* is the error code number generated by the error message. For more information about System Error Codes, see [System Error Codes (0-499)](/windows/win32/debug/system-error-codes--0-499-).
In most cases, the **ScanState** and **LoadState** logs indicate why a USMT migration is failing. We recommend that you use the `/v:5` option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger.
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index e215207ede..ede8f237ec 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -19,10 +19,10 @@ The following table describes articles that address common User State Migration
| Link | Description |
|--- |--- |
-|[Common Issues](usmt-common-issues.md)|Find troubleshooting solutions for common problems in USMT.|
+|[Common Issues](/troubleshoot/windows-client/deployment/usmt-common-issues)|Find troubleshooting solutions for common problems in USMT.|
|[Frequently Asked Questions](usmt-faq.yml)|Find answers to questions about how to use USMT.|
|[Log Files](usmt-log-files.md)|Learn how to enable logging to help you troubleshoot issues in USMT.|
-|[Return Codes](usmt-return-codes.md)|Learn how to use return codes to identify problems in USMT.|
+|[Return Codes](/troubleshoot/windows-client/deployment/usmt-return-codes)|Learn how to use return codes to identify problems in USMT.|
|[USMT Resources](usmt-resources.md)|Find more information and support for using USMT.|
## Related articles
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index 9568ca5337..cb67fc466b 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -97,4 +97,4 @@ Some examples of `/extract` commands:
[User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md)
-[Return codes](usmt-return-codes.md)
+[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes)
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index b4964f369a..be20a22816 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -6,7 +6,7 @@ manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: frankroj
-ms.date: 11/01/2022
+ms.date: 11/23/2022
ms.topic: article
ms.technology: itpro-deploy
---
@@ -53,7 +53,7 @@ This section describes the user data that USMT migrates by default, using the `M
- Favorites
> [!IMPORTANT]
- > Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-doesnt-migrate-the-start-layout).
+ > Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout).
- **Folders from the All Users and Public profiles.** When you specify the `MigUser.xml` file, USMT also migrates the following from the **Public** profile in Windows Vista, Windows 7, Windows 8, or Windows 10:
@@ -78,6 +78,9 @@ This section describes the user data that USMT migrates by default, using the `M
> [!NOTE]
> The asterisk (`*`) stands for zero or more characters.
+ > [!NOTE]
+ > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default.
+
- **Access control lists.** USMT migrates access control lists (ACLs) for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named `File1.txt` that is **read-only** for **User1** and **read/write** for **User2**, these settings will still apply on the destination computer after the migration.
> [!IMPORTANT]
@@ -206,7 +209,7 @@ When you specify the `MigApp.xml` file, USMT migrates the settings for the follo
## What USMT doesn't migrate
-The following items are settings that USMT doesn't migrate. If you're having a problem that isn't listed here, see [Common issues](usmt-common-issues.md).
+The following items are settings that USMT doesn't migrate. If you're having a problem that isn't listed here, see [Common issues](/troubleshoot/windows-client/deployment/usmt-common-issues).
### Application settings
@@ -244,7 +247,7 @@ You should also note the following items:
### Start menu layout
-Starting in Windows 10, version 1607 the USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-doesnt-migrate-the-start-layout).
+Starting in Windows 10, version 1607 the USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout).
### User profiles from Active Directory to Azure Active Directory
diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
index 2f004c83ff..60856e7a7e 100644
--- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
@@ -101,4 +101,4 @@ If the `/verify` option indicates that there are corrupted files in the migratio
[UsmtUtils syntax](usmt-utilities.md)
-[Return codes](usmt-return-codes.md)
+[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes)
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 1316467395..fbbf1013ee 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -11,12 +11,12 @@ ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: how-to
ms.collection: M365-modern-desktop
-ms.date: 10/31/2022
+ms.date: 11/23/2022
---
# Configure VDA for Windows subscription activation
-Applies to:
+*Applies to:*
- Windows 10
- Windows 11
@@ -61,42 +61,55 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
## Active Directory-joined VMs
1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](/azure/virtual-machines/windows/prepare-for-upload-vhd-image)
-2. (Optional) To disable network level authentication, type the following command at an elevated command prompt:
+
+2. (Optional) To disable network level authentication, enter the following command at an elevated command prompt:
```cmd
- REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
+ REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
```
-3. At an elevated command prompt, type **sysdm.cpl** and press ENTER.
+3. At an elevated command prompt, enter **sysdm.cpl**.
+
4. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**.
-5. Select **Add**, type **Authenticated users**, and then select **OK** three times.
+
+5. Select **Add**, enter **Authenticated users**, and then select **OK** three times.
+
6. Follow the instructions to use sysprep at [Steps to generalize a VHD](/azure/virtual-machines/windows/prepare-for-upload-vhd-image#generalize-a-vhd) and then start the VM again.
+
7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 8.
1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
- 1. Open Windows Configuration Designer and select **Provision desktop services**.
- 1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
+
+ 2. Open Windows Configuration Designer and select **Provision desktop services**.
+
+ 3. Under **Name**, enter **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
> [!NOTE]
> You can use a different project name, but this name is also used with dism.exe in a later step.
- 1. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
- 1. On the Set up network page, choose **Off**.
- 1. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
+ 4. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
+
+ 5. On the Set up network page, choose **Off**.
+
+ 6. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
> [!NOTE]
> This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms).
- 1. On the Add applications page, add applications if desired. This step is optional.
- 1. On the Add certificates page, add certificates if desired. This step is optional.
- 1. On the Finish page, select **Create**.
- 1. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image.
- 1. Type the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested:
+ 7. On the Add applications page, add applications if desired. This step is optional.
+
+ 8. On the Add certificates page, add certificates if desired. This step is optional.
+
+ 9. On the Finish page, select **Create**.
+
+ 10. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image.
+
+ 11. Enter the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested:
```cmd
Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg"
```
- 1. Right-click the mounted image in file explorer and select **Eject**.
+ 12. Right-click the mounted image in file explorer and select **Eject**.
8. See the instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#upload-the-vhd) to sign in to Azure, get your storage account details, upload the VHD, and create a managed image.
@@ -107,33 +120,50 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
For Azure AD-joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
-- During setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
+- During setup with Windows Configuration Designer, under **Name**, enter a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
+
- During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials.
+
- When entering the PackagePath, use the project name you previously entered. For example, **Desktop Bulk Enrollment Token Pro GVLK.ppkg**
+
- When attempting to access the VM using remote desktop, you'll need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure).
## Azure Gallery VMs
-1. (Optional) To disable network level authentication, type the following command at an elevated command prompt:
+1. (Optional) To disable network level authentication, enter the following command at an elevated command prompt:
```cmd
- REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
+ REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
```
-2. At an elevated command prompt, type `sysdm.cpl` and press ENTER.
+2. At an elevated command prompt, enter `sysdm.cpl`.
+
3. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**.
-4. Select **Add**, type **Authenticated users**, and then select **OK** three times.
+
+4. Select **Add**, enter **Authenticated users**, and then select **OK** three times.
+
5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
+
6. Open Windows Configuration Designer and select **Provision desktop services**.
+
7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8.
- 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
- 2. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
-8. Under **Name**, type **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name.
+
+ 1. Under **Name**, enter **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
+
+ 2. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
+
+8. Under **Name**, enter **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name.
+
9. On the Set up network page, choose **Off**.
+
10. On the Account Management page, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials.
+
11. On the Add applications page, add applications if desired. This step is optional.
+
12. On the Add certificates page, add certificates if desired. This step is optional.
+
13. On the Finish page, select **Create**.
+
14. Copy the PPKG file to the remote virtual machine. Open the provisioning package to install it. This process will restart the system.
> [!NOTE]
@@ -142,9 +172,13 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j
## Create custom RDP settings for Azure
1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host.
+
2. Select **Show Options**, and then under Connection settings select **Save As**. Save the RDP file to the location where you'll use it.
+
3. Close the Remote Desktop Connection window and open Notepad.
+
4. Open the RDP file in Notepad to edit it.
+
5. Enter or replace the line that specifies authentication level with the following two lines of text:
```text
@@ -162,4 +196,4 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j
[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
-[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf)
\ No newline at end of file
+[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf)
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index dfab934f9d..c0fe80dccc 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -8,14 +8,15 @@ ms.author: frankroj
manager: aaroncz
ms.topic: article
ms.custom: seo-marvel-apr2020
-ms.date: 10/31/2022
+ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Windows Deployment Services (WDS) boot.wim support
-Applies to:
-- Windows 10
+*Applies to:*
+
+- Windows 10
- Windows 11
The operating system deployment functionality of [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)) (WDS) is being partially deprecated. Starting with Windows 11, workflows that rely on **boot.wim** from installation media or on running Windows Setup in WDS mode will no longer be supported.
@@ -38,7 +39,7 @@ The table below provides support details for specific deployment scenarios (Boot
## Reason for the change
-Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images.
+Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images.
## Not affected
@@ -53,7 +54,7 @@ You can still run Windows Setup from a network share. Workflows that use a custo
- Windows Server 2022 workflows that rely on **boot.wim** from installation media will show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow isn't blocked.
- Windows Server workflows after Windows Server 2022 that rely on **boot.wim** from installation media are blocked.
-If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image.
+If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image.
## Also see
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index d7d8c65cc3..677807d5c7 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -9,13 +9,14 @@ ms.prod: windows-client
ms.technology: itpro-deploy
ms.localizationpriority: medium
ms.topic: reference
-ms.date: 10/31/2022
+ms.date: 11/23/2022
---
# Windows 10 deployment process posters
-**Applies to**
-- Windows 10
+*Applies to:*
+
+- Windows 10
The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Configuration Manager.
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 4627e3d824..18e44ca25b 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -7,15 +7,15 @@ author: frankroj
ms.prod: windows-client
ms.localizationpriority: medium
ms.topic: article
-ms.date: 10/31/2022
+ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Windows 10 deployment scenarios
-**Applies to**
+*Applies to:*
-- Windows 10
+- Windows 10
To successfully deploy the Windows 10 operating system in your organization, it's important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each.
@@ -55,9 +55,9 @@ The following tables summarize various Windows 10 deployment scenarios. The scen
|[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows 7 computer with Windows 10](/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)|
|[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows 7 computer with a Windows 10 computer](/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)|
->[!IMPORTANT]
->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
+> [!IMPORTANT]
+> The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.
+> Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
## Modern deployment methods
@@ -86,19 +86,19 @@ Scenarios that support in-place upgrade with some other procedures include chang
- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
-- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
- - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
- - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
+- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
+ - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
+ - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
There are some situations where you can't use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
-- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
+- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
-- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
+- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
-- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail.
+- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail.
-- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken.
+- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken.
## Dynamic provisioning
@@ -106,7 +106,7 @@ For new PCs, organizations have historically replaced the version of Windows inc
The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
-### Windows 10 Subscription Activation
+### Windows 10 Subscription Activation
Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
@@ -122,17 +122,17 @@ These scenarios can be used to enable "choose your own device" (CYOD) programs.
While the initial Windows 10 release includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts.
-## Traditional deployment:
+## Traditional deployment
-New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important, and will continue to be available to organizations that need them.
The traditional deployment scenario can be divided into different sub-scenarios. These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary:
-- **New computer.** A bare-metal deployment of a new machine.
-- **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
-- **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
+- **New computer**: A bare-metal deployment of a new machine.
+- **Computer refresh**: A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
+- **Computer replace**: A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
### New computer
@@ -140,13 +140,13 @@ Also called a "bare metal" deployment. This scenario occurs when you have a blan
The deployment process for the new machine scenario is as follows:
-1. Start the setup from boot media (CD, USB, ISO, or PXE).
+1. Start the setup from boot media (CD, USB, ISO, or PXE).
-2. Wipe the hard disk clean and create new volume(s).
+2. Wipe the hard disk clean and create new volume(s).
-3. Install the operating system image.
+3. Install the operating system image.
-4. Install other applications (as part of the task sequence).
+4. Install other applications (as part of the task sequence).
After you follow these steps, the computer is ready for use.
@@ -156,17 +156,17 @@ A refresh is sometimes called wipe-and-load. The process is normally initiated i
The deployment process for the wipe-and-load scenario is as follows:
-1. Start the setup on a running operating system.
+1. Start the setup on a running operating system.
-2. Save the user state locally.
+2. Save the user state locally.
-3. Wipe the hard disk clean (except for the folder containing the backup).
+3. Wipe the hard disk clean (except for the folder containing the backup).
-4. Install the operating system image.
+4. Install the operating system image.
-5. Install other applications.
+5. Install other applications.
-6. Restore the user state.
+6. Restore the user state.
After you follow these steps, the machine is ready for use.
@@ -176,9 +176,9 @@ A computer replace is similar to the refresh scenario. However, since we're repl
The deployment process for the replace scenario is as follows:
-1. Save the user state (data and settings) on the server through a backup job on the running operating system.
+1. Save the user state (data and settings) on the server through a backup job on the running operating system.
-2. Deploy the new computer as a bare-metal deployment.
+2. Deploy the new computer as a bare-metal deployment.
> [!NOTE]
> In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index 67864fbe6c..972ef1adaf 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -3,7 +3,7 @@ title: Windows 10/11 Enterprise E3 in CSP
description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition.
ms.prod: windows-client
ms.localizationpriority: medium
-ms.date: 10/31/2022
+ms.date: 11/23/2022
author: frankroj
ms.author: frankroj
manager: aaroncz
@@ -15,16 +15,17 @@ ms.technology: itpro-deploy
# Windows 10/11 Enterprise E3 in CSP
-Applies to:
+*Applies to:*
+
- Windows 10
- Windows 11
-Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available.
+Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available.
Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following prerequisites:
-- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
-- Azure Active Directory (Azure AD) available for identity management
+- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
+- Azure Active Directory (Azure AD) available for identity management
You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
@@ -32,22 +33,22 @@ Previously, only organizations with a Microsoft Volume Licensing Agreement could
When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits:
-- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB).
-- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
-- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
-- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days).
-- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization.
-- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
+- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB).
+- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
+- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
+- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days).
+- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization.
+- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
-- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
-- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
+- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
+- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
- - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.
- - **Training**. These benefits include training vouchers, online e-learning, and a home use program.
- - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server.
- - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums.
+ - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.
+ - **Training**. These benefits include training vouchers, online e-learning, and a home use program.
+ - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server.
+ - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums.
In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses.
@@ -60,15 +61,15 @@ In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offerin
Windows 10 Enterprise edition has many features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.
-*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro*
+### Table 1. Windows 10 Enterprise features not found in Windows 10 Pro
|Feature|Description|
|--- |--- |
-|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.Credential Guard has the following features:
**Hardware-level security**. Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.**Virtualization-based security**. Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.**Improved protection against persistent threats**. Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.**Improved manageability**. Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).
*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
-|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.
Device Guard protects in the following ways:
Helps protect against malwareHelps protect the Windows system core from vulnerability and zero-day exploitsAllows only trusted apps to runFor more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
-|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
-|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.
For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
-|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.
When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
UE-V provides the following features:
Specify which application and Windows settings synchronize across user devicesDeliver the settings anytime and anywhere users work throughout the enterpriseCreate custom templates for your third-party or line-of-business applicationsRecover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial stateFor more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
+|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.
Credential Guard has the following features:
**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.**Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.
For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).
*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
+|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.
Device Guard protects in the following ways:Helps protect against malwareHelps protect the Windows system core from vulnerability and zero-day exploitsAllows only trusted apps to run
For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
+|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
+|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.
For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
+|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.
When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
UE-V provides the following features:Specify which application and Windows settings synchronize across user devicesDeliver the settings anytime and anywhere users work throughout the enterpriseCreate custom templates for your third-party or line-of-business applicationsRecover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state
For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
|Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commandsRemoving Log Off (the User tile) from the Start menuRemoving frequent programs from the Start menuRemoving the All Programs list from the Start menuPreventing users from customizing their Start screenForcing Start menu to be either full-screen size or menu sizePreventing changes to Taskbar and Start menu settings|
## Deployment of Windows 10/11 Enterprise E3 licenses
@@ -88,41 +89,39 @@ The following sections provide you with the high-level tasks that need to be per
You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods:
-- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
+- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
-- **Manual**. You can manually turn on Credential Guard by taking one of the following actions:
+- **Manual**. You can manually turn on Credential Guard by taking one of the following actions:
- - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM).
+ - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM).
- - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+ - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
You can automate these manual steps by using a management tool such as Microsoft Configuration Manager.
For more information about implementing Credential Guard, see the following resources:
-- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
-- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations)
-- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
-
-
+- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
+- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations)
+- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
### Device Guard
Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps:
-1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate.
+1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate.
-2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.
+2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.
-3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.
+3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.
-4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy.
+4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy.
-5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies.
+5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies.
-6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly.
+6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly.
-7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
+7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
For more information about implementing Device Guard, see:
@@ -139,19 +138,20 @@ For more information about AppLocker management by using Group Policy, see [AppL
App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that you must have are as follows:
-- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
+- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
-- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
+- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
-- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices.
+- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices.
For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources:
-- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started)
-- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server)
-- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
+- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started)
+- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server)
+- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
### UE-V
+
UE-V requires server and client-side components that you'll need to download, activate, and install. These components include:
- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices.
@@ -174,16 +174,16 @@ For more information about deploying UE-V, see the following resources:
The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain.
-*Table 2. Managed User Experience features*
+#### Table 2. Managed User Experience features
| Feature | Description |
|------------------|-----------------|
| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The XML file enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). |
-| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.
For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). |
-| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). |
-| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). |
-| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.
For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). |
-| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). |
+| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.
For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). |
+| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). |
+| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). |
+| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.
For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). |
+| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). |
## Related articles
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index 6668d42e52..66d08877b8 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -3,7 +3,7 @@ title: Windows 10 volume license media
description: Learn about volume license media in Windows 10, and channels such as the Volume License Service Center (VLSC).
ms.prod: windows-client
ms.localizationpriority: medium
-ms.date: 10/31/2022
+ms.date: 11/23/2022
ms.reviewer:
manager: aaroncz
ms.author: frankroj
@@ -14,9 +14,9 @@ ms.technology: itpro-deploy
# Windows 10 volume license media
-**Applies to**
+*Applies to:*
-- Windows 10
+- Windows 10
With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This article provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10.
@@ -29,7 +29,7 @@ When you select a product, for example "Windows 10 Enterprise" or "Windows 10 Ed
> [!NOTE]
> If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx).
-Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together.
+Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together.
