +The device is AAD joined from **Settings > Accounts > Access work or school**. The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 592e559c29..456e3466fb 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -328,7 +328,7 @@ New command-line switches are also available to control BitLocker: - **Setup.exe /BitLocker ForceKeepActive** - Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade. -For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33). ### Feature update improvements @@ -426,7 +426,7 @@ If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.micro Intune and Microsoft Endpoint Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. -For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) +For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803). ### OS uninstall period @@ -505,7 +505,7 @@ Added policies include: - [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) - [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) -To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) +To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization). ### Uninstalled in-box apps no longer automatically reinstall @@ -615,7 +615,8 @@ If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, t - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. +> [!IMPORTANT] +> Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. ## Registry editor improvements From 35b35e492b9b89565f59be2fe82f4389062f9f5c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 5 Mar 2021 09:15:55 -0800 Subject: [PATCH 5/9] More improvements for spacing and markup --- .../set-up-shared-or-guest-pc.md | 2 +- .../deploy-a-windows-10-image-using-mdt.md | 5 +++- .../windows-10-subscription-activation.md | 7 +++++ .../ltsc/whats-new-windows-10-2019.md | 26 +++++++++++++++++-- 4 files changed, 36 insertions(+), 4 deletions(-) diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index b384589f9d..d84bf41c84 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -228,7 +228,7 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac * Create exempt accounts before signing out when turning shared pc mode on. * The account management service supports accounts that are exempt from deletion. - * An account can be marked exempt from deletion by adding the account SID to the registry key:`HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`. + * An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`. * To add the account SID to the registry key using PowerShell: ```powershell diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 2a53ee6346..ed7461ad5c 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -288,7 +288,10 @@ On **MDT01**: 1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)). -2. Extract **PROWinx64.exe** to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. Note that extracting the **.exe** file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the **.exe** terminates. +2. Extract **PROWinx64.exe** to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. + + > [!NOTE] + > Extracting the **.exe** file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the **.exe** terminates. 3. Using **File Explorer**, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 8d39946e05..16a70ae7dc 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -68,12 +68,19 @@ The following figure illustrates how deploying Windows 10 has evolved with each ![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png) - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
+ - **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.
+ - **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU.  This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
+ - **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
+ - **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
+ - **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
+ - **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
+ - **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. ## Requirements diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 456e3466fb..1fb4dffbde 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -100,24 +100,37 @@ Endpoint detection and response is improved. Enterprise customers can now take a - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. **Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: -- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. Additional capabilities have been added to help you gain a holistic view on **investigations** include: + - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + - [Query data using Advanced hunting in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) + - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) + - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. + - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint. Other enhanced security features include: + - [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues. + - [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. + - [Integration with Azure Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. + - [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines. + - [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. + - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor. + - [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. @@ -192,16 +205,25 @@ Improvements have been added are to Windows Hello for Business and Credential Gu New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) include: + - You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). + - For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. + - For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). [Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). + - Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). + - Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. + - Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. + - You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. + - New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. + - It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) @@ -288,7 +310,7 @@ For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). The following new DISM commands have been added to manage feature updates: - **DISM /Online /Initiate-OSUninstall** - - Initiates a OS uninstall to take the computer back to the previous installation of windows. + - Initiates an OS uninstall to take the computer back to the previous installation of windows. - **DISM /Online /Remove-OSUninstall** - Removes the OS uninstall capability from the computer. From a15119f99d354c12c63811216153f6d2fda15352 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 5 Mar 2021 10:28:17 -0800 Subject: [PATCH 6/9] Spacing and markup --- .../deploy-a-windows-10-image-using-mdt.md | 34 +++++++++---------- .../windows-10-subscription-activation.md | 2 +- .../hello-feature-pin-reset.md | 2 +- ...Onboard-Windows-10-multi-session-device.md | 2 +- .../ltsc/whats-new-windows-10-2019.md | 2 +- 5 files changed, 21 insertions(+), 21 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index ed7461ad5c..baf64f9c7e 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -61,20 +61,20 @@ On **DC01**: .