### Language packs
@@ -47,4 +47,4 @@ Features on demand is a method for adding features to your Windows 10 image that
[Volume Activation for Windows 10](./volume-activation/volume-activation-windows-10.md)
[Plan for volume activation](./volume-activation/plan-for-volume-activation-client.md)
[VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150)
-
[Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc)
\ No newline at end of file
+
[Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc)
diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md
index 3c0da5a490..364c23a213 100644
--- a/windows/deployment/windows-10-missing-fonts.md
+++ b/windows/deployment/windows-10-missing-fonts.md
@@ -7,12 +7,12 @@ author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: article
-ms.date: 10/31/2022
+ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# How to install fonts that are missing after upgrading to Windows client
-**Applies to**
+*Applies to:*
- Windows 10
- Windows 11
@@ -36,7 +36,7 @@ For example, if you've an English, French, German, or Spanish version of Windows
If you want to use these fonts, you can enable the optional feature to add them back to your system. The removal of these fonts is a permanent change in behavior for Windows client, and it will remain this way in future releases.
-## Installing language-associated features via language settings:
+## Installing language-associated features via language settings
If you want to use the fonts from the optional feature and you know that you'll want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. Use the Settings app.
@@ -57,7 +57,7 @@ Once you've added Hebrew to your language list, then the optional Hebrew font fe
> [!NOTE]
> The optional features are installed by Windows Update. You need to be online for the Windows Update service to work.
-## Install optional fonts manually without changing language settings:
+## Install optional fonts manually without changing language settings
If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings.
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index 89f8d25fe4..3741412fbb 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -3,7 +3,7 @@ title: Step by step - Deploy Windows 10 in a test lab using MDT
description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
ms.prod: windows-client
ms.localizationpriority: medium
-ms.date: 10/31/2022
+ms.date: 11/23/2022
ms.reviewer:
manager: aaroncz
ms.author: frankroj
@@ -14,23 +14,26 @@ ms.technology: itpro-deploy
# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
-**Applies to**
+*Applies to:*
-- Windows 10
+- Windows 10
> [!IMPORTANT]
-> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
-- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-
-Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
-- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
+> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
+>
+> [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
+>
+> Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
+>
+> [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
+
- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
-This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work.
+This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/virtualization/hyper-v-on-windows/user-guide/checkpoints) to pause, resume, or restart your work.
## In this guide
@@ -50,10 +53,13 @@ Topics and procedures in this guide are summarized in the following table. An es
## About MDT
-MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
+MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
+
- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
+
- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
-- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager.
+
+- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager.
## Install MDT
@@ -80,11 +86,12 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch
A reference image serves as the foundation for Windows 10 devices in your organization.
-1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
+1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
```
+
2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**.
@@ -108,7 +115,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
9. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
-10. Use the following settings for the Import Operating System Wizard:
+10. Use the following settings for the Import Operating System Wizard:
- OS Type: **Full set of source files**
- Source: **D:\\**
- Destination: **W10Ent_x64**
@@ -119,6 +126,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
For purposes of this test lab, we'll only add the prerequisite .NET Framework feature. Commercial applications (ex: Microsoft Office) won't be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) article.
11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+
- Task sequence ID: **REFW10X64-001**
- Task sequence name: **Windows 10 Enterprise x64 Default Image**
- Task sequence comments: **Reference Build**
@@ -143,7 +151,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
-
+
> [!NOTE]
> Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
@@ -153,7 +161,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
20. Replace the default rules with the following text:
- ```text
+ ```ini
[Settings]
Priority=Default
@@ -188,7 +196,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
- ```text
+ ```ini
[Settings]
Priority=Default
@@ -211,7 +219,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
> [!TIP]
> To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
-26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
+26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands:
```powershell
New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
@@ -221,21 +229,21 @@ A reference image serves as the foundation for Windows 10 devices in your organi
vmconnect localhost REFW10X64-001
```
- The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
+ The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
28. Accept the default values on the Capture Image page, and select **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (don't press a key). The process is fully automated.
- Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
+ Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
- - Install the Windows 10 Enterprise operating system.
- - Install added applications, roles, and features.
- - Update the operating system using Windows Update (or WSUS if optionally specified).
- - Stage Windows PE on the local disk.
- - Run System Preparation (Sysprep) and reboot into Windows PE.
- - Capture the installation to a Windows Imaging (WIM) file.
- - Turn off the virtual machine.
+ - Install the Windows 10 Enterprise operating system.
+ - Install added applications, roles, and features.
+ - Update the operating system using Windows Update (or WSUS if optionally specified).
+ - Stage Windows PE on the local disk.
+ - Run System Preparation (Sysprep) and reboot into Windows PE.
+ - Capture the installation to a Windows Imaging (WIM) file.
+ - Turn off the virtual machine.
This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**.
@@ -244,6 +252,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then select **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
+
- **Deployment share path**: C:\MDTProd
- **Share name**: MDTProd$
- **Deployment share description**: MDT Production
@@ -259,7 +268,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, select **Open**, and then select **Next**.
-7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
+7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** select **OK** and then select **Next**.
@@ -274,6 +283,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, select **New Folder** and create a folder with the name: **Windows 10**.
2. Right-click the **Windows 10** folder created in the previous step, and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+
- Task sequence ID: W10-X64-001
- Task sequence name: Windows 10 Enterprise x64 Custom Image
- Task sequence comments: Production Image
@@ -282,22 +292,23 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
- Specify Product Key: Don't specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
- - Internet Explorer home page: http://www.contoso.com
- - Admin Password: pass@word1
-
+ - Internet Explorer home page: `http://www.contoso.com`
+ - Admin Password: pass@word1
+
### Configure the MDT production deployment share
-1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
+1. On SRV1, open an elevated Windows PowerShell prompt and enter the following commands:
```powershell
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
- ```
+ ```
+
2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then select **Properties**.
3. Select the **Rules** tab and replace the rules with the following text (don't select OK yet):
- ```text
+ ```ini
[Settings]
Priority=Default
@@ -341,13 +352,13 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
If desired, edit the following line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (`ue`) all users except for CONTOSO users specified by the user include option (ui):
- ```console
+ ```cmd
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
```
For example, to migrate **all** users on the computer, replace this line with the following line:
- ```console
+ ```cmd
ScanStateArgs=/all
```
@@ -355,7 +366,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
4. Select **Edit Bootstap.ini** and replace text in the file with the following text:
- ```text
+ ```ini
[Settings]
Priority=Default
@@ -367,7 +378,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
SkipBDDWelcome=YES
```
-5. Select **OK** when finished.
+5. Select **OK** when finished.
### Update the deployment share
@@ -391,9 +402,9 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
- ```powershell
- WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
- WDSUTIL /Set-Server /AnswerClients:All
+ ```cmd
+ WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
+ WDSUTIL.exe /Set-Server /AnswerClients:All
```
2. Select **Start**, type **Windows Deployment**, and then select **Windows Deployment Services**.
@@ -404,12 +415,12 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
### Deploy the client image
-1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway.
+1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway.
> [!NOTE]
- > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
+ > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, enter **`Get-NetIPAddress | ft interfacealias, ipaddress** in a PowerShell prompt.
- Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command:
+ Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and enter the following command:
```powershell
Disable-NetAdapter "Ethernet 2" -Confirm:$false
@@ -417,7 +428,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
>Wait until the disable-netadapter command completes before proceeding.
-2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
+2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, enter the following commands at an elevated Windows PowerShell prompt:
```powershell
New-VM -Name "PC2" -NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
@@ -437,7 +448,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**.
-6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command:
+6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and enter the following command:
```powershell
Enable-NetAdapter "Ethernet 2"
@@ -453,7 +464,7 @@ This completes the demonstration of how to deploy a reference image to the netwo
## Refresh a computer with Windows 10
-This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
+This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
1. If the PC1 VM isn't already running, then start and connect to it:
@@ -462,7 +473,7 @@ This section will demonstrate how to export user data from an existing client co
vmconnect localhost PC1
```
-2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and performing additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name PC1 -SnapshotName BeginState
@@ -472,10 +483,10 @@ This section will demonstrate how to export user data from an existing client co
Specify **contoso\administrator** as the user name to ensure you don't sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
-4. Open an elevated command prompt on PC1 and type the following command:
+4. Open an elevated command prompt on PC1 and enter the following command:
- ```console
- cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
+ ```cmd
+ cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
> [!NOTE]
@@ -498,13 +509,13 @@ This section will demonstrate how to export user data from an existing client co
8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
-9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name PC1 -SnapshotName RefreshState
```
-10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
@@ -516,15 +527,18 @@ This section will demonstrate how to export user data from an existing client co
## Replace a computer with Windows 10
-At a high level, the computer replace process consists of:
+At a high level, the computer replace process consists of:
+
- A special replace task sequence that runs the USMT backup and an optional full Windows Imaging (WIM) backup.
- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
### Create a backup-only task sequence
1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, select **Properties**, select the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
+
2. Select **OK**, right-click **MDT Production**, select **Update Deployment Share** and accept the default options in the wizard to update the share.
-3. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+3. enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
New-Item -Path C:\MigData -ItemType directory
@@ -533,45 +547,56 @@ At a high level, the computer replace process consists of:
```
4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and select **New Folder**.
+
5. Name the new folder **Other**, and complete the wizard using default options.
+
6. Right-click the **Other** folder and then select **New Task Sequence**. Use the following values in the wizard:
+
- **Task sequence ID**: REPLACE-001
- **Task sequence name**: Backup Only Task Sequence
- **Task sequence comments**: Run USMT to back up user data and settings
- **Template**: Standard Client Replace Task Sequence (note: this template isn't the default template)
+
7. Accept defaults for the rest of the wizard and then select **Finish**. The replace task sequence will skip OS selection and settings.
-8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence.
+
+8. Open the new task sequence that was created and review it. Note the enter of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence.
### Run the backup-only task sequence
-1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt:
+1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, enter the following command at an elevated command prompt:
- ```console
- whoami
+ ```cmd
+ whoami.exe
```
-2. To ensure a clean environment before running the backup task sequence, type the following commands at an elevated Windows PowerShell prompt on PC1:
+
+2. To ensure a clean environment before running the backup task sequence, enter the following commands at an elevated Windows PowerShell prompt on PC1:
```powershell
Remove-Item c:\minint -recurse
Remove-Item c:\_SMSTaskSequence -recurse
Restart-Computer
```
-3. Sign in to PC1 using the contoso\administrator account, and then type the following command at an elevated command prompt:
- ```console
- cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
+3. Sign in to PC1 using the contoso\administrator account, and then enter the following command at an elevated command prompt:
+
+ ```cmd
+ cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
4. Complete the deployment wizard using the following settings:
+
- **Task Sequence**: Backup Only Task Sequence
- **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1**
- **Computer Backup**: Don't back up the existing computer.
+
5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and select the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
+
6. On PC1, verify that **The user state capture was completed successfully** is displayed, and select **Finish** when the capture is complete.
+
7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
- ```powershell
- PS C:\> dir C:\MigData\PC1\USMT
+ ```cmd
+ dir C:\MigData\PC1\USMT
Directory: C:\MigData\PC1\USMT
@@ -580,16 +605,16 @@ At a high level, the computer replace process consists of:
-a--- 9/6/2016 11:34 AM 14248685 USMT.MIG
```
-### Deploy PC3
+### Deploy PC3
-1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt:
+1. On the Hyper-V host, enter the following commands at an elevated Windows PowerShell prompt:
```powershell
New-VM -Name "PC3" -NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
```
-2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1:
+2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
Disable-NetAdapter "Ethernet 2" -Confirm:$false
@@ -628,6 +653,7 @@ At a high level, the computer replace process consists of:
## Troubleshooting logs, events, and utilities
Deployment logs are available on the client computer in the following locations:
+
- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
- After deployment: %WINDIR%\TEMP\DeploymentLogs
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index c33a3b8242..46c6a2b39c 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -9,16 +9,16 @@ manager: aaroncz
ms.author: frankroj
author: frankroj
ms.topic: tutorial
-ms.date: 10/31/2022
+ms.date: 11/23/2022
---
# Deploy Windows 10 in a test lab using Configuration Manager
-*Applies to*
+*Applies to:*
- Windows 10
-> [!Important]
+> [!IMPORTANT]
> This guide uses the proof of concept (PoC) environment, and some settings that are configured in the following guides:
>
> - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
@@ -59,7 +59,7 @@ The procedures in this guide are summarized in the following table. An estimate
## Install prerequisites
-1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
@@ -69,7 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate
> If the request to add features fails, retry the installation by typing the command again.
2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
-3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
@@ -77,15 +77,15 @@ The procedures in this guide are summarized in the following table. An estimate
This command mounts the .ISO file to drive D on SRV1.
-4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
+4. Enter the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
- ```powershell
+ ```cmd
D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
```
Installation will take several minutes. When installation is complete, the following output will be displayed:
- ```dos
+ ```console
Microsoft (R) SQL Server 2014 12.00.5000.00
Copyright (c) Microsoft Corporation. All rights reserved.
@@ -99,10 +99,9 @@ The procedures in this guide are summarized in the following table. An estimate
Success
One or more affected files have operations pending.
You should restart your computer to complete this process.
- PS C:\>
```
-5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action allow
@@ -124,13 +123,13 @@ The procedures in this guide are summarized in the following table. An estimate
Stop-Process -Name Explorer
```
-1. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
+2. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
-1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
+3. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
-1. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
+4. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
- ```dos
+ ```powershell
Get-Service Winmgmt
Status Name DisplayName
@@ -157,36 +156,48 @@ The procedures in this guide are summarized in the following table. An estimate
If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
-1. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt:
+5. To extend the Active Directory schema, enter the following command at an elevated Windows PowerShell prompt:
- ```powershell
- cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
+ ```cmd
+ C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
```
-1. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1:
+6. Temporarily switch to the DC1 VM, and enter the following command at an elevated command prompt on DC1:
- ```dos
+ ```cmd
adsiedit.msc
```
-1. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**.
-1. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**.
-1. Select **container** and then select **Next**.
-1. Next to **Value**, type **System Management**, select **Next**, and then select **Finish**.
-1. Right-click **CN=system Management** and then select **Properties**.
-1. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**.
-1. Under **Enter the object names to select**, type **SRV1** and select **OK**.
-1. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
-1. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**.
-1. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times.
-1. Close the ADSI Edit console and switch back to SRV1.
-1. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1:
+7. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**.
- ```powershell
- cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
+8. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**.
+
+9. Select **container** and then select **Next**.
+
+10. Next to **Value**, enter **System Management**, select **Next**, and then select **Finish**.
+
+11. Right-click **CN=system Management** and then select **Properties**.
+
+12. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**.
+
+13. Under **Enter the object names to select**, enter **SRV1** and select **OK**.
+
+14. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
+
+15. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**.
+
+16. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times.
+
+17. Close the ADSI Edit console and switch back to SRV1.
+
+18. To start Configuration Manager installation, enter the following command at an elevated Windows PowerShell prompt on SRV1:
+
+ ```cmd
+ C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
```
-1. Provide the following information in the Configuration Manager Setup Wizard:
+19. Provide the following information in the Configuration Manager Setup Wizard:
+
- **Before You Begin**: Read the text and select *Next*.
- **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
- Select **Yes** in response to the popup window.
@@ -206,7 +217,7 @@ The procedures in this guide are summarized in the following table. An estimate
Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Select **Close** when installation is complete.
-1. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
+20. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
```powershell
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
@@ -217,24 +228,30 @@ The procedures in this guide are summarized in the following table. An estimate
> [!IMPORTANT]
> This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
+
1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
-2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
+2. Enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso
```
-3. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+3. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
- ```powershell
- cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"
+ ```cmd
+ D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi
```
4. Install DaRT 10 using default settings.
-5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64"
@@ -247,7 +264,7 @@ This section contains several procedures to support Zero Touch installation with
### Create a folder structure
-1. Type the following commands at a Windows PowerShell prompt on SRV1:
+1. Enter the following commands at a Windows PowerShell prompt on SRV1:
```powershell
New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot"
@@ -262,56 +279,78 @@ This section contains several procedures to support Zero Touch installation with
### Enable MDT ConfigMgr integration
-1. On SRV1, select **Start**, type `configmgr`, and then select **Configure ConfigMgr Integration**.
-2. Type `PS1` as the **Site code**, and then select **Next**.
+1. On SRV1, select **Start**, enter `configmgr`, and then select **Configure ConfigMgr Integration**.
+
+2. Enter `PS1` as the **Site code**, and then select **Next**.
+
3. Verify **The process completed successfully** is displayed, and then select **Finish**.
### Configure client settings
-1. On SRV1, select **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**.
+1. On SRV1, select **Start**, enter **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**.
+
2. Select **Desktop**, and then launch the Configuration Manager console from the taskbar.
+
3. If the console notifies you that an update is available, select **OK**. It isn't necessary to install updates to complete this lab.
+
4. In the console tree, open the **Administration** workspace (in the lower left corner) and select **Client Settings**.
+
5. In the display pane, double-click **Default Client Settings**.
-6. Select **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then select **OK**.
+
+6. Select **Computer Agent**, next to **Organization name displayed in Software Center** enter **Contoso**, and then select **OK**.
### Configure the network access account
1. in the **Administration** workspace, expand **Site Configuration** and select **Sites**.
+
2. On the **Home** ribbon at the top of the console window, select **Configure Site Components** and then select **Software Distribution**.
+
3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
+
4. Select the yellow starburst and then select **New Account**.
-5. Select **Browse** and then under **Enter the object name to select**, type **CM_NAA** and select **OK**.
-6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then select **OK** twice.
+
+5. Select **Browse** and then under **Enter the object name to select**, enter **CM_NAA** and select **OK**.
+
+6. Next to **Password** and **Confirm Password**, enter **pass\@word1**, and then select **OK** twice.
### Configure a boundary group
1. in the **Administration** workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**.
-2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**.
+
+2. Next to **Description**, enter **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**.
+
3. Choose **Default-First-Site-Name** and then select **OK** twice.
+
4. in the **Administration** workspace, right-click **Boundary Groups** and then select **Create Boundary Group**.
-5. Next to **Name**, type **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**.
+
+5. Next to **Name**, enter **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**.
+
6. On the **References** tab in the **Create Boundary Group** window, select the **Use this boundary group for site assignment** checkbox.
+
7. Select **Add**, select the **\\\SRV1.contoso.com** checkbox, and then select **OK** twice.
### Add the state migration point role
1. in the **Administration** workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**.
+
2. In the Add site System Roles Wizard, select **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox.
-3. Select **Next**, select the yellow starburst, type **C:\MigData** for the **Storage folder**, and select **OK**.
+
+3. Select **Next**, select the yellow starburst, enter **C:\MigData** for the **Storage folder**, and select **OK**.
+
4. Select **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed.
+
5. Select **Next** twice and then select **Close**.
### Enable PXE on the distribution point
> [!IMPORTANT]
-> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1:
+> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, enter the following commands at an elevated Windows PowerShell prompt on SRV1:
-```powershell
-WDSUTIL /Set-Server /AnswerClients:None
+```cmd
+WDSUTIL.exe /Set-Server /AnswerClients:None
```
-1. Determine the MAC address of the internal network adapter on SRV1. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+1. Determine the MAC address of the internal network adapter on SRV1. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
(Get-NetAdapter "Ethernet").MacAddress
@@ -321,8 +360,11 @@ WDSUTIL /Set-Server /AnswerClients:None
> If the internal network adapter, assigned an IP address of 192.168.0.2, isn't named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
2. In the Configuration Manager console, in the **Administration** workspace, select **Distribution Points**.
+
3. In the display pane, right-click **SRV1.CONTOSO.COM** and then select **Properties**.
+
4. On the PXE tab, select the following settings:
+
- **Enable PXE support for clients**. Select **Yes** in the popup that appears.
- **Allow this distribution point to respond to incoming PXE requests**
- **Enable unknown computer support**. Select **OK** in the popup that appears.
@@ -334,10 +376,11 @@ WDSUTIL /Set-Server /AnswerClients:None
5. Select **OK**.
-6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
- ```powershell
- cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
+6. Wait for a minute, then enter the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
+
+ ```cmd
+ dir /b C:\RemoteInstall\SMSBoot\x64
abortpxe.com
bootmgfw.efi
@@ -349,12 +392,12 @@ WDSUTIL /Set-Server /AnswerClients:None
```
> [!NOTE]
- > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
+ > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net.exe share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
>
- > You can also type the following command at an elevated Windows PowerShell prompt to open the CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
+ > You can also enter the following command at an elevated Windows PowerShell prompt to open CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
>
- > ```powershell
- > Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+ > ```cmd
+ > "C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe"
> ```
>
> The log file is updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically recheck that the files are present in the REMINST share location. Close CMTrace when done. You'll see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
@@ -366,7 +409,8 @@ WDSUTIL /Set-Server /AnswerClients:None
### Create a branding image file
1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a branding image.
-2. Type the following command at an elevated Windows PowerShell prompt:
+
+2. Enter the following command at an elevated Windows PowerShell prompt:
```powershell
Copy-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination "C:\Sources\OSD\Branding\contoso.bmp"
@@ -378,16 +422,26 @@ WDSUTIL /Set-Server /AnswerClients:None
### Create a boot image for Configuration Manager
1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then select **Create Boot Image using MDT**.
-2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**.
+
+2. On the Package Source page, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**.
+
- The Zero Touch WinPE x64 folder doesn't yet exist. The folder will be created later.
-3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and select **Next**.
+
+3. On the General Settings page, enter **Zero Touch WinPE x64** next to **Name**, and select **Next**.
+
4. On the Options page, under **Platform** choose **x64**, and select **Next**.
+
5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and select **Next**.
-6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image.
+
+6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, enter or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image.
+
7. Select **Finish**.
+
8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then select **Distribute Content**.
+
9. In the Distribute Content Wizard, select **Next**, select **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, select **OK**, select **Next** twice, and then select **Close**.
-10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, enter the following command at an elevated Windows PowerShell prompt on SRV1:
```powershell
Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
@@ -400,12 +454,15 @@ WDSUTIL /Set-Server /AnswerClients:None
```
11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
+
12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then select the **Data Source** tab.
+
13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and select **OK**.
+
14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
- ```console
- cmd /c dir /s /b C:\RemoteInstall\SMSImages
+ ```cmd
+ dir /s /b C:\RemoteInstall\SMSImages
C:\RemoteInstall\SMSImages\PS100004
C:\RemoteInstall\SMSImages\PS100005
@@ -422,19 +479,19 @@ WDSUTIL /Set-Server /AnswerClients:None
If you've already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you've already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 OS image](#add-a-windows-10-os-image). If you've not yet created a Windows 10 reference image, complete the steps in this section.
-1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
+1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command:
```powershell
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
```
-1. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
+2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
-1. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**.
+3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, enter **deployment**, and then select **Deployment Workbench**.
-1. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-1. Use the following settings for the New Deployment Share Wizard:
+5. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **C:\MDTBuildLab**
- Share name: **MDTBuildLab$**
- Deployment share description: **MDT build lab**
@@ -443,22 +500,23 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
- Progress: settings will be applied
- Confirmation: Select **Finish**
-1. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
+6. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
-1. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
+7. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
-1. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
+8. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
-1. Use the following settings for the Import Operating System Wizard:
+9. Use the following settings for the Import Operating System Wizard:
- OS Type: **Full set of source files**
- Source: **D:\\**
- Destination: **W10Ent_x64**
- Summary: Select **Next**
- Confirmation: Select **Finish**
-1. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications).
+10. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications).
+
+11. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-1. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**
- Task sequence name: **Windows 10 Enterprise x64 Default Image**
- Task sequence comments: **Reference Build**
@@ -467,31 +525,31 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
- Specify Product Key: **Do not specify a product key at this time**
- Full Name: **Contoso**
- Organization: **Contoso**
- - Internet Explorer home page: **http://www.contoso.com**
+ - Internet Explorer home page: **`http://www.contoso.com`**
- Admin Password: **Do not specify an Administrator password at this time**
- Summary: Select **Next**
- Confirmation: Select **Finish**
-1. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
+12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
-1. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo.
+13. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo.
-1. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again.
+14. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again.
-1. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
+15. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
-1. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
+16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
-1. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
+17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
> [!NOTE]
> Since we aren't installing applications in this test lab, there's no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you're also installing applications.
-1. Select **OK** to complete editing the task sequence.
+18. Select **OK** to complete editing the task sequence.
-1. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab.
+19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab.
-1. Replace the default rules with the following text:
+20. Replace the default rules with the following text:
```ini
[Settings]
@@ -526,7 +584,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
SkipFinalSummary=NO
```
-1. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
+21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
```ini
[Settings]
@@ -540,18 +598,18 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
SkipBDDWelcome=YES
```
-1. Select **OK** to complete the configuration of the deployment share.
+22. Select **OK** to complete the configuration of the deployment share.
-1. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
+23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
-1. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
+24. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
-1. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
+25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
> [!TIP]
> To copy the file, right-click the **LiteTouchPE_x86.iso** file, and select **Copy** on SRV1. Then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder, and select **Paste**.
-1. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
+26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands:
```powershell
New-VM -Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
@@ -561,9 +619,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
vmconnect localhost REFW10X64-001
```
-1. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
+27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
-1. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated.
+28. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated.
Other system restarts will occur to complete updating and preparing the OS. Setup will complete the following procedures:
@@ -579,7 +637,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
### Add a Windows 10 OS image
-1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+1. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
```powershell
New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
@@ -588,9 +646,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then select **Add Operating System Image**.
-3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**.
+3. On the Data Source page, under **Path:**, enter or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**.
-4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**.
+4. On the General page, next to **Name:**, enter **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**.
5. Distribute the OS image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** OS image and then clicking **Distribute Content**.
@@ -610,9 +668,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
2. On the Choose Template page, select the **Client Task Sequence** template and select **Next**.
-3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**.
+3. On the General page, enter **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**.
4. On the Details page, enter the following settings:
+
- Join a domain: **contoso.com**
- Account: Select **Set**
- User name: **contoso\CM_JD**
@@ -632,9 +691,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, select **OK**, and then select **Next**.
-7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**.
+7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**.
-8. On the MDT Details page, next to **Name:** type **MDT** and then select **Next**.
+8. On the MDT Details page, next to **Name:** enter **MDT** and then select **Next**.
9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, select **OK**, and then select **Next**.
@@ -644,9 +703,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, select **OK**, and then select **Next**.
-13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**.
+13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**.
-14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and select **Next**.
+14. On the Settings Details page, next to **Name:**, enter **Windows 10 x64 Settings**, and select **Next**.
15. On the Sysprep Package page, select **Next** twice.
@@ -663,6 +722,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
4. In the **State Restore** group, select the **Set Status 5** action, select **Add** in the upper left corner, point to **User State**, and select **Request State Store**. This action adds a new step immediately after **Set Status 5**.
5. Configure this **Request State Store** step with the following settings:
+
- Request state storage location to: **Restore state from another computer**
- Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
- Options tab: Select the **Continue on error** checkbox.
@@ -676,6 +736,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
6. In the **State Restore** group, select **Restore User State**, select **Add**, point to **User State**, and select **Release State Store**.
7. Configure this **Release State Store** step with the following settings:
+
- Options tab: Select the **Continue on error** checkbox.
- Add Condition: **Task Sequence Variable**:
- Variable: **USMTLOCAL**
@@ -704,10 +765,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
4. Select the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**.
-5. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+5. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
- ```powershell
- notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini"
+ ```cmd
+ notepad.exe "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini"
```
6. Replace the contents of the file with the following text, and then save the file:
@@ -735,9 +796,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
> OSDMigrateAdditionalCaptureOptions=/all
> ```
-7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears.
+7. Return to the Configuration Manager console, and in the **Software Library** workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears.
-8. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**.
+8. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**.
9. In the Distribute Content Wizard, select **Next** twice, select **Add**, select **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, select **OK**, select **Next** twice and then select **Close**.
@@ -745,7 +806,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
### Create a deployment for the task sequence
-1. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**.
+1. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**.
2. On the General page, next to **Collection**, select **Browse**, select the **All Unknown Computers** collection, select **OK**, and then select **Next**.
@@ -761,7 +822,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
In this first deployment scenario, you'll deploy Windows 10 using PXE. This scenario creates a new computer that doesn't have any migrated users or settings.
-1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+1. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
@@ -776,7 +837,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen
4. Before you select **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open.
-5. At the command prompt, type **explorer.exe** and review the Windows PE file structure.
+5. At the command prompt, enter **explorer.exe** and review the Windows PE file structure.
6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations:
- X:\Windows\temp\SMSTSLog\smsts.log before disks are formatted.
@@ -796,6 +857,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen
10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Select **Next** to continue with the deployment.
11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will:
+
- Install Windows 10
- Install the Configuration Manager client and hotfix
- Join the computer to the contoso.com domain
@@ -803,7 +865,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen
12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account.
-13. Right-click **Start**, select **Run**, type **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image.
+13. Right-click **Start**, select **Run**, enter **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image.
14. Shut down the PC4 VM.
@@ -821,19 +883,25 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe
### Create a replace task sequence
-1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**.
+1. On SRV1, in the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**.
2. On the Choose Template page, select **Client Replace Task Sequence** and select **Next**.
-3. On the General page, type the following information:
+3. On the General page, enter the following information:
+
- Task sequence name: **Replace Task Sequence**
- Task sequence comments: **USMT backup only**
4. Select **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Select **OK** and then select **Next** to continue.
+
5. On the MDT Package page, browse and select the **MDT** package. Select **OK** and then select **Next** to continue.
+
6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Select **OK** and then select **Next** to continue.
+
7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Select **OK** and then select **Next** to continue.
+
8. On the Summary page, review the details and then select **Next**.
+
9. On the Confirmation page, select **Finish**.
> [!NOTE]
@@ -841,7 +909,7 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe
### Deploy PC4
-Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
@@ -856,61 +924,66 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
-1. If you haven't already saved a checkpoint for PC1, then do it now. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+2. If you haven't already saved a checkpoint for PC1, then do it now. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name PC1 -SnapshotName BeginState
```
-1. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**.
-1. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
-1. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times.
-1. When a popup dialog box asks if you want to run full discovery, select **Yes**.
-1. In the Assets and Compliance workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
+3. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**.
+
+4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
+
+5. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times.
+
+6. When a popup dialog box asks if you want to run full discovery, select **Yes**.
+
+7. In the **Assets and Compliance** workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
> [!TIP]
> If you don't see the computer account for PC1, select **Refresh** in the upper right corner of the console.
The **Client** column indicates that the Configuration Manager client isn't currently installed. This procedure will be carried out next.
-1. Sign in to PC1 using the contoso\administrator account and type the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists.
+8. Sign in to PC1 using the contoso\administrator account and enter the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists.
> [!Note]
- > This command requires an elevated _command prompt_, not an elevated Windows PowerShell prompt.
+ > This command requires an elevated command prompt, not an elevated Windows PowerShell prompt.
- ```dos
- sc stop ccmsetup
+ ```cmd
+ sc.exe stop ccmsetup
"\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall
```
> [!NOTE]
> If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by `CCMSetup /Uninstall` and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](/archive/blogs/michaelgriswold/manual-removal-of-the-sccm-client).
-1. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type:
+9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, enter:
- ```dos
- net stop wuauserv
- net stop BITS
+ ```cmd
+ net.exe stop wuauserv
+ net.exe stop BITS
```
- Verify that both services were stopped successfully, then type the following command at an elevated command prompt:
+ Verify that both services were stopped successfully, then enter the following command at an elevated command prompt:
- ```dos
+ ```cmd
del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
- net start BITS
- bitsadmin /list /allusers
+ net.exe start BITS
+ bitsadmin.exe /list /allusers
```
Verify that BITSAdmin displays zero jobs.
-1. To install the Configuration Manager client as a standalone process, type the following command at an elevated command prompt:
+10. To install the Configuration Manager client as a standalone process, enter the following command at an elevated command prompt:
- ```dos
+ ```cmd
"\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1
```
-1. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
-1. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress:
+11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
+
+12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can enter the following command at an elevated Windows PowerShell prompt to monitor installation progress:
```powershell
Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait
@@ -918,21 +991,21 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This behavior is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file. Then press **CTRL-C** to break out of the Get-Content operation. If you're viewing the log file in Windows PowerShell, the last line will be wrapped. A return code of `0` indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site.
-1. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt:
+13. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt:
- ```dos
- control smscfgrc
+ ```cmd
+ control.exe smscfgrc
```
-1. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example:
+14. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example:
If the client isn't able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the client can't locate the site code is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode**, delete or update this entry.
-1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.
+15. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.
-1. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
+16. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
@@ -941,9 +1014,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
### Create a device collection and deployment
-1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**.
+1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**.
2. Use the following settings in the **Create Device Collection Wizard**:
+
- General > Name: **Install Windows 10 Enterprise x64**
- General > Limiting collection: **All Systems**
- Membership Rules > Add Rule: **Direct Rule**
@@ -956,7 +1030,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed.
-4. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**.
+4. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**.
5. Use the following settings in the Deploy Software wizard:
- General > Collection: Select Browse and select **Install Windows 10 Enterprise x64**
@@ -971,24 +1045,25 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
### Associate PC4 with PC1
-1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then select **Import Computer Information**.
+1. On SRV1 in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Devices** and then select **Import Computer Information**.
2. On the Select Source page, choose **Import single computer** and select **Next**.
3. On the Single Computer page, use the following settings:
+
- Computer Name: **PC4**
- MAC Address: **00:15:5D:83:26:FF**
- - Source Computer: \
+ - Source Computer: \
4. Select **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then select the yellow starburst next to **User accounts to migrate**.
-5. Select **Browse** and then under Enter the object name to select type **user1** and select OK twice.
+5. Select **Browse** and then under **Enter the object name to select** enter **user1** and select **OK** twice.
6. Select the yellow starburst again and repeat the previous step to add the **contoso\administrator** account.
7. Select **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, select **Browse**, choose **Install Windows 10 Enterprise x64**, select **OK**, select **Next** twice, and then select **Close**.
-8. In the Assets and Compliance workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**.
+8. In the **Assets and Compliance** workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration enter will be **side-by-side**.
9. Right-click the association in the display pane and then select **Specify User Accounts**. You can add or remove user account here. Select **OK**.
@@ -1000,9 +1075,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
### Create a device collection for PC1
-1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**.
+1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**.
2. Use the following settings in the **Create Device Collection Wizard**:
+
- General > Name: **USMT Backup (Replace)**
- General > Limiting collection: **All Systems**
- Membership Rules > Add Rule: **Direct Rule**
@@ -1032,15 +1108,15 @@ In the Configuration Manager console, in the **Software Library** workspace, und
1. On PC1, open the Configuration Manager control panel applet by typing the following command in a command prompt:
- ```dos
- control smscfgrc
+ ```cmd
+ control.exe smscfgrc
```
2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, select **OK**, and then select **OK** again. This method is one that you can use to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure.
-3. Type the following command at an elevated command prompt to open the Software Center:
+3. Enter the following command at an elevated command prompt to open the Software Center:
- ```dos
+ ```cmd
C:\Windows\CCM\SCClient.exe
```
@@ -1052,26 +1128,30 @@ In the Configuration Manager console, in the **Software Library** workspace, und
> If you don't see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
5. Select **INSTALL SELECTED** and then select **INSTALL OPERATING SYSTEM**.
+
6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup.
### Deploy the new computer
-1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Start-VM PC4
vmconnect localhost PC4
```
-1. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**.
-1. Choose the **Windows 10 Enterprise X64** image.
-1. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1.
-1. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host.
+2. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**.
+
+3. Choose the **Windows 10 Enterprise X64** image.
+
+4. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1.
+
+5. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host.
> [!Note]
> The next procedure will install a new OS on PC1, and update its status in Configuration Manager and in Active Directory as a Windows 10 device. So you can't return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this action for all VMs.
- To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+ To save a checkpoint for all VMs, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```powershell
Checkpoint-VM -Name DC1 -SnapshotName cm-refresh
@@ -1083,14 +1163,17 @@ In the Configuration Manager console, in the **Software Library** workspace, und
### Initiate the computer refresh
-1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**.
+1. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**.
+
2. Right-click the computer account for PC1, point to **Client Notification**, select **Download Computer Policy**, and select **OK** in the popup dialog box.
+
3. On PC1, in the notification area, select **New software is available** and then select **Open Software Center**.
+
4. In the Software Center, select **Operating Systems**, select **Windows 10 Enterprise x64**, select **Install** and then select **INSTALL OPERATING SYSTEM**. See the following example:
- The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example:
+ The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the **Monitoring** workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed. See the following example:
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 376a7ff9c4..0998486d71 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -9,12 +9,12 @@ ms.prod: windows-client
ms.technology: itpro-deploy
ms.localizationpriority: medium
ms.topic: tutorial
-ms.date: 10/31/2022
+ms.date: 11/23/2022
---
# Step by step guide: Configure a test lab to deploy Windows 10
-*Applies to*
+*Applies to:*
- Windows 10
@@ -69,6 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate
One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process.
- **Computer 1**: the computer you'll use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
+
- **Computer 2**: a client computer from your network. It's shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you don't have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you can't create this VM using computer 2.