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" ``` -The following is a list of the permissions being granted: + The following is a list of the permissions being granted: -- Scope: This object and all descendant objects -- Create Computer objects -- Delete Computer objects -- Scope: Descendant Computer objects -- Read All Properties -- Write All Properties -- Read Permissions -- Modify Permissions -- Change Password -- Reset Password -- Validated write to DNS host name -- Validated write to service principal name + - Scope: This object and all descendant objects + - Create Computer objects + - Delete Computer objects + - Scope: Descendant Computer objects + - Read All Properties + - Write All Properties + - Read Permissions + - Modify Permissions + - Change Password + - Reset Password + - Validated write to DNS host name + - Validated write to service principal name ## Step 2: Set up the MDT production deployment share @@ -288,7 +288,7 @@ On **MDT01**: 1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)). -2. Extract **PROWinx64.exe** to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. +2. Extract **PROWinx64.exe** to a temporary folder—in this example to the **C:\\Tmp\\ProWinx64** folder. > [!NOTE] > Extracting the **.exe** file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the **.exe** terminates. @@ -689,9 +689,9 @@ On **HV01**: 4. Setup now begins and does the following: - 1. Installs the Windows 10 Enterprise operating system. - 2. Installs the added application. - 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. + - Installs the Windows 10 Enterprise operating system. + - Installs the added application. + - Updates the operating system via your local Windows Server Update Services (WSUS) server. ![pc0005 image1](../images/pc0005-vm.png) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 16a70ae7dc..300e9da96e 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -21,7 +21,7 @@ ms.topic: article Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5. -With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions – **Windows 10 Education**. +With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**. The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index e0b41cbef2..b06b997753 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -131,7 +131,7 @@ On-premises deployments provide users with the ability to reset forgotten PINs e You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations). > [!NOTE] -> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. +> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md index 2950bc11b8..ea3eb1315c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -45,7 +45,7 @@ Microsoft recommends onboarding Windows Virtual Desktop as a single entry per vi Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. > [!NOTE] -> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is NOT recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account. +> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is _not_ recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account. ## Scenarios There are several ways to onboard a WVD host machine: diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 1fb4dffbde..81161b833f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -337,7 +337,7 @@ It is also now possible to run a script if the user rolls back their version of `/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]` -For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21). New command-line switches are also available to control BitLocker: From ca07a12ced0098a6283221399867047cb97ff050 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 5 Mar 2021 10:30:32 -0800 Subject: [PATCH 7/9] Update manage-updates-baselines-microsoft-defender-antivirus.md --- ...tes-baselines-microsoft-defender-antivirus.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index dba7425369..f1e784ee1e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: pahuijbr manager: dansimp -ms.date: 02/12/2021 +ms.date: 03/05/2021 ms.technology: mde --- @@ -408,6 +408,20 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
+1.1.2103.01 + + Package version: **1.1.2103.01** + Platform version: **4.18.2101.9** + Engine version: **1.17800.5** + Signature version: **1.331.2302.0** + +### Fixes +- None + +### Additional information +- None +
+
1.1.2102.03  Package version: **1.1.2102.03** From 88a20e5872575c3c7934a61968eeff652659eb2a Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 5 Mar 2021 10:44:28 -0800 Subject: [PATCH 8/9] Made alt text unique to satisfy build error --- windows/configuration/set-up-shared-or-guest-pc.md | 2 +- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index d84bf41c84..2d7b4b2b66 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -108,7 +108,7 @@ You can configure Windows to be in shared PC mode in a couple different ways: 8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**. > [!div class="mx-imgBorder"] - > ![Shared PC settings in ICD](images/shared_pc_3.png) + > ![Shared PC mode in the Configuration settings page](images/shared_pc_3.png) 9. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 4**. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 81161b833f..dd9655ac64 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -660,7 +660,7 @@ See the following example: ![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") -![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") +![Initiate a Remote Desktop connection](../images/RDPwBio2.png "Windows Hello personal") ![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") From 746c689f2c5eaed9b293af52cdaf6dc7952e2b40 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 5 Mar 2021 12:02:05 -0800 Subject: [PATCH 9/9] alt text update --- .../mandatory-user-profile.md | 11 +++++------ .../mdm/diagnose-mdm-failures-in-windows-10.md | 18 ++++++------------ 2 files changed, 11 insertions(+), 18 deletions(-) diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index b1ce6d51a9..4da406434c 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -16,7 +16,6 @@ ms.topic: article # Create mandatory user profiles **Applies to** - - Windows 10 A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. @@ -76,7 +75,7 @@ First, you create a default user profile with the customizations that you want, > [!TIP] > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following: > - > ![Microsoft Bing Translator package](images/sysprep-error.png) + > ![Microsoft Bing Translator package error](images/sysprep-error.png) > > Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. @@ -89,11 +88,11 @@ Starting in Windows 10 version (2004) Open the Settings app and click on Advance 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**. - ![Example of UI](images/copy-to.png) + ![Example of User Profiles UI](images/copy-to.png) 1. In **Copy To**, under **Permitted to use**, click **Change**. - ![Example of UI](images/copy-to-change.png) + ![Example of Copy To UI](images/copy-to-change.png) 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone` or the group of users that the profile will be assigned to, click **Check Names**, and then click **OK**. @@ -101,13 +100,13 @@ Starting in Windows 10 version (2004) Open the Settings app and click on Advance - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. - ![Example of UI](images/copy-to-path.png) + ![Example of Copy profile to](images/copy-to-path.png) - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - Optionally, you can check the **Mandatory profile** checkbox. This step is not required but will set permissions that are more restrictive and we recommend doing so. - ![Example of UI](images/copy-to-path.png) + ![Example of Copy To UI with UNC path](images/copy-to-path.png) 1. Click **OK** to copy the default user profile. diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 4f20ca31cd..8909e59d0c 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -23,10 +23,10 @@ To help diagnose enrollment or device management issues in Windows 10 devices m ![Access work or school page in Settings](images/diagnose-mdm-failures15.png) 1. At the bottom of the **Settings** page, click **Create report**. - ![Access work or school page in Settings](images/diagnose-mdm-failures16.png) + ![Access work or school page and then Create report](images/diagnose-mdm-failures16.png) 1. A window opens that shows the path to the log files. Click **Export**. - ![Access work or school page in Settings](images/diagnose-mdm-failures17.png) + ![Access work or school log files](images/diagnose-mdm-failures17.png) 1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. @@ -294,21 +294,21 @@ For best results, ensure that the PC or VM on which you are viewing logs matches 3. Navigate to the etl file that you got from the device and then open the file. 4. Click **Yes** when prompted to save it to the new log format. - ![prompt](images/diagnose-mdm-failures10.png) + ![event viewer prompt](images/diagnose-mdm-failures10.png) ![diagnose mdm failures](images/diagnose-mdm-failures11.png) 5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. - ![event viewer](images/diagnose-mdm-failures12.png) + ![event viewer actions](images/diagnose-mdm-failures12.png) 6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. - ![event filter](images/diagnose-mdm-failures13.png) + ![event filter for Device Management](images/diagnose-mdm-failures13.png) 7. Now you are ready to start reviewing the logs. - ![event viewer](images/diagnose-mdm-failures14.png) + ![event viewer review logs](images/diagnose-mdm-failures14.png) ## Collect device state data @@ -336,9 +336,3 @@ Here's an example of how to collect current MDM device state data using the [Dia ```   - - - - - -