Hardware requirements are displayed below:
@@ -92,7 +93,9 @@ The lab architecture is summarized in the following diagram:
- Computer 1 is configured to host four VMs on a private, PoC network.
+
- Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
+
- Two VMs are client systems: One VM is intended to mirror a host on your network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
> [!NOTE]
@@ -120,8 +123,8 @@ Starting with Windows 8, the host computer's microprocessor must support second
1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
- ```console
- C:\>systeminfo
+ ```cmd
+ C:\>systeminfo.exe
...
Hyper-V Requirements: VM Monitor Mode Extensions: Yes
@@ -136,8 +139,8 @@ Starting with Windows 8, the host computer's microprocessor must support second
You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
- ```console
- C:\>coreinfo -v
+ ```cmd
+ C:\>coreinfo.exe -v
Coreinfo v3.31 - Dump information on system CPU and memory topology
Copyright (C) 2008-2014 Mark Russinovich
@@ -205,7 +208,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
The following example displays the procedures described in this section, both before and after downloading files:
- ```console
+ ```cmd
C:>mkdir VHD
C:>cd VHD
C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
@@ -225,13 +228,23 @@ When you have completed installation of Hyper-V on the host computer, begin conf
If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM:
-1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page.
+1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page.
+
+ > [!NOTE]
+ > The above link may not be available in all locales.
+
2. Under **Virtual machine**, choose **IE11 on Win7**.
+
3. Under **Select platform**, choose **HyperV (Windows)**.
+
4. Select **Download .zip**. The download is 3.31 GB.
+
5. Extract the zip file. Three directories are created.
+
6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
+
7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx).
+
8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
If you have a PC available to convert to VM (computer 2):
@@ -242,6 +255,7 @@ If you have a PC available to convert to VM (computer 2):
> The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the network.
2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
+
3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
#### Determine the VM generation and partition type
@@ -256,6 +270,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio
If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM.
- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**.
+
- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command:
```powershell
@@ -265,7 +280,7 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to
If the **Type** column doesn't indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
```powershell
-PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
SystemName Caption Type
---------- ------- ----
@@ -276,7 +291,7 @@ USER-PC1 Disk #0, Partition #1 GPT
On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
```powershell
-PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
SystemName Caption Type
---------- ------- ----
@@ -293,34 +308,32 @@ Number Friendly Name OperationalStatus Tota
0 INTEL SSDSCMMW240A3L Online 223.57 GB GPT
```
-
-
-**Choosing a VM generation**
+##### Choosing a VM generation
The following tables display the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
-**Windows 7 MBR**
+###### Windows 7 MBR
|Architecture|VM generation|Procedure|
|--- |--- |--- |
|32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
|64|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
-**Windows 7 GPT**
+###### Windows 7 GPT
|Architecture|VM generation|Procedure|
|--- |--- |--- |
|32|N/A|N/A|
|64|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)|
-**Windows 8 or later MBR**
+###### Windows 8 or later MBR
|Architecture|VM generation|Procedure|
|--- |--- |--- |
|32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
|64|1, 2|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
-**Windows 8 or later GPT**
+###### Windows 8 or later GPT
|Architecture|VM generation|Procedure|
|--- |--- |--- |
@@ -347,7 +360,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
3. Select the checkboxes next to the `C:\` and the **system reserved** (BIOS/MBR) volumes. The system volume isn't assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to `\?\Volume{`. See the following example.
> [!IMPORTANT]
- > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
+ > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Choosing a VM generation](#choosing-a-vm-generation).
4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and select **Create**. See the following example:
@@ -374,13 +387,14 @@ The following tables display the Hyper-V VM generation to choose based on the OS
2. On the computer you wish to convert, open an elevated command prompt and type the following command:
- ```console
- mountvol s: /s
+ ```cmd
+ mountvol.exe s: /s
```
This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+
4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy won't work if the EFI system partition is selected.
> [!IMPORTANT]
@@ -394,7 +408,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
- ```console
+ ```cmd
C:\vhd>dir /B
2012R2-poc-1.vhd
2012R2-poc-2.vhd
@@ -409,6 +423,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+
3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**.
> [!NOTE]
@@ -524,7 +539,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
> [!NOTE]
> The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
-5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
+5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Choosing a VM generation](#choosing-a-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
To create a generation 1 VM (using c:\vhd\w7.vhdx):
@@ -574,19 +589,23 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
The VM will automatically boot into Windows Setup. In the PC1 window:
1. Select **Next**.
+
2. Select **Repair your computer**.
+
3. Select **Troubleshoot**.
+
4. Select **Command Prompt**.
+
5. Type the following command to save an image of the OS drive:
- ```console
- dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
+ ```cmd
+ dism.exe /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
```
6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
- ```console
- diskpart
+ ```cmd
+ diskpart.exe
select disk 0
clean
convert MBR
@@ -601,14 +620,16 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
7. Type the following commands to restore the OS image and boot files:
- ```console
- dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
- bcdboot c:\windows
+ ```cmd
+ dism.exe /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
+ bcdboot.exe c:\windows
exit
```
8. Select **Continue** and verify the VM boots successfully. Don't boot from DVD.
+
9. Select **Ctrl+Alt+Del**, and then in the bottom right corner, select **Shut down**.
+
10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
```powershell
@@ -626,8 +647,14 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
```
2. Select **Next** to accept the default settings, read the license terms and select **I accept**, provide a strong administrator password, and select **Finish**.
+
3. Select **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
-4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM.
+
+4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account.
+
+ > [!NOTE]
+ > Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM.
+
5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
```powershell
@@ -690,7 +717,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
The following output should be displayed:
- ```powershell
+ ```console
UseRootHint : True
Timeout(s) : 3
EnableReordering : True
@@ -752,8 +779,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
To open Windows PowerShell on Windows 7, select **Start**, and search for "**power**." Right-click **Windows PowerShell** and then select **Pin to Taskbar** so that it's simpler to use Windows PowerShell during this lab. Select **Windows PowerShell** on the taskbar, and then type `ipconfig` at the prompt to see the client's current IP address. Also type `ping dc1.contoso.com` and `nltest /dsgetdc:contoso.com` to verify that it can reach the domain controller. See the following examples of a successful network connection:
- ```console
- ipconfig
+ ```cmd
+ ipconfig.exe
Windows IP Configuration
@@ -909,8 +936,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
33. In most cases, this process completes configuration of the PoC network. However, if your network has a firewall that filters queries from local DNS servers, you'll also need to configure a server-level DNS forwarder on SRV1 to resolve internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
- ```powershell
- ping www.microsoft.com
+ ```cmd
+ ping.exe www.microsoft.com
```
If you see "Ping request couldn't find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you'll need to configure a server-level DNS forwarder on SRV1. To do this action, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
@@ -924,8 +951,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
34. If DNS and routing are both working correctly, you'll see the following output on DC1 and PC1 (the IP address might be different, but that's OK):
- ```powershell
- PS C:\> ping www.microsoft.com
+ ```cmd
+ ping www.microsoft.com
Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
@@ -943,7 +970,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in three days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
```powershell
- runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
+ runas.exe /noprofile /env /user:administrator@contoso.com "cmd.exe /c slmgr -rearm"
Restart-Computer
```
@@ -963,7 +990,7 @@ Use the following procedures to verify that the PoC environment is configured pr
Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
Get-DhcpServerInDC
Get-DhcpServerv4Statistics
- ipconfig /all
+ ipconfig.exe /all
```
**Get-Service** displays a status of "Running" for all three services.
@@ -988,8 +1015,8 @@ Use the following procedures to verify that the PoC environment is configured pr
Get-Service DNS,RemoteAccess
Get-DnsServerForwarder
Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
- ipconfig /all
- netsh int ipv4 show address
+ ipconfig.exe /all
+ netsh.exe int ipv4 show address
```
**Get-Service** displays a status of "Running" for both services.
@@ -1004,38 +1031,38 @@ Use the following procedures to verify that the PoC environment is configured pr
3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
- ```powershell
- whoami
- hostname
- nslookup www.microsoft.com
- ping -n 1 dc1.contoso.com
- tracert www.microsoft.com
+ ```cmd
+ whoami.exe
+ hostname.exe
+ nslookup.exe www.microsoft.com
+ ping.exe -n 1 dc1.contoso.com
+ tracert.exe www.microsoft.com
```
- **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
+ **whoami.exe** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
- **hostname** displays the name of the local computer, for example W7PC-001.
+ **hostname.exe** displays the name of the local computer, for example W7PC-001.
- **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
+ **nslookup.exe** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
- **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target.
+ **ping.exe** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target.
- **tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
+ **tracert.exe** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
## Appendix B: Terminology used in this guide
|Term|Definition|
|--- |--- |
-|GPT|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.|
-|Hyper-V|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.|
-|Hyper-V host|The computer where Hyper-V is installed.|
-|Hyper-V Manager|The user-interface console used to view and configure Hyper-V.|
-|MBR|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.|
-|Proof of concept (PoC)|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.|
-|Shadow copy|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.|
-|Virtual machine (VM)|A VM is a virtual computer with its own operating system, running on the Hyper-V host.|
-|Virtual switch|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.|
-|VM snapshot|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.|
+|**GPT**|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.|
+|**Hyper-V**|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.|
+|**Hyper-V host**|The computer where Hyper-V is installed.|
+|**Hyper-V Manager**|The user-interface console used to view and configure Hyper-V.|
+|**MBR**|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.|
+|**Proof of concept (PoC)**|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.|
+|**Shadow copy**|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.|
+|**Virtual machine (VM)**|A VM is a virtual computer with its own operating system, running on the Hyper-V host.|
+|**Virtual switch**|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.|
+|**VM snapshot**|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.|
## Next steps
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
index e5ceaf1248..7bfe334519 100644
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -9,13 +9,13 @@ ms.prod: windows-client
ms.collection:
- M365-modern-desktop
ms.topic: article
-ms.date: 10/31/2022
+ms.date: 11/23/2022
ms.technology: itpro-deploy
---
# Switch to Windows 10 Pro or Enterprise from S mode
-We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
+We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
Many other transformations are possible depending on which version and edition of Windows 10 you're starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means:
@@ -37,20 +37,26 @@ Many other transformations are possible depending on which version and edition o
| | Home | Not by any method | Not by any method | Not by any method |
Use the following information to switch to Windows 10 Pro through the Microsoft Store.
+
> [!IMPORTANT]
> While it's free to switch to Windows 10 Pro, it's not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
## Switch one device through the Microsoft Store
+
Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
Note these differences affecting switching modes in various releases of Windows 10:
- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible.
-- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
-- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
-1. Sign into the Microsoft Store using your Microsoft account.
+- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
+
+- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
+
+1. Sign into the Microsoft Store using your Microsoft account.
+
2. Search for "S mode".
+
3. In the offer, select **Buy**, **Get**, or **Learn more.**
You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
@@ -60,13 +66,14 @@ You'll be prompted to save your files before the switch starts. Follow the promp
Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE. Switching out of S mode gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
1. Start Microsoft Intune.
-2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**.
+
+2. Navigate to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch**.
+
3. Follow the instructions to complete the switch.
## Block users from switching
-You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10.
-To set this policy, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
+You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. To set this policy, go to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
## S mode management with CSPs
@@ -77,4 +84,4 @@ In addition to using Microsoft Intune or another modern device management tool t
[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
[Windows 10 Pro Education](/education/windows/test-windows10s-for-edu)
-[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune)
\ No newline at end of file
+[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune)
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 29d62e08fa..af9938ad6a 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -13,7 +13,7 @@ ms.collection:
search.appverid:
- MET150
ms.topic: conceptual
-ms.date: 10/31/2022
+ms.date: 11/23/2022
appliesto:
- ✅ Windows 10
- ✅ Windows 11
@@ -98,7 +98,7 @@ The following list illustrates how deploying Windows client has evolved with eac
> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
> [!IMPORTANT]
-> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
+> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
@@ -144,7 +144,7 @@ You can benefit by moving to Windows as an online service in the following ways:
> [!NOTE]
> The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions.
-The device is Azure AD-joined from **Settings > Accounts > Access work or school**.
+The device is Azure AD-joined from **Settings** > **Accounts** > **Access work or school**.
You assign Windows 10 Enterprise to a user:
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index f2fce638d0..f38cf33ebe 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -6,7 +6,7 @@ ms.author: frankroj
manager: aaroncz
ms.prod: windows-client
ms.localizationpriority: medium
-ms.date: 10/31/2022
+ms.date: 11/23/2022
ms.topic: article
ms.technology: itpro-deploy
---
@@ -19,50 +19,50 @@ In previous releases of Windows, the Windows ADK docs were published on both Tec
Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center.
-### Create a Windows image using command-line tools
+## Create a Windows image using command-line tools
[DISM](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) is used to mount and service Windows images.
Here are some things you can do with DISM:
-- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
-- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image)
-- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism)
-- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism)
-- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
-- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism)
-- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism)
+- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
+- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image)
+- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism)
+- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism)
+- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
+- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism)
+- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism)
[Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows you to capture a customized installation.
Here are some things you can do with Sysprep:
-- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation)
-- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
-- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep)
+- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation)
+- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
+- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep)
[Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that doesn't have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
Here are ways you can create a WinPE image:
-- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
-- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
+- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
+- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
[Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is a recovery environment that can repair common operating system problems.
Here are some things you can do with Windows RE:
-- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re)
-- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview)
+- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re)
+- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview)
[Windows System Image Manager (Windows SIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps you create answer files that change Windows settings and run scripts during installation.
Here are some things you can do with Windows SIM:
-- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file)
-- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file)
-- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file)
-- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file)
+- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file)
+- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file)
+- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file)
+- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file)
For a list of settings you can change, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/) on the MSDN Hardware Dev Center.
@@ -72,12 +72,12 @@ Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/wi
Here are some things you can do with Windows ICD:
-- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
-- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
+- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
+- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
### IT Pro Windows deployment tools
There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet:
-- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
-- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
\ No newline at end of file
+- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
+- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index f2950818eb..5d31d988ca 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -50,6 +50,19 @@
href: operate/windows-autopatch-wqu-end-user-exp.md
- name: Windows quality update signals
href: operate/windows-autopatch-wqu-signals.md
+ - name: Windows quality update reports
+ href: operate/windows-autopatch-wqu-reports-overview.md
+ items:
+ - name: Summary dashboard
+ href: operate/windows-autopatch-wqu-summary-dashboard.md
+ - name: All devices report
+ href: operate/windows-autopatch-wqu-all-devices-report.md
+ - name: All devices report—historical
+ href: operate/windows-autopatch-wqu-all-devices-historical-report.md
+ - name: Eligible devices report—historical
+ href: operate/windows-autopatch-wqu-eligible-devices-historical-report.md
+ - name: Ineligible devices report—historical
+ href: operate/windows-autopatch-wqu-ineligible-devices-historical-report.md
- name: Windows feature updates
href: operate/windows-autopatch-fu-overview.md
items:
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-historical-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-historical-report.png
new file mode 100644
index 0000000000..4a7cf97197
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-historical-report.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-report.png
new file mode 100644
index 0000000000..31350b563f
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-report.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-eligible-devices-historical-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-eligible-devices-historical-report.png
new file mode 100644
index 0000000000..cb56852f3d
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-eligible-devices-historical-report.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-ineligible-devices-historical-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-ineligible-devices-historical-report.png
new file mode 100644
index 0000000000..2aeacfd0d5
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-ineligible-devices-historical-report.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-summary-dashboard.png b/windows/deployment/windows-autopatch/media/windows-autopatch-summary-dashboard.png
new file mode 100644
index 0000000000..82cb1b1fcd
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-summary-dashboard.png differ
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md
new file mode 100644
index 0000000000..3808dd45a7
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md
@@ -0,0 +1,40 @@
+---
+title: All devices report—historical
+description: Provides a visual representation of the update status trend for all devices over the last 90 days.
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: adnich
+---
+
+# All devices report—historical
+
+The historical All devices report provides a visual representation of the update status trend for all devices over the last 90 days.
+
+**To view the historical All devices report:**
+
+1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
+1. Select the **Reports** tab.
+1. Select **All devices report—historical**.
+
+:::image type="content" source="../media/windows-autopatch-all-devices-historical-report.png" alt-text="All devices—historical report" lightbox="../media/windows-autopatch-all-devices-historical-report.png":::
+
+> [!NOTE]
+> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
+| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
+
+For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md
new file mode 100644
index 0000000000..5536a42c04
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md
@@ -0,0 +1,56 @@
+---
+title: All devices report
+description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices.
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: adnich
+---
+
+# All devices report
+
+The All devices report provides a per device view of the current update status for all Windows Autopatch enrolled devices.
+
+**To view the All devices report:**
+
+1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
+1. Select the **Reports** tab.
+1. Select **All devices report**.
+
+:::image type="content" source="../media/windows-autopatch-all-devices-report.png" alt-text="All devices report" lightbox="../media/windows-autopatch-all-devices-report.png":::
+
+> [!NOTE]
+> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page.
+
+## Report information
+
+The following information is available in the All devices report:
+
+| Column name | Description |
+| ----- | ----- |
+| Device name | The name of the device. |
+| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device. |
+| Serial number | The current Intune recorded serial number for the device. |
+| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. |
+| Update status | The current update status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)). |
+| Update sub status | The current update sub status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)) |
+| OS version | The current version of Windows installed on the device. |
+| OS revision | The current revision of Windows installed on the device. |
+| Intune last check in time | The last time the device checked in to Intune. |
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Search | Use to search by device name, Azure AD device ID or serial number |
+| Sort | Select the **column headings** to sort the report data in ascending and descending order. |
+| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
+| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate report**. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md
new file mode 100644
index 0000000000..4e4e383213
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md
@@ -0,0 +1,40 @@
+---
+title: Eligible devices report—historical
+description: Provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: adnich
+---
+
+# Eligible devices report—historical
+
+The historical Eligible devices report provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
+
+**To view the historical Eligible devices report:**
+
+1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
+1. Select the **Reports** tab.
+1. Select **Eligible devices report—historical**.
+
+:::image type="content" source="../media/windows-autopatch-eligible-devices-historical-report.png" alt-text="Eligible devices—historical report" lightbox="../media/windows-autopatch-eligible-devices-historical-report.png":::
+
+> [!NOTE]
+> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
+| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
+
+For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md
new file mode 100644
index 0000000000..733ee98e88
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md
@@ -0,0 +1,43 @@
+---
+title: Ineligible devices report—historical
+description: Provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: adnich
+---
+
+# Ineligible devices report—historical
+
+The historical Ineligible devices report provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
+
+> [!NOTE]
+> Devices must have at least six hours of usage, with at least two hours being continuous. You may see an increase in the number of ineligible devices when the widget refreshes every second Tuesday of each month.
+
+**To view the historical Ineligible devices report:**
+
+1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
+1. Select the **Reports** tab.
+1. Select **Ineligible devices report—historical**.
+
+:::image type="content" source="../media/windows-autopatch-ineligible-devices-historical-report.png" alt-text="Ineligible devices—historical report" lightbox="../media/windows-autopatch-ineligible-devices-historical-report.png":::
+
+> [!NOTE]
+> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
+| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
+
+For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md
new file mode 100644
index 0000000000..24dad31605
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md
@@ -0,0 +1,110 @@
+---
+title: Windows quality update reports
+description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: adnich
+---
+
+# Windows quality update reports
+
+The Windows quality update reports provide you information about:
+
+- Quality update device eligibility
+- Device update health
+- Device update trends
+
+Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
+
+The report types are organized into the following focus areas:
+
+| Focus area | Description |
+| ----- | ----- |
+| Operational detail | - [Summary dashboard](windows-autopatch-wqu-summary-dashboard.md): Provides the current update status summary for all devices.
- [All devices report](windows-autopatch-wqu-all-devices-report.md): Provides the current update status of all devices at the device level.
|
+| Device trends | - [All devices report – historical](windows-autopatch-wqu-all-devices-historical-report.md): Provides the update status trend of all devices over the last 90 days.
- [Eligible devices report – historical](windows-autopatch-wqu-eligible-devices-historical-report.md): Provides the update status trend of all eligible devices to receive quality updates over the last 90 days.
- [Ineligible devices report – historical](windows-autopatch-wqu-ineligible-devices-historical-report.md): Provides a trending view of why ineligible devices haven’t received quality updates over the last 90 days.
|
+
+## Who can access the reports?
+
+Users with the following permissions can access the reports:
+
+- Global Administrator
+- Intune Service Administrator
+- Administrators assigned to an Intune role with read permissions
+
+## About data latency
+
+The data source for these reports is the [Windows diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours.
+
+## Windows quality update statuses
+
+The following statuses are used throughout the Windows Autopatch reporting suite to describe the quality update status for devices:
+
+- [Healthy devices](#healthy-devices)
+- [Not Up to Date (Microsoft Action)](#not-up-to-date-microsoft-action)
+- [Ineligible Devices (Customer Action)](#ineligible-devices-customer-action)
+
+Each status has its own set of sub statuses to further describe the status.
+
+### Healthy devices
+
+Healthy devices are devices that meet all of the following prerequisites:
+
+- [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
+- [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration)
+- [Windows quality update device eligibility](../operate/windows-autopatch-wqu-overview.md#device-eligibility)
+
+> [!NOTE]
+> Healthy devices will remain with the **In Progress** status for the 21-day service level objective period. Devices which are **Paused** are also considered healthy.
+
+| Sub status | Description |
+| ----- | ----- |
+| Up to Date | Devices are up to date with the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) |
+| In Progress | Devices are currently installing the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) |
+| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release Management pause. For more information, see [Pausing and resuming a release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). |
+
+### Not Up to Date (Microsoft Action)
+
+Not Up to Date means a device isn’t up to date when the:
+
+- Quality update is more than a month out of date, or the device is on last month’s quality update
+- Device is more than 21 days overdue from the last release.
+
+> [!NOTE]
+> Microsoft Action refers to the responsibility of the Windows Autopatch Service Engineering Team to carry out the appropriate action to resolve the reported device state. Windows Autopatch aims to keep at least [95% of eligible devices on the latest Windows quality update 21 days after release](../operate/windows-autopatch-wqu-overview.md#service-level-objective).
+
+| Sub status | Description |
+| ----- | ----- |
+| No Heartbeat | The Windows Update service hasn’t been able to connect to this device. The service can’t offer the update to that device. |
+| Not Offered | The Windows Update service hasn’t offered the update to that device. |
+| Policy Blocking Update | This device has a policy that is blocking the update, such as a deferral or pause policy. Devices are only in this state after the 21-day threshold. |
+| In Progress—Stuck | This device has downloaded the update but is getting stuck in a loop during the install process. The update isn’t complete. |
+| Other | This device isn't up to date and isn’t reporting back data from the client. |
+
+### Ineligible Devices (Customer Action)
+
+Customer Action refers to the responsibility of the designated customer IT administrator to carry out the appropriate action to resolve the reported device sub status.
+
+Within each 24-hour reporting period, devices that are ineligible are updated with one of the following sub statuses.
+
+| Sub status | Description |
+| ----- | ----- |
+| Insufficient Usage | Devices must have at least six hours of usage, with at least two hours being continuous. |
+| Low Connectivity | Devices must have a steady internet connection, and access to [Windows update endpoints](../prepare/windows-autopatch-configure-network.md). |
+| Out of Disk Space | Devices must have more than one GB (GigaBytes) of free storage space. |
+| Not Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
+| Not On Supported on Windows Edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). |
+| Not On Supported Windows Build | Devices must be on a Windows build supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). |
+| Intune Sync Older Than 5 Days | Devices must have checked with Intune within the last five days. |
+
+## Data export
+
+Select **Export devices** to export data for each report type.
+
+> [!NOTE]
+> You can’t export Windows Autopatch report data using Microsoft Graph RESTful web API.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md
new file mode 100644
index 0000000000..735136be22
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md
@@ -0,0 +1,44 @@
+---
+title: Summary dashboard
+description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: adnich
+---
+
+# Summary dashboard
+
+The Summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
+
+**To view the current update status for all your enrolled devices:**
+
+1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
+
+:::image type="content" source="../media/windows-autopatch-summary-dashboard.png" alt-text="Summary dashboard" lightbox="../media/windows-autopatch-summary-dashboard.png":::
+
+> [!NOTE]
+> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page.
+
+## Report information
+
+The following information is available in the Summary dashboard:
+
+| Column name | Description |
+| ----- | ----- |
+| Windows quality update status | The device update state. For more information, see [Windows quality update status](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). |
+| Devices | The number of devices showing as applicable for the state. |
+
+## Report options
+
+The following option is available:
+
+| Option | Description |
+| ----- | ----- |
+| Refresh | The option to **Refresh** the Summary dashboard is available at the top of the page. This process will ensure that the Summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index 01a4100390..854b107c86 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -14,9 +14,7 @@ msreviewer: hathind
# Fix issues found by the Readiness assessment tool
-Seeing issues with your tenant? This article details how to remediate issues found with your tenant.
-
-If you need more assistance with tenant enrollment, you can submit a [tenant enrollment support request](#submit-a-support-request).
+Seeing issues with your tenant? This article details how to remediate issues found with your tenant.
## Check results
@@ -72,27 +70,3 @@ Windows Autopatch requires the following licenses:
| Result | Meaning |
| ----- | ----- |
| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
-
-## Submit a support request
-
-> [!IMPORTANT]
-> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues.
-
-If you need more assistance with tenant enrollment, you can submit support tickets to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
-
-**To submit a new support request:**
-
-1. If the Readiness assessment tool fails, remediation steps can be found by selecting **View details** under **Management settings** and then selecting the individual check. The **Contact Support** button will be available below remediation instructions in the fly-in-pane.
-2. Enter your question(s) and/or a description of the problem.
-3. Review all the information you provided for accuracy.
-4. When you're ready, select **Create**.
-
-### Manage an active support request
-
-The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. If you have a question about the case, the best way to get in touch is to reply directly to one of the emails. If we have questions about your request or need more details, we'll email the primary contact listed in the support request.
-
-**To view all your active pre-enrollment support requests:**
-
-1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
-1. In the **Windows Autopatch** section, select **Tenant Enrollment**.
-1. Select the **Support history** tab. You can view the list of all support cases, or select an individual case to view the details.
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index b2ac14cb00..f14ae95741 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -29,9 +29,6 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
| ----- | ------ | ----- |
| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | - DeviceManagementApps.ReadWrite.All
- DeviceManagementConfiguration.ReadWrite.All
- DeviceManagementManagedDevices.PriviligedOperation.All
- DeviceManagementManagedDevices.ReadWrite.All
- DeviceManagementRBAC.ReadWrite.All
- DeviceManagementServiceConfig.ReadWrite.All
- Directory.Read.All
- Group.Create
- Policy.Read.All
- WindowsUpdates.Read.Write.All
|
-> [!NOTE]
-> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.
-
### Service principal
Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:
diff --git a/windows/deployment/windows-autopilot/index.yml b/windows/deployment/windows-autopilot/index.yml
index edec9d080e..567e5d62a8 100644
--- a/windows/deployment/windows-autopilot/index.yml
+++ b/windows/deployment/windows-autopilot/index.yml
@@ -6,12 +6,10 @@ summary: 'Note: Windows Autopilot documentation has moved! A few more resources
metadata:
title: Windows Autopilot deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
- services: windows-10
- ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
- ms.subservice: subservice
- ms.topic: landing-page # Required
+ ms.topic: landing-page
+ ms.prod: windows-client
+ ms.technology: itpro-deploy
ms.collection:
- - windows-10
- highpri
author: frankroj
ms.author: frankroj
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index d939130747..b6ac225f0e 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -6,7 +6,7 @@ ms.author: frankroj
author: frankroj
ms.prod: windows-client
ms.topic: article
-ms.date: 10/31/2022
+ms.date: 11/23/2022
ms.technology: itpro-deploy
---
@@ -32,13 +32,13 @@ DISM is one of the deployment tools included in the Windows ADK and is used for
DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source:
-``` syntax
+```cmd
Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess
```
In Windows 10, you can use Windows PowerShell for many of the functions done by DISM.exe. The equivalent command in Windows 10 using PowerShell is:
-``` syntax
+```powershell
Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
-Source D:\Sources\SxS -LimitAccess
```
@@ -55,15 +55,15 @@ USMT is a backup and restore tool that allows you to migrate user state, data, a
USMT includes several command-line tools, the most important of which are ScanState and LoadState:
-- **ScanState.exe.** This tool performs the user-state backup.
-- **LoadState.exe.** This tool performs the user-state restore.
-- **UsmtUtils.exe.** This tool supplements the functionality in ScanState.exe and LoadState.exe.
+- **ScanState.exe**: This tool performs the user-state backup.
+- **LoadState.exe**: This tool performs the user-state restore.
+- **UsmtUtils.exe**: This tool supplements the functionality in ScanState.exe and LoadState.exe.
In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates:
-- **Migration templates.** The default templates in USMT.
-- **Custom templates.** Custom templates that you create.
-- **Config template.** An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates.
+- **Migration templates**: The default templates in USMT.
+- **Custom templates**: Custom templates that you create.
+- **Config template**: An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates.
@@ -73,60 +73,21 @@ USMT supports capturing data and settings from Windows Vista and later, and rest
By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings:
-- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
-- Specific file types.
-
- USMT templates migrate the following file types:
+- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
- - `.accdb`
- - `.ch3`
- - `.csv`
- - `.dif`
- - `.doc*`
- - `.dot*`
- - `.dqy`
- - `.iqy`
- - `.mcw`
- - `.mdb*`
- - `.mpp`
- - `.one*`
- - `.oqy`
- - `.or6`
- - `.pot*`
- - `.ppa`
- - `.pps*`
- - `.ppt*`
- - `.pre`
- - `.pst`
- - `.pub`
- - `.qdf`
- - `.qel`
- - `.qph`
- - `.qsd`
- - `.rqy`
- - `.rtf`
- - `.scd`
- - `.sh3`
- - `.slk`
- - `.txt`
- - `.vl*`
- - `.vsd`
- - `.wk*`
- - `.wpd`
- - `.wps`
- - `.wq1`
- - `.wri`
- - `.xl*`
- - `.xla`
- - `.xlb`
- - `.xls*`
-
+- The following specific file types:
+
+ `.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*`
+
+ > [!NOTE]
+ > The asterisk (`*`) stands for zero or more characters.
> [!NOTE]
> The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default.
-- Operating system component settings
-- Application settings
+- Operating system component settings
+
+- Application settings
These settings are migrated by the default MigUser.xml and MigApp.xml templates. For more information, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more general information on USMT, see [USMT technical reference](./usmt/usmt-reference.md).
@@ -160,7 +121,7 @@ The updated Volume Activation Management Tool.
VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type:
-``` syntax
+```powershell
Get-VamtProduct
```
@@ -178,7 +139,7 @@ A machine booted with the Windows ADK default Windows PE boot image.
For more information on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro).
-## Windows Recovery Environment
+## Windows Recovery Environment
Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you'll see an automatic failover into Windows RE.
@@ -204,9 +165,9 @@ In some cases, you need to modify TFTP Maximum Block Size settings for performan
Also, there are a few new features related to TFTP performance:
-- **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
-- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
-- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
+- **Scalable buffer management**: Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
+- **Scalable port management**: Provides the capability to service clients with shared UDP port allocation, increasing scalability.
+- **Variable-size transmission window (Variable Windows Extension)**: Improves TFTP performance by allowing the client and server to determine the largest workable window size.
@@ -214,7 +175,6 @@ TFTP changes are now easy to perform.
## Microsoft Deployment Toolkit
-
MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to Configuration Manager.
@@ -242,16 +202,20 @@ MDOP is a suite of technologies available to Software Assurance customers throug
The following components are included in the MDOP suite:
-- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10.
+- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10.
-- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.
+- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.
-- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation.
-- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines.
-- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, and monitor compliance with these policies.
+- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation.
+- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines.
+- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, and monitor compliance with these policies.
For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/).
+
+
## Windows Server Update Services
WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
@@ -274,32 +240,31 @@ For more information on WSUS, see the [Windows Server Update Services Overview](
## Unified Extensible Firmware Interface
-
For many years, BIOS has been the industry standard for booting a PC. BIOS has served us well, but it's time to replace it with something better. **UEFI** is the replacement for BIOS, so it's important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.
### Introduction to UEFI
BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:
-- 16-bit code
-- 1-MB address space
-- Poor performance on ROM initialization
-- MBR maximum bootable disk size of 2.2 TB
+- 16-bit code
+- 1-MB address space
+- Poor performance on ROM initialization
+- MBR maximum bootable disk size of 2.2 TB
As the replacement to BIOS, UEFI has many features that Windows can and will use.
With UEFI, you can benefit from:
-- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
-- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
-- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
-- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
-- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
-- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
-- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
-- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader.
+- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
+- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
+- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
+- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
+- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
+- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
+- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
+- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader.
-### Versions
+### UEFI versions
UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a few machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.
@@ -307,10 +272,10 @@ UEFI Version 2.3.1B is the version required for Windows 8 and later logo complia
In regard to UEFI, hardware is divided into four device classes:
-- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device.
-- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
-- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
-- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS.
+- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device.
+- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
+- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
+- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS.
### Windows support for UEFI
@@ -322,14 +287,14 @@ With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 support
There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:
-- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
-- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
-- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB.
-- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit).
+- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
+- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
+- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB.
+- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit).
For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources.
## Related articles
[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
-[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md)
\ No newline at end of file
+[Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md)
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index dc624bbd9f..aa9a8e5a92 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -8,12 +8,9 @@ brand: windows
metadata:
title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
- services: windows-10
- ms.service: subservice #Required; service per approved list. service slug assigned to your service by ACOM.
- ms.subservice: subservice # Optional; Remove if no subservice is used.
- ms.topic: hub-page # Required
+ ms.topic: hub-page
+ ms.prod: windows-client
ms.collection:
- - windows-10
- highpri
author: dougeby #Required; your GitHub user alias, with correct capitalization.
ms.author: dougeby #Required; microsoft alias of author; optional team alias.
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index c364767760..d93fc2caaf 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -136,25 +136,25 @@
- name: Troubleshoot BitLocker
items:
- name: Troubleshoot BitLocker
- href: information-protection/bitlocker/troubleshoot-bitlocker.md
+ href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
- name: "BitLocker cannot encrypt a drive: known issues"
- href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+ href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
- name: "Enforcing BitLocker policies by using Intune: known issues"
- href: information-protection/bitlocker/ts-bitlocker-intune-issues.md
+ href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
- name: "BitLocker Network Unlock: known issues"
- href: information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
+ href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
- name: "BitLocker recovery: known issues"
- href: information-protection/bitlocker/ts-bitlocker-recovery-issues.md
+ href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
- name: "BitLocker configuration: known issues"
- href: information-protection/bitlocker/ts-bitlocker-config-issues.md
+ href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
- name: Troubleshoot BitLocker and TPM issues
items:
- name: "BitLocker cannot encrypt a drive: known TPM issues"
- href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
+ href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
- name: "BitLocker and TPM: other known issues"
- href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
+ href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
- name: Decode Measured Boot logs to track PCR changes
- href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+ href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
- name: Personal Data Encryption (PDE)
items:
- name: Personal Data Encryption (PDE) overview
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index b923e0d70f..8484e3b795 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -65,13 +65,13 @@
},
"fileMetadata": {
"author":{
- "/identity-protection/hello-for-business/*.md": "paolomatarazzo"
+ "identity-protection/hello-for-business/**/*.md": "paolomatarazzo"
},
"ms.author":{
- "/identity-protection/hello-for-business/*.md": "paoloma"
+ "identity-protection/hello-for-business/**/*.md": "paoloma"
},
"ms.reviewer":{
- "/identity-protection/hello-for-business/*.md": "erikdau"
+ "identity-protection/hello-for-business/**/*.md": "erikdau"
}
},
"template": [],
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 9217ed606d..33c5c76b9f 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,37 +1,23 @@
---
title: Multi-factor Unlock
description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals.
-ms.prod: windows-client
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 03/20/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Multi-factor Unlock
-**Requirements:**
-* Windows Hello for Business deployment (Cloud, Hybrid or On-premises)
-* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
-* Windows 10, version 1709 or newer, or Windows 11
-* Bluetooth, Bluetooth capable phone - optional
+Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
-Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
-
-Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices.
+Windows Hello for Business can be configured with multi-factor device unlock, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock theim.
Which organizations can take advantage of Multi-factor unlock? Those who:
-* Have expressed that PINs alone do not meet their security needs.
-* Want to prevent Information Workers from sharing credentials.
-* Want their organizations to comply with regulatory two-factor authentication policy.
-* Want to retain the familiar Windows sign-in user experience and not settle for a custom solution.
+
+- Have expressed that PINs alone do not meet their security needs
+- Want to prevent Information Workers from sharing credentials
+- Want their organizations to comply with regulatory two-factor authentication policy
+- Want to retain the familiar Windows sign-in user experience and not settle for a custom solution
You enable multi-factor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index d42b632977..721ddca258 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -1,25 +1,18 @@
---
title: Azure Active Directory join cloud only deployment
description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device.
-ms.prod: windows-client
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 06/23/2021
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Azure Active Directory join cloud only deployment
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-cloud.md)]
+
## Introduction
-When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
+When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, then there's no additional configuration needed.
You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
@@ -71,7 +64,11 @@ If you don't use Intune in your organization, then you can disable Windows Hello
Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\\Device\Policies`**
-To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant)
+To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/organization?$select=id
+```
These registry settings are pushed from Intune for user policies:
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index edcdd4c52f..485f602211 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -1,22 +1,11 @@
---
title: Having enough Domain Controllers for Windows Hello for Business deployments
description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
-ms.prod: windows-client
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/20/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Server 2016 or later
- - ✅ Hybrid or On-Premises deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
+ms.topic: article
---
# Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
index 8f6de2d563..b7b06e3193 100644
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
@@ -1,19 +1,10 @@
---
title: Windows Hello and password changes (Windows)
description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
-ms.prod: windows-client
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
ms.date: 07/27/2017
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Windows Hello and password changes
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index df42f82380..c9bc5a12f3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -1,21 +1,10 @@
---
title: Windows Hello biometrics in the enterprise (Windows)
description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
-ms.prod: windows-client
-ms.collection:
- - M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 01/12/2021
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Holographic for Business
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Windows Hello biometrics in the enterprise
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 20352aa60a..3486c444df 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -1,25 +1,15 @@
---
title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business)
description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
-ms.prod: windows-client
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 01/14/2021
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ On-premises deployments
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
+ms.topic: article
---
-# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust
+# Prepare and Deploy Active Directory Federation Services (AD FS)
-Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority.
+Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS). The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority.
The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
@@ -120,6 +110,8 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
## Review & validate
+[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
- Confirm the AD FS farm uses the correct database configuration.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 760d69ed2e..bde42599c7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -1,28 +1,21 @@
---
title: Configure Windows Hello for Business Policy settings - certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings.
-ms.prod: windows-client
ms.collection:
- M365-identity-device-management
- highpri
-ms.topic: article
-localizationpriority: medium
ms.date: 08/20/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ On-premises deployments
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
+ms.topic: article
---
# Configure Windows Hello for Business Policy settings - Certificate Trust
-You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
+[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+
+To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+Install the Remote Server Administration Tools for Windows on a computer running Windows 10 or later.
On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
* Enable Windows Hello for Business
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index c324b543eb..af56ffb943 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -1,25 +1,17 @@
---
title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business)
description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model.
-ms.prod: windows-client
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/19/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ On-premises deployments
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
+ms.topic: article
---
# Validate Active Directory prerequisites for cert-trust deployment
-The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
+[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+
+The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
> [!NOTE]
> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.
@@ -30,7 +22,9 @@ Manually updating Active Directory uses the command-line utility **adprep.exe**
To locate the schema master role holder, open and command prompt and type:
-```Netdom query fsmo | findstr -i “schema”```
+```cmd
+netdom.exe query fsmo | findstr.exe -i "schema"
+```
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index 38589541ad..28d010fbd8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -1,24 +1,16 @@
---
title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust
-ms.prod: windows-client
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/19/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ On-premises deployments
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
+ms.topic: article
---
# Validate and Deploy Multi-Factor Authentication feature
+[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+
Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 15298bba55..4b692280e1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -1,29 +1,21 @@
---
title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business)
description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model.
-ms.prod: windows-client
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/19/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ On-premises deployments
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
+ms.topic: article
---
# Validate and Configure Public Key Infrastructure - Certificate Trust Model
+[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
## Deploy an enterprise certificate authority
-This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
+This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running Active Directory Certificate Services.
### Lab-based public key infrastructure
@@ -34,13 +26,13 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
>[!NOTE]
>Never install a certificate authority on a domain controller in a production environment.
-1. Open an elevated Windows PowerShell prompt.
-2. Use the following command to install the Active Directory Certificate Services role.
+1. Open an elevated Windows PowerShell prompt
+2. Use the following command to install the Active Directory Certificate Services role
```PowerShell
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
```
-3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration.
+3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration
```PowerShell
Install-AdcsCertificationAuthority
```
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index 0c3dce349f..115a1041e1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -1,24 +1,16 @@
---
title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment
description: A guide to on premises, certificate trust Windows Hello for Business deployment.
-ms.prod: windows-client
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/19/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ On-premises deployments
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+- ✅ Windows Server 2016 and later
+ms.topic: article
---
# On Premises Certificate Trust Deployment
+[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+
Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment.
Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index e760eecda3..64b6af4819 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -1,25 +1,13 @@
---
title: Windows Hello for Business Deployment Overview
description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
- - M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 02/15/2022
-ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+ms.topic: article
---
# Windows Hello for Business Deployment Overview
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-
Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index b64a57e89f..8c8fd3b65d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -1,17 +1,10 @@
---
title: Windows Hello for Business Deployment Known Issues
description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues
-params: siblings_only
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 05/03/2021
-ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+ms.topic: article
---
# Windows Hello for Business Known Deployment Issues
@@ -19,12 +12,6 @@ The content of this article is to help troubleshoot and workaround known deploym
## PIN Reset on Azure AD Join Devices Fails with "We can't open that page right now" error
-Applies to:
-
-- Azure AD joined deployments
-- Windows 10, version 1803 and later
-- Windows 11
-
PIN reset on Azure AD-joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now".
### Identifying Azure AD joined PIN Reset Allowed Domains Issue
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
index 770fc668c9..6dfcd9f952 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
@@ -1,30 +1,21 @@
---
title: Windows Hello for Business Deployment Guide - On Premises Key Deployment
description: A guide to on premises, key trust Windows Hello for Business deployment.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/20/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ On-premises deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# On Premises Key Trust Deployment
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment.
Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment:
1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
-3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
+3. [Prepare and Deploy Active Directory Federation Services](hello-key-trust-adfs.md)
4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 282264de1e..af71e186d2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -1,19 +1,13 @@
---
title: Deploy certificates for remote desktop sign-in
description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: erikdau
-ms.collection:
- - M365-identity-device-management
+ms.collection:
- ContentEngagementFY23
-ms.topic: how-to
+ms.topic: article
localizationpriority: medium
ms.date: 11/15/2022
-appliesto:
- - ✅ Windows 10 and later
+appliesto:
+- ✅ Windows 10 and later
ms.technology: itpro-security
---
@@ -61,7 +55,7 @@ Follow these steps to create a certificate template:
| *Compatibility* | - Clear the **Show resulting changes** check box
- Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*
- Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*
|
| *General* | - Specify a **Template display name**, for example *WHfB Certificate Authentication*
- Set the validity period to the desired value
- Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)
|
| *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**|
- | *Subject Name* | - Select the **Build from this Active Directory** information button if it isn't already selected
- Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected
- Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
|
+ | *Subject Name* | - Select the **Build from this Active Directory** information button if it isn't already selected
- Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected
- Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
**Note:** If you deploy certificates via Intune, select **Supply in the request** instead of *Build from this Active Directory*.|
|*Request Handling*|- Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose
- Select the **Renew with same key** check box
- Select **Prompt the user during enrollment**
|
|*Cryptography*|- Set the Provider Category to **Key Storage Provider**
- Set the Algorithm name to **RSA**
- Set the minimum key size to **2048**
- Select **Requests must use one of the following providers**
- Select **Microsoft Software Key Storage Provider**
- Set the Request hash to **SHA256**
|
|*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them|
@@ -139,14 +133,14 @@ This section describes how to configure a SCEP policy in Intune. Similar steps c
| --- | --- |
|*Certificate Type*| User |
|*Subject name format* | `CN={{UserPrincipalName}}` |
- |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `CN={{UserPrincipalName}}`
+ |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `{{UserPrincipalName}}`
|*Certificate validity period* | Configure a value of your choosing|
|*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**
|*Key usage*| **Digital Signature**|
|*Key size (bits)* | **2048**|
|*For Hash algorithm*|**SHA-2**|
|*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate|
- |*Extended key usage*| - *Name:* **Smart Card Logon**
- *Object Identifier:* `1.3.6.1.4.1.311.20.2.2`
- *Predefined Values:* **Smart Card Logon**
- *Name:* **Client Authentication**
- *Object Identifier:* `1.3.6.1.5.5.7.3.2 `
- *Predefined Values:* **Client Authentication**
|
+ |*Extended key usage*| - *Name:* **Smart Card Logon**
- *Object Identifier:* `1.3.6.1.4.1.311.20.2.2`
- *Predefined Values:* **Not configured**
- *Name:* **Client Authentication**
- *Object Identifier:* `1.3.6.1.5.5.7.3.2 `
- *Predefined Values:* **Client Authentication**
|
|*Renewal threshold (%)*|Configure a value of your choosing|
|*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure|
@@ -198,4 +192,4 @@ After obtaining a certificate, users can RDP to any Windows devices in the same
[MEM-5]: /mem/intune/protect/certificates-trusted-root
[MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview
-[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest
\ No newline at end of file
+[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 28bab60966..e1b28aec6f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -1,20 +1,10 @@
---
title: Windows Hello errors during PIN creation (Windows)
description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
- - M365-identity-device-management
ms.topic: troubleshooting
-ms.localizationpriority: medium
ms.date: 05/05/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
---
# Windows Hello errors during PIN creation
diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md
index 32ec0a5204..484985c43d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-event-300.md
+++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md
@@ -1,19 +1,10 @@
---
title: Event ID 300 - Windows Hello successfully created (Windows)
description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
ms.date: 07/27/2017
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Event ID 300 - Windows Hello successfully created
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 919393f45a..f4456c7110 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -18,9 +18,8 @@ metadata:
ms.topic: faq
localizationpriority: medium
ms.date: 11/11/2022
- appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
+ appliesto:
+ - ✅ Windows 10 and later
title: Windows Hello for Business Frequently Asked Questions (FAQ)
summary: |
@@ -211,7 +210,7 @@ sections:
- question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
answer: |
- No. If your organization is federated or using online services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
+ No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
- question: Does Windows Hello for Business prevent the use of simple PINs?
answer: |
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
index 8ac9d29d9f..a96e6d66b5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
@@ -1,16 +1,10 @@
---
title: Conditional Access
description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 09/09/2019
-ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+ms.topic: article
---
# Conditional access
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index 24c66f9452..adfbe58657 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -1,16 +1,10 @@
---
title: Dual Enrollment
description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 09/09/2019
-ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+ms.topic: article
---
# Dual Enrollment
@@ -19,7 +13,6 @@ ms.technology: itpro-security
* Hybrid and On-premises Windows Hello for Business deployments
* Enterprise joined or Hybrid Azure joined devices
-* Windows 10, version 1709 or later
* Certificate trust
> [!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index bb878fcd09..6bae92fc12 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,19 +1,10 @@
---
title: Dynamic lock
description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 07/12/2022
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Dynamic lock
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index b50e72d0ef..313ef05f54 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -1,21 +1,13 @@
---
title: Pin Reset
description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
-ms.topic: article
-localizationpriority: medium
ms.date: 07/29/2022
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# PIN reset
@@ -31,11 +23,6 @@ There are two forms of PIN reset:
There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.
-**Requirements**
-
-- Reset from settings - Windows 10, version 1703 or later, Windows 11
-- Reset above Lock - Windows 10, version 1709 or later, Windows 11
-
Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
@@ -185,7 +172,11 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi
- Value: **True**
>[!NOTE]
-> You must replace `TenantId` with the identifier of your Azure Active Directory tenant.
+> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/organization?$select=id
+```
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 31cdaa7534..2281821bdc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -1,24 +1,15 @@
---
title: Remote Desktop
description: Learn how Windows Hello for Business supports using biometrics with remote desktop
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 02/24/2021
-ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+ms.topic: article
---
# Remote Desktop
**Requirements**
-
-- Windows 10
-- Windows 11
- Hybrid and On-premises Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index d3817c3e30..27dde9400e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -1,19 +1,10 @@
---
title: How Windows Hello for Business works - Authentication
description: Learn about the authentication flow for Windows Hello for Business.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 02/15/2022
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Windows Hello for Business and Authentication
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index ab75ccda70..6d250848d5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -1,19 +1,10 @@
---
title: How Windows Hello for Business works - Provisioning
description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 2/15/2022
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Windows Hello for Business Provisioning
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 719c27216d..ad5eec8634 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -1,19 +1,10 @@
---
title: How Windows Hello for Business works - technology and terms
description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 10/08/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Technology and terms
@@ -158,7 +149,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t
## Federated environment
-Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
+Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
### Related to federated environment
@@ -194,7 +185,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr
## Hybrid deployment
-The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
+The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
### Related to hybrid deployment
@@ -269,7 +260,7 @@ The Windows Hello for Business on-premises deployment is for organizations that
## Pass-through authentication
-Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
+Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Azure AD. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
### Related to pass-through authentication
@@ -283,7 +274,7 @@ Pass-through authentication provides a simple password validation for Azure AD a
## Password hash sync
-Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
+Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
### Related to password hash sync
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 03559c9e2e..9f3670151c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -1,18 +1,10 @@
---
title: How Windows Hello for Business works
description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 05/05/2018
-appliesto:
- - ✅ Windows 10 and later
-ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+ms.topic: article
---
# How Windows Hello for Business works in Windows Devices
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index ce22c81e4f..a53b5977d6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -1,25 +1,15 @@
---
title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
- - M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 01/14/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Azure Active Directory-join
- - ✅ Hybrid Deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
+
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)]
+
## Prerequisites
Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 441651ecdb..1b222da4f8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -1,26 +1,16 @@
---
-title: Using Certificates for AADJ On-premises Single-sign On single sign-on
+title: Use Certificates to enable SSO for Azure AD join devices
description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/19/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Azure AD-join
- - ✅ Hybrid Deployment
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Using Certificates for AADJ On-premises Single-sign On
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-aad.md)]
+
If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices.
> [!IMPORTANT]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 8d2c2d3eb7..1acc6aa213 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -1,22 +1,15 @@
---
title: Azure AD Join Single Sign-on Deployment
description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/19/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Azure AD Join Single Sign-on Deployment
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)]
+
Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate.
## Key vs. Certificate
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
index d68fe373c4..234f257566 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
@@ -1,24 +1,15 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business)
description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies
- [Active Directory](#active-directory)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 912929f030..997dbea6e9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -1,24 +1,15 @@
---
title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business)
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)]
+
Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.
> [!IMPORTANT]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index f3bd6859f8..56e0d50918 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -1,24 +1,15 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Prerequisites
description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Hybrid Azure AD joined Windows Hello for Business Prerequisites
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index fbf527bf4b..caf8cfe867 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -1,39 +1,30 @@
---
title: Hybrid Certificate Trust Deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 09/08/2017
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Hybrid Azure AD joined Certificate Trust Deployment
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
-This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment.
+This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment.
## New Deployment Baseline
-The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
+The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
## Federated Baseline
-The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment.
+The federated baseline helps organizations that have completed their federation with Azure Active Directory and enables them to introduce Windows Hello for Business into their hybrid environment. This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment.
Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 191ad50880..fa4284edd5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -1,24 +1,15 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
index 82c2369b6c..748cc46a44 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@@ -1,24 +1,15 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD)
description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema.
### Creating Security Groups
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 55a8c1fe51..83988357c9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -1,24 +1,15 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS)
description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
## Federation Services
The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 9340b2698b..5002843385 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -1,25 +1,16 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch
description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
## Directory Synchronization
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 0c6e6e4808..98725d74b3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -1,25 +1,16 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI)
description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer.
All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index 9665843315..ad8ff6984f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -1,24 +1,14 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy
description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)]
## Policy Configuration
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
index 68da777df7..360f679614 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
@@ -1,24 +1,15 @@
---
title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Certificate trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model.
> [!IMPORTANT]
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index d9cd8d2065..d8063e6127 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -1,29 +1,14 @@
---
title: Hybrid cloud Kerberos trust deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 11/1/2022
-appliesto:
- - ✅ Windows 10, version 21H2 and later
-ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10, version 21H2 and later
+ms.topic: article
---
# Hybrid cloud Kerberos trust deployment
-This document describes Windows Hello for Business functionalities or scenarios that apply to:\
-✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\
-✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md)\
-✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join)
-
-
-
----
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cloudkerb-trust.md)]
Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 98e359fe83..32f0d91fc6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -1,24 +1,15 @@
---
title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies
- [Active Directory](#active-directory)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index 60421b9698..e6d1d3275c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -1,24 +1,15 @@
---
title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business)
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 05/04/2022
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
> [!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
index 883e949f0a..18df532ca9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
@@ -1,24 +1,15 @@
---
title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business)
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises.
## Deploy Azure AD Connect
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index a91f625b7b..17e3fe7e61 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -1,24 +1,16 @@
---
title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites
-Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
+Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
@@ -33,7 +25,7 @@ The distributed systems on which these technologies were built involved several
Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
-A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment does not need a premium Azure Active Directory subscription.
+A hybrid Windows Hello for Business deployment requires Azure Active Directory. The hybrid key trust deployment does not need a premium Azure Active Directory subscription.
You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.
If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
@@ -113,7 +105,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication.
-Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
+Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS.
### Section Review
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index addf5f5a20..9ab687ded9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -1,33 +1,24 @@
---
title: Hybrid Key Trust Deployment (Windows Hello for Business)
description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/20/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Hybrid Azure AD joined Key Trust Deployment
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
-This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment.
+This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD. These two scenarios provide a baseline from which you can begin your deployment.
## New Deployment Baseline ##
-The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
+The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 85b0134eed..b5c704fb93 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -1,23 +1,15 @@
---
title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business)
description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning
+
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
index eefcf80dae..cb30af909d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
@@ -1,24 +1,14 @@
---
title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD)
description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD)
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
-ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory
-appliesto:
-- ✅ Windows 10
-- ✅ Windows 11
-- ✅ Hybrid deployment
-- ✅ Key trust
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)]
Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index 4a6cacda34..f19aab257d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -1,27 +1,18 @@
---
title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization
description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
## Directory Synchronization
-In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
+In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure AD. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
### Group Memberships for the Azure AD Connect Service Account
>[!IMPORTANT]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 7d80a9ac21..a824e822fe 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -1,24 +1,15 @@
---
title: Configure Hybrid Azure AD joined key trust Windows Hello for Business
description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI)
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 04/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
All deployments use enterprise issued certificates for domain controllers as a root of trust.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 6d891a5b53..333f505d95 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -1,24 +1,15 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
description: Configuring Hybrid key trust Windows Hello for Business - Group Policy
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)]
+
## Policy Configuration
You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index 48fe302c63..5e24b6de2c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -1,26 +1,17 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings
description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 4/30/2021
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Hybrid deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Hybrid Azure AD joined Windows Hello for Business key trust settings
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business.
-
+
> [!IMPORTANT]
> Ensure your environment meets all the [prerequisites](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 1b10ff4e76..37b6335a50 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -1,18 +1,13 @@
---
title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
-ms.topic: article
-localizationpriority: medium
ms.date: 2/15/2022
-ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+ms.topic: article
---
# Windows Hello for Business Deployment Prerequisite Overview
@@ -21,7 +16,6 @@ This article lists the infrastructure requirements for the different deployment
## Azure AD Cloud Only Deployment
-* Windows 10, version 1511 or later, or Windows 11
* Microsoft Azure Account
* Azure Active Directory
* Azure AD Multifactor Authentication
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index b9d46ebca9..4a8dc18965 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -1,24 +1,15 @@
---
title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business)
description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/19/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ On-premises deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration.
The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 090e46cd72..c618365d4e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -1,28 +1,18 @@
---
title: Configure Windows Hello for Business Policy settings - key trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/19/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ On-premises deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Configure Windows Hello for Business Policy settings - Key Trust
-You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
-Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
+To run the Group Policy Management Console from a Windows client, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+
+Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows client installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index a7cf2a4367..57080612a2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -1,25 +1,16 @@
---
title: Key registration for on-premises deployment of Windows Hello for Business
description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/19/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ On-premises deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Validate Active Directory prerequisites - Key Trust
-Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
+Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
> [!NOTE]
>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 42ee5bdd01..046acb3df3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -1,24 +1,15 @@
---
title: Validate and Deploy MFA for Windows Hello for Business with key trust
description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/19/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ On-premises deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Validate and Deploy Multifactor Authentication (MFA)
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
> [!IMPORTANT]
> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 5a4c114b16..c3a9226714 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -1,24 +1,15 @@
---
title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business)
description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/19/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ On-premises deployment
- - ✅ Key trust
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Validate and Configure Public Key Infrastructure - Key Trust
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.
## Deploy an enterprise certificate authority
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index ef4ec913e4..2d83fca7b3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -1,31 +1,21 @@
---
title: Manage Windows Hello in your organization (Windows)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
-ms.topic: article
-ms.localizationpriority: medium
ms.date: 2/15/2022
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Manage Windows Hello for Business in your organization
-You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
+You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices.
>[!IMPORTANT]
->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
->
->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
+>Windows Hello as a convenience PIN is disabled by default on all domain joined and Azure AD joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
>
>Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.
@@ -144,9 +134,10 @@ All PIN complexity policies are grouped separately from feature enablement and a
>- LowercaseLetters - 1
>- SpecialCharacters - 1
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index eb85e9ca3b..87ec948d71 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -1,25 +1,16 @@
---
title: Windows Hello for Business Overview (Windows)
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
ms.collection:
- M365-identity-device-management
- highpri
ms.topic: conceptual
-localizationpriority: medium
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
- - ✅ Windows Holographic for Business
-ms.technology: itpro-security
+- ✅ Windows 10 and later
---
# Windows Hello for Business Overview
-In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
+Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN.
>[!NOTE]
> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 36ba184666..c3c5912b26 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -1,20 +1,10 @@
---
title: Planning a Windows Hello for Business Deployment
description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
- - M365-identity-device-management
-ms.topic: article
-localizationpriority: conceptual
ms.date: 09/16/2020
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Planning a Windows Hello for Business Deployment
@@ -189,9 +179,9 @@ Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2
Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers.
-One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust).
+One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers and needing to enroll certificates for all their users (certificate trust).
-Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect.
+Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect.
If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 78291dadbd..69e4a380e5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -1,19 +1,10 @@
---
title: Prepare people to use Windows Hello (Windows)
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 08/19/2018
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Prepare people to use Windows Hello
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index 3a99c148bd..bf6f5a4ea0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -1,19 +1,10 @@
---
title: Windows Hello for Business Videos
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 07/26/2022
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Windows Hello for Business Videos
## Overview of Windows Hello for Business and Features
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 68cc9b2ecd..f2ba4fd368 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -1,26 +1,18 @@
---
title: Why a PIN is better than an online password (Windows)
-description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
+description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password.
ms.collection:
- M365-identity-device-management
- highpri
-ms.topic: article
-ms.localizationpriority: medium
ms.date: 10/23/2017
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# Why a PIN is better than an online password
-Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password?
-On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password.
+Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password?
+On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password.
Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password.
diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
index a446e2b52f..6d5ad8dea5 100644
--- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
@@ -1,16 +1,10 @@
---
title: Microsoft-compatible security key
description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 11/14/2018
-ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+ms.topic: article
---
# What is a Microsoft-compatible security key?
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 5c2b1147af..a18a0b3aeb 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -1,24 +1,15 @@
---
title: Password-less strategy
description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
ms.topic: conceptual
-localizationpriority: medium
ms.date: 05/24/2022
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
---
# Password-less strategy
-This article describes Windows' password-less strategy. Learn how Windows Hello for Business implements this strategy in Windows 10 and Windows 11.
+This article describes Windows' password-less strategy and how Windows Hello for Business implements this strategy.
## Four steps to password freedom
@@ -309,7 +300,7 @@ The following image shows the SCRIL setting for a user in Active Directory Users
:::image type="content" source="images/passwordless/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options.":::
-When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level don't expire. The users are effectively password-less because:
+When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Users will no longer need to change their password when it expires, because passwords for SCRIL users don't expire. The users are effectively password-less because:
- They don't know their password.
- Their password is 128 random bits of data and is likely to include non-typable characters.
diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md
index bf8a6a57bf..366a317f73 100644
--- a/windows/security/identity-protection/hello-for-business/reset-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md
@@ -1,16 +1,10 @@
---
title: Reset-security-key
description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 11/14/2018
-ms.technology: itpro-security
+appliesto:
+- ✅ Windows 10 and later
+ms.topic: article
---
# How to reset a Microsoft-compatible security key?
> [!Warning]
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index 4653d23331..5aa1fcad6a 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -1,17 +1,11 @@
---
title: How Windows Hello for Business works (Windows)
description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
-ms.prod: windows-client
-ms.localizationpriority: high
-author: paolomatarazzo
-ms.author: paoloma
ms.date: 10/16/2017
-manager: aaroncz
-ms.topic: article
appliesto:
- ✅ Windows 10
- ✅ Windows 11
-ms.technology: itpro-security
+ms.topic: article
---
# How Windows Hello for Business works in Windows devices
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 2c22050ab0..502a196109 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -1,13 +1,11 @@
- name: Windows Hello for Business documentation
href: index.yml
-- name: Overview
- items:
- - name: Windows Hello for Business Overview
- href: hello-overview.md
- name: Concepts
expanded: true
items:
- - name: Passwordless Strategy
+ - name: Windows Hello for Business overview
+ href: hello-overview.md
+ - name: Passwordless strategy
href: passwordless-strategy.md
- name: Why a PIN is better than a password
href: hello-why-pin-is-better-than-password.md
@@ -15,129 +13,160 @@
href: hello-biometrics-in-enterprise.md
- name: How Windows Hello for Business works
href: hello-how-it-works.md
- - name: Technical Deep Dive
- items:
- - name: Provisioning
- href: hello-how-it-works-provisioning.md
- - name: Authentication
- href: hello-how-it-works-authentication.md
- - name: WebAuthn APIs
- href: webauthn-apis.md
-- name: How-to Guides
+- name: Deployment guides
items:
- - name: Windows Hello for Business Deployment Overview
+ - name: Windows Hello for Business deployment overview
href: hello-deployment-guide.md
- - name: Planning a Windows Hello for Business Deployment
+ - name: Planning a Windows Hello for Business deployment
href: hello-planning-guide.md
- - name: Deployment Prerequisite Overview
+ - name: Deployment prerequisite overview
href: hello-identity-verification.md
- - name: Prepare people to use Windows Hello
- href: hello-prepare-people-to-use.md
- - name: Deployment Guides
+ - name: Cloud-only deployment
+ href: hello-aad-join-cloud-only-deploy.md
+ - name: Hybrid deployments
items:
- - name: Hybrid Cloud Kerberos Trust Deployment
+ - name: Cloud Kerberos trust deployment
href: hello-hybrid-cloud-kerberos-trust.md
- - name: Hybrid Azure AD Joined Key Trust
+ - name: Key trust deployment
items:
- - name: Hybrid Azure AD Joined Key Trust Deployment
+ - name: Overview
href: hello-hybrid-key-trust.md
- name: Prerequisites
href: hello-hybrid-key-trust-prereqs.md
- - name: New Installation Baseline
+ - name: New installation baseline
href: hello-hybrid-key-new-install.md
- - name: Configure Directory Synchronization
+ - name: Configure directory synchronization
href: hello-hybrid-key-trust-dirsync.md
- - name: Configure Azure Device Registration
+ - name: Configure Azure AD device registration
href: hello-hybrid-key-trust-devreg.md
- name: Configure Windows Hello for Business settings
- href: hello-hybrid-key-whfb-settings.md
- - name: Sign-in and Provisioning
+ items:
+ - name: Overview
+ href: hello-hybrid-key-whfb-settings.md
+ - name: Configure Active Directory
+ href: hello-hybrid-key-whfb-settings-ad.md
+ - name: Configure Azure AD Connect Sync
+ href: hello-hybrid-key-whfb-settings-dir-sync.md
+ - name: Configure PKI
+ href: hello-hybrid-key-whfb-settings-pki.md
+ - name: Configure Group Policy settings
+ href: hello-hybrid-key-whfb-settings-policy.md
+ - name: Sign-in and provision Windows Hello for Business
href: hello-hybrid-key-whfb-provision.md
- - name: Hybrid Azure AD Joined Certificate Trust
+ - name: On-premises SSO for Azure AD joined devices
+ href: hello-hybrid-aadj-sso.md
+ - name: Configure Azure AD joined devices for on-premises SSO
+ href: hello-hybrid-aadj-sso-base.md
+ - name: Certificate trust deployment
items:
- - name: Hybrid Azure AD Joined Certificate Trust Deployment
+ - name: Overview
href: hello-hybrid-cert-trust.md
- name: Prerequisites
href: hello-hybrid-cert-trust-prereqs.md
- - name: New Installation Baseline
+ - name: New installation baseline
href: hello-hybrid-cert-new-install.md
- - name: Configure Azure Device Registration
+ - name: Configure Azure AD device registration
href: hello-hybrid-cert-trust-devreg.md
- name: Configure Windows Hello for Business settings
- href: hello-hybrid-cert-whfb-settings.md
- - name: Sign-in and Provisioning
+ items:
+ - name: Overview
+ href: hello-hybrid-cert-whfb-settings.md
+ - name: Configure Active Directory
+ href: hello-hybrid-cert-whfb-settings-ad.md
+ - name: Configure Azure AD Connect Sync
+ href: hello-hybrid-cert-whfb-settings-dir-sync.md
+ - name: Configure PKI
+ href: hello-hybrid-cert-whfb-settings-pki.md
+ - name: Configure AD FS
+ href: hello-hybrid-cert-whfb-settings-adfs.md
+ - name: Configure Group Policy settings
+ href: hello-hybrid-cert-whfb-settings-policy.md
+ - name: Sign-in and provision Windows Hello for Business
href: hello-hybrid-cert-whfb-provision.md
- - name: On-premises SSO for Azure AD Joined Devices
- items:
- - name: On-premises SSO for Azure AD Joined Devices Deployment
+ - name: On-premises SSO for Azure AD joined devices
href: hello-hybrid-aadj-sso.md
- - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+ - name: Configure Azure AD joined devices for on-premises SSO
href: hello-hybrid-aadj-sso-base.md
- - name: Using Certificates for AADJ On-premises Single-sign On
+ - name: Using certificates for on-premises SSO
href: hello-hybrid-aadj-sso-cert.md
- - name: On-premises Key Trust
+ - name: Planning for Domain Controller load
+ href: hello-adequate-domain-controllers.md
+ - name: On-premises deployments
+ items:
+ - name: Key trust deployment
items:
- - name: On-premises Key Trust Deployment
+ - name: Overview
href: hello-deployment-key-trust.md
- - name: Validate Active Directory Prerequisites
+ - name: Validate Active Directory prerequisites
href: hello-key-trust-validate-ad-prereq.md
- - name: Validate and Configure Public Key Infrastructure
+ - name: Validate and configure Public Key Infrastructure (PKI)
href: hello-key-trust-validate-pki.md
- - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ - name: Prepare and deploy Active Directory Federation Services (AD FS)
href: hello-key-trust-adfs.md
- - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ - name: Validate and deploy multi-factor authentication (MFA) services
href: hello-key-trust-validate-deploy-mfa.md
- name: Configure Windows Hello for Business policy settings
href: hello-key-trust-policy-settings.md
- - name: On-premises Certificate Trust
+ - name: Certificate trust deployment
items:
- - name: On-premises Certificate Trust Deployment
+ - name: Overview
href: hello-deployment-cert-trust.md
- - name: Validate Active Directory Prerequisites
+ - name: Validate Active Directory prerequisites
href: hello-cert-trust-validate-ad-prereq.md
- - name: Validate and Configure Public Key Infrastructure
+ - name: Validate and configure Public Key Infrastructure (PKI)
href: hello-cert-trust-validate-pki.md
- - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ - name: Prepare and Deploy Active Directory Federation Services (AD FS)
href: hello-cert-trust-adfs.md
- - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ - name: Validate and deploy multi-factor authentication (MFA) services
href: hello-cert-trust-validate-deploy-mfa.md
- name: Configure Windows Hello for Business policy settings
href: hello-cert-trust-policy-settings.md
- - name: Azure AD join cloud only deployment
- href: hello-aad-join-cloud-only-deploy.md
- - name: Managing Windows Hello for Business in your organization
- href: hello-manage-in-organization.md
- - name: Deploying Certificates to Key Trust Users to Enable RDP
- href: hello-deployment-rdp-certs.md
- - name: Windows Hello for Business Features
- items:
- - name: Conditional Access
- href: hello-feature-conditional-access.md
- - name: PIN Reset
- href: hello-feature-pin-reset.md
- - name: Dual Enrollment
- href: hello-feature-dual-enrollment.md
- - name: Dynamic Lock
- href: hello-feature-dynamic-lock.md
- - name: Multi-factor Unlock
- href: feature-multifactor-unlock.md
- - name: Remote Desktop
- href: hello-feature-remote-desktop.md
- - name: Troubleshooting
- items:
- - name: Known Deployment Issues
- href: hello-deployment-issues.md
- - name: Errors During PIN Creation
- href: hello-errors-during-pin-creation.md
- - name: Event ID 300 - Windows Hello successfully created
- href: hello-event-300.md
- - name: Windows Hello and password changes
- href: hello-and-password-changes.md
+ - name: Planning for Domain Controller load
+ href: hello-adequate-domain-controllers.md
+ - name: Deploy certificates for remote desktop (RDP) sign-in
+ href: hello-deployment-rdp-certs.md
+- name: How-to Guides
+ items:
+ - name: Prepare people to use Windows Hello
+ href: hello-prepare-people-to-use.md
+ - name: Manage Windows Hello for Business in your organization
+ href: hello-manage-in-organization.md
+- name: Windows Hello for Business features
+ items:
+ - name: Conditional access
+ href: hello-feature-conditional-access.md
+ - name: PIN Reset
+ href: hello-feature-pin-reset.md
+ - name: Dual Enrollment
+ href: hello-feature-dual-enrollment.md
+ - name: Dynamic Lock
+ href: hello-feature-dynamic-lock.md
+ - name: Multi-factor Unlock
+ href: feature-multifactor-unlock.md
+ - name: Remote desktop (RDP) sign-in
+ href: hello-feature-remote-desktop.md
+- name: Troubleshooting
+ items:
+ - name: Known deployment issues
+ href: hello-deployment-issues.md
+ - name: Errors during PIN creation
+ href: hello-errors-during-pin-creation.md
+ - name: Event ID 300 - Windows Hello successfully created
+ href: hello-event-300.md
+ - name: Windows Hello and password changes
+ href: hello-and-password-changes.md
- name: Reference
items:
- - name: Technology and Terminology
+ - name: How Windows Hello for Business provisioning works
+ href: hello-how-it-works-provisioning.md
+ - name: How Windows Hello for Business authentication works
+ href: hello-how-it-works-authentication.md
+ - name: WebAuthn APIs
+ href: webauthn-apis.md
+ - name: Technology and terminology
href: hello-how-it-works-technology.md
- name: Frequently Asked Questions (FAQ)
href: hello-faq.yml
- name: Windows Hello for Business videos
href: hello-videos.md
+
diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
index afac158d28..534fddf6ee 100644
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@@ -1,19 +1,10 @@
---
title: WebAuthn APIs
description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
-ms.prod: windows-client
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
ms.date: 09/15/2022
appliesto:
- - ✅ Windows 10
- - ✅ Windows 11
-ms.technology: itpro-security
+- ✅ Windows 10 and later
+ms.topic: article
---
# WebAuthn APIs for passwordless authentication on Windows
diff --git a/windows/security/includes/hello-cloud.md b/windows/security/includes/hello-cloud.md
new file mode 100644
index 0000000000..c40ed1027c
--- /dev/null
+++ b/windows/security/includes/hello-cloud.md
@@ -0,0 +1,7 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [cloud](../identity-protection/hello-for-business/hello-how-it-works-technology.md#cloud-deployment)\
+✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join)
+
+
+
+---
diff --git a/windows/security/includes/hello-hybrid-cert-trust-aad.md b/windows/security/includes/hello-hybrid-cert-trust-aad.md
new file mode 100644
index 0000000000..e80912d8b9
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-cert-trust-aad.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
+✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join)
+
+
+
+---
diff --git a/windows/security/includes/hello-hybrid-cert-trust-ad.md b/windows/security/includes/hello-hybrid-cert-trust-ad.md
new file mode 100644
index 0000000000..4ef97bd233
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-cert-trust-ad.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
+✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join)
+
+
+
+---
diff --git a/windows/security/includes/hello-hybrid-cert-trust.md b/windows/security/includes/hello-hybrid-cert-trust.md
new file mode 100644
index 0000000000..77a897f264
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-cert-trust.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
+✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join)
+
+
+
+---
diff --git a/windows/security/includes/hello-hybrid-cloudkerb-trust.md b/windows/security/includes/hello-hybrid-cloudkerb-trust.md
new file mode 100644
index 0000000000..4f68be791b
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-cloudkerb-trust.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [cloud Kerberos trust](../identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md)\
+✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join)
+
+
+
+---
diff --git a/windows/security/includes/hello-hybrid-key-trust-ad.md b/windows/security/includes/hello-hybrid-key-trust-ad.md
new file mode 100644
index 0000000000..68521a5a14
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-key-trust-ad.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\
+✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join)
+
+
+
+---
diff --git a/windows/security/includes/hello-hybrid-key-trust.md b/windows/security/includes/hello-hybrid-key-trust.md
new file mode 100644
index 0000000000..fdb7466014
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-key-trust.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\
+✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join)
+
+
+
+---
diff --git a/windows/security/includes/hello-hybrid-keycert-trust-aad.md b/windows/security/includes/hello-hybrid-keycert-trust-aad.md
new file mode 100644
index 0000000000..a8d82200d3
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-keycert-trust-aad.md
@@ -0,0 +1,7 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust), [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
+✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join)
+
+
+---
diff --git a/windows/security/includes/hello-on-premises-cert-trust.md b/windows/security/includes/hello-on-premises-cert-trust.md
new file mode 100644
index 0000000000..2cc01ac3ac
--- /dev/null
+++ b/windows/security/includes/hello-on-premises-cert-trust.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\
+✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
+✅ **Device registration type:** Active Directory domain join
+
+
+
+---
diff --git a/windows/security/includes/hello-on-premises-key-trust.md b/windows/security/includes/hello-on-premises-key-trust.md
new file mode 100644
index 0000000000..cd6241fa72
--- /dev/null
+++ b/windows/security/includes/hello-on-premises-key-trust.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\
+✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\
+✅ **Device registration type:** Active Directory domain join
+
+
+
+---
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
index 715efe3b61..df826bda53 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
@@ -3,8 +3,8 @@ metadata:
title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
- ms.reviewer:
- ms.prod: m365-security
+ ms.prod: windows-client
+ ms.technology: itpro-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
@@ -21,7 +21,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker and Active Directory Domain Services (AD DS) FAQ
summary: |
- *Applies to:*
+ **Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index e277229e21..a2047fc5a1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -17,7 +17,7 @@ ms.technology: itpro-security
# BitLocker basic deployment
-*Applies to:*
+**Applies to:**
- Windows 10
- Windows 11
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 58f5c7fe83..7a8377aceb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -17,7 +17,7 @@ ms.technology: itpro-security
# BitLocker Countermeasures
-*Applies to:*
+**Applies to:**
- Windows 10
- Windows 11
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
index 114aaf78b1..39701f8123 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
@@ -4,7 +4,8 @@ metadata:
description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
- ms.prod: m365-security
+ ms.prod: windows-client
+ ms.technology: itpro-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
@@ -19,7 +20,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ)
summary: |
- *Applies to:*
+ **Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index 9e7aba3ca0..d3643ab0fe 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -15,7 +15,7 @@ ms.technology: itpro-security
# BitLocker deployment comparison
-*Applies to:*
+**Applies to:**
- Windows 10
- Windows 11
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 5b4d79dcc1..82fb89a4d8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -17,7 +17,7 @@ ms.technology: itpro-security
# Overview of BitLocker Device Encryption in Windows
-*Applies to:*
+**Applies to:**
- Windows 10
- Windows 11
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
index 6e5641e175..46ab64d09d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@@ -4,7 +4,8 @@ metadata:
description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
- ms.prod: m365-security
+ ms.prod: windows-client
+ ms.technology: itpro-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
@@ -21,7 +22,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker frequently asked questions (FAQ) resources
summary: |
- *Applies to:*
+ **Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 58f19b4708..a082bdcca9 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -18,7 +18,7 @@ ms.technology: itpro-security
# BitLocker group policy settings
-*Applies to:*
+**Applies to:**
- Windows 10
- Windows 11
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
index 6e918604ba..bdf2e0b538 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@@ -16,7 +16,7 @@ ms.technology: itpro-security
# BitLocker: How to deploy on Windows Server 2012 and later
-*Applies to:*
+**Applies to:**
- Windows Server 2012
- Windows Server 2012 R2
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 37481aac1c..dd8cc3e8c7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -17,7 +17,7 @@ ms.technology: itpro-security
# BitLocker: How to enable Network Unlock
-*Applies to:*
+**Applies to:**
- Windows 10
- Windows 11
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
index 4ab3545f1c..b7aa1ae889 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
@@ -3,8 +3,8 @@ metadata:
title: BitLocker Key Management FAQ (Windows 10)
description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
- ms.reviewer:
- ms.prod: m365-security
+ ms.prod: windows-client
+ ms.technology: itpro-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
@@ -19,7 +19,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker Key Management FAQ
summary: |
- *Applies to:*
+ **Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
index a9ce4e3c24..7129c50889 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
@@ -2,7 +2,8 @@
metadata:
title: BitLocker Network Unlock FAQ (Windows 10)
description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments.
- ms.prod: m365-security
+ ms.prod: windows-client
+ ms.technology: itpro-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
@@ -18,7 +19,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker Network Unlock FAQ
summary: |
- *Applies to:*
+ **Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
index 523a647b0c..c8bea939c1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@@ -3,8 +3,8 @@ metadata:
title: BitLocker overview and requirements FAQ (Windows 10)
description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
- ms.reviewer:
- ms.prod: m365-security
+ ms.prod: windows-client
+ ms.technology: itpro-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
@@ -21,7 +21,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker Overview and Requirements FAQ
summary: |
- *Applies to:*
+ **Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 8d97d00a81..de852a1f48 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -17,7 +17,7 @@ ms.technology: itpro-security
# BitLocker
-*Applies to:*
+**Applies to:**
- Windows 10
- Windows 11
@@ -97,6 +97,6 @@ When installing the BitLocker optional component on a server, the Enhanced Stora
| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This article describes the BCD settings that are used by BitLocker.|
| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This article describes how to recover BitLocker keys from AD DS. |
| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device's configuration. |
-| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
+| [Troubleshoot BitLocker](/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This article describes how to protect CSVs and SANs with BitLocker.|
| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This article describes how to use BitLocker with Windows IoT Core |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 752d1dd02c..efdcd705e7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -18,7 +18,7 @@ ms.custom: bitlocker
# BitLocker recovery guide
-*Applies to:*
+**Applies to:**
- Windows 10
- Windows 11
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
index 6a6cdc9974..04035cd1cb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
@@ -3,8 +3,8 @@ metadata:
title: BitLocker Security FAQ (Windows 10)
description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?"
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
- ms.reviewer:
- ms.prod: m365-security
+ ms.prod: windows-client
+ ms.technology: itpro-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
@@ -19,7 +19,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker Security FAQ
summary: |
- *Applies to:*
+ **Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
index a1532c98f9..1ab54f3689 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
@@ -3,9 +3,9 @@ metadata:
title: BitLocker To Go FAQ (Windows 10)
description: "Learn more about BitLocker To Go"
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
- ms.reviewer:
+ ms.prod: windows-client
+ ms.technology: itpro-security
ms.author: frankroj
- ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -19,7 +19,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker To Go FAQ
summary: |
- *Applies to:*
+ **Applies to:**
- Windows 10
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
index f0557ad08a..2ab78a0734 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
@@ -2,7 +2,8 @@
metadata:
title: BitLocker Upgrading FAQ (Windows 10)
description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
- ms.prod: m365-security
+ ms.prod: windows-client
+ ms.technology: itpro-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
@@ -18,7 +19,7 @@ metadata:
ms.custom: bitlocker
title: BitLocker Upgrading FAQ
summary: |
- *Applies to:*
+ **Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index c88e87b23c..573fcb0e51 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -18,7 +18,7 @@ ms.technology: itpro-security
# BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker
-*Applies to:*
+**Applies to:**
- Windows 10
- Windows 11
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index 3101c1d0bd..4fedd8f3d5 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -18,7 +18,7 @@ ms.technology: itpro-security
# BitLocker: Use BitLocker Recovery Password Viewer
-*Applies to:*
+**Applies to:**
- Windows 10
- Windows 11
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
index 8d97492f5a..64f9160f29 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
@@ -3,8 +3,8 @@ metadata:
title: Using BitLocker with other programs FAQ (Windows 10)
description: Learn how to integrate BitLocker with other software on a device.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
- ms.reviewer:
- ms.prod: m365-security
+ ms.prod: windows-client
+ ms.technology: itpro-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
@@ -19,7 +19,7 @@ metadata:
ms.custom: bitlocker
title: Using BitLocker with other programs FAQ
summary: |
- *Applies to:*
+ **Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index a76b56a2d3..56026fd192 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -17,7 +17,7 @@ ms.technology: itpro-security
# Prepare an organization for BitLocker: Planning and policies
-*Applies to:*
+**Applies to:**
- Windows 10
- Windows 11
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index ad33dd9dfd..edf5fd84f3 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -16,7 +16,7 @@ ms.technology: itpro-security
# Protecting cluster shared volumes and storage area networks with BitLocker
-*Applies to:*
+**Applies to:**
- Windows Server 2016 and above
diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
deleted file mode 100644
index 3a2eab807c..0000000000
--- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
+++ /dev/null
@@ -1,152 +0,0 @@
----
-title: Guidelines for troubleshooting BitLocker
-description: Describes approaches for investigating BitLocker issues, including how to gather diagnostic information
-ms.reviewer: kaushika
-ms.technology: itpro-security
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 11/08/2022
-ms.custom: bitlocker
----
-
-# Guidelines for troubleshooting BitLocker
-
-This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides information such as what data to collect and what settings to check. This information makes the troubleshooting process much easier.
-
-## Review the event logs
-
-Open **Event Viewer** and review the following logs under **Applications and Services Logs** > **Microsoft** > **Windows**:
-
-- **BitLocker-API**. Review the **Management** log, the **Operational** log, and any other logs that are generated in this folder. The default logs have the following unique names:
-
- - **Microsoft-Windows-BitLocker-API/Management**
- - **Microsoft-Windows-BitLocker-API/Operational**
- - **Microsoft-Windows-BitLocker-API/Tracing** - only displayed when **Show Analytic and Debug Logs** is enabled
-
-- **BitLocker-DrivePreparationTool**. Review the **Admin** log, the **Operational** log, and any other logs that are generated in this folder. The default logs have the following unique names:
-
- - **Microsoft-Windows-BitLocker-DrivePreparationTool/Admin**
- - **Microsoft-Windows-BitLocker-DrivePreparationTool/Operational**
-
-Additionally, review the **Windows Logs** > **System** log for events that were produced by the TPM and TPM-WMI event sources.
-
-To filter and display or export logs, the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6&preserve-view=true) PowerShell cmdlet can be used.
-
-For example, to use `wevtutil.exe` to export the contents of the operational log from the BitLocker-API folder to a text file that is named `BitLockerAPIOpsLog.txt`, open a Command Prompt window, and run the following command:
-
-```cmd
-wevtutil.exe qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt
-```
-
-To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows PowerShell window and run the following command:
-
-```powershell
-Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational" | Export-Csv -Path Bitlocker-Operational.csv
-```
-
-The Get-WinEvent can be used in an elevated PowerShell window to display filtered information from the system or application log by using the following syntax:
-
-- To display BitLocker-related information:
-
- ```powershell
- Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | fl
- ```
-
- The output of such a command resembles the following.
-
- 
-
-- To export BitLocker-related information:
-
- ```powershell
- Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | Export-Csv -Path System-BitLocker.csv
- ```
-
-- To display TPM-related information:
-
- ```powershell
- Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | fl
- ```
-
-- To export TPM-related information:
-
- ```powershell
- Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | Export-Csv -Path System-TPM.csv
- ```
-
- The output of such a command resembles the following.
-
- 
-
-> [!NOTE]
-> When contacting Microsoft Support, it is recommended to export the logs listed in this section.
-
-## Gather status information from the BitLocker technologies
-
-Open an elevated Windows PowerShell window, and run each of the following commands:
-
-|Command |Notes | More Info |
-| --- | --- | --- |
-|**`Get-Tpm > C:\TPM.txt`** |PowerShell cmdlet that exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet isn't supported in Windows 7. | [Get-Tpm](/powershell/module/trustedplatformmodule/get-tpm)|
-|**`manage-bde.exe -status > C:\BDEStatus.txt`** |Exports information about the general encryption status of all drives on the computer. | [manage-bde.exe status](/windows-server/administration/windows-commands/manage-bde-status) |
-|**`manage-bde.exe c: -protectors -get > C:\Protectors`** |Exports information about the protection methods that are used for the BitLocker encryption key. | [manage-bde.exe protectors](/windows-server/administration/windows-commands/manage-bde-protectors)|
-|**`reagentc.exe /info > C:\reagent.txt`** |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. | [reagentc.exe](/windows-hardware/manufacture/desktop/reagentc-command-line-options) |
-|**`Get-BitLockerVolume \| fl`** |PowerShell cmdlet that gets information about volumes that BitLocker Drive Encryption can protect. | [Get-BitLockerVolume](/powershell/module/bitlocker/get-bitlockervolume) |
-
-## Review the configuration information
-
-1. Open an elevated Command Prompt window, and run the following commands:
-
- |Command |Notes | More Info |
- | --- | --- | --- |
- |**`gpresult.exe /h `** |Exports the Resultant Set of Policy information, and saves the information as an HTML file. | [gpresult.exe](/windows-server/administration/windows-commands/gpresult) |
- |**`msinfo.exe /report /computer `** |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. |[msinfo.exe](/windows-server/administration/windows-commands/msinfo32) |
-
-2. Open Registry Editor, and export the entries in the following subkeys:
-
- - **`HKLM\SOFTWARE\Policies\Microsoft\FVE`**
- - **`HKLM\SYSTEM\CurrentControlSet\Services\TPM\`**
-
-## Check the BitLocker prerequisites
-
-Common settings that can cause issues for BitLocker include the following scenarios:
-
-- The TPM must be unlocked. Check the output of the **`get-tpm`** PowerShell cmdlet command for the status of the TPM.
-
-- Windows RE must be enabled. Check the output of the **`reagentc.exe`** command for the status of WindowsRE.
-
-- The system-reserved partition must use the correct format.
-
- - On Unified Extensible Firmware Interface (UEFI) computers, the system-reserved partition must be formatted as FAT32.
- - On legacy computers, the system-reserved partition must be formatted as NTFS.
-
-- If the device being troubleshot is a slate or tablet PC, use to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option.
-
-For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](./bitlocker-basic-deployment.md#using-bitlocker-to-encrypt-volumes)
-
-## Next steps
-
-If the information examined so far indicates a specific issue (for example, WindowsRE isn't enabled), the issue may have a straightforward fix.
-
-Resolving issues that don't have obvious causes depends on exactly which components are involved and what behavior is being see. The gathered information helps narrow down the areas to investigate.
-
-- If the device being troubleshot is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md).
-
-- If BitLocker doesn't start or can't encrypt a drive and errors or events that are related to the TPM are occurring, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
-
-- If BitLocker doesn't start or can't encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
-
-- If BitLocker Network Unlock doesn't behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md).
-
-- If BitLocker doesn't behave as expected when an encrypted drive is recovered, or if BitLocker unexpectedly recovered a drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md).
-
-- If BitLocker or the encrypted drive doesn't behave as expected, and errors or events that are related to the TPM are occurring, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md).
-
-- If BitLocker or the encrypted drive doesn't behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md).
-
-It's recommended to keep the gathered information handy in case Microsoft Support is contacted for help with resolving the issue.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
deleted file mode 100644
index 21e5e1fe33..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+++ /dev/null
@@ -1,114 +0,0 @@
----
-title: BitLocker cannot encrypt a drive known issues
-description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive
-ms.reviewer: kaushika
-ms.technology: itpro-security
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 11/08/2022
-ms.custom: bitlocker
----
-
-# BitLocker cannot encrypt a drive: known issues
-
-This article describes common issues that prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
-
-> [!NOTE]
-> If it is determined that the BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
-
-## **Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive**
-
-When BitLocker Drive Encryption is turned on a computer that is running Windows 10 Professional or Windows 11, the following message may appear:
-
-> **ERROR: An error occurred (code 0x80310059): BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing. NOTE: If the -on switch has failed to add key protectors or start encryption, you may need to call manage-bde -off before attempting -on again.**
-
-### Cause of **Error 0x80310059**
-
-This issue may be caused by settings that are controlled by group policy objects (GPOs).
-
-### Resolution for **Error 0x80310059**
-
-> [!IMPORTANT]
-> Follow the steps in this section carefully. Serious problems might occur if the registry is modified incorrectly. Before modifying the registry, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
-
-To resolve this issue, follow these steps:
-
-1. Start Registry Editor, and navigate to the following subkey:
-
- **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`**
-
-2. Delete the following entries:
-
- - **`OSPlatformValidation_BIOS`**
- - **`OSPlatformValidation_UEFI`**
- - **`PlatformValidation`**
-
-3. Exit registry editor, and turn on BitLocker drive encryption again.
-
-
\ No newline at end of file
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
deleted file mode 100644
index 78b5691523..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
+++ /dev/null
@@ -1,157 +0,0 @@
----
-title: BitLocker cannot encrypt a drive known TPM issues
-description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive that can be attributed to the TPM
-ms.reviewer: kaushika
-ms.technology: itpro-security
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 11/08/2022
-ms.custom: bitlocker
----
-
-# BitLocker cannot encrypt a drive: known TPM issues
-
-This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
-
-> [!NOTE]
-> If it's been determined that the BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
-
-## The TPM is locked and the error **`The TPM is defending against dictionary attacks and is in a time-out period`** is displayed
-
-It's attempted to turn on BitLocker drive encryption on a device but it fails with an error message similar to the following error message:
-
-> **The TPM is defending against dictionary attacks and is in a time-out period.**
-
-### Cause of the TPM being locked
-
-The TPM is locked out.
-
-### Resolution for the TPM being locked
-
-To resolve this issue, the TPM needs to be reset and cleared. The TPM can be reset and cleared with the following steps:
-
-1. Open an elevated PowerShell window and run the following script:
-
- ```powershell
- $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
- $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
- if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
- ```
-
-2. Restart the computer. If a prompt is displayed confirming the clearing of the TPM, agree to clear the TPM.
-
-3. Sign on to Windows and retry starting BitLocker drive encryption.
-
-> [!WARNING]
-> Resetting and clearing the TPM can cause data loss.
-
-## The TPM fails to prepare with the error **`The TPM is defending against dictionary attacks and is in a time-out period`**
-
-It's attempted to turn on BitLocker drive encryption on a device but it fails. While troubleshooting, the TPM management console (`tpm.msc`) is used to attempt to prepare the TPM on the device. The operation fails with an error message similar to the following error message:
-
-> **The TPM is defending against dictionary attacks and is in a time-out period.**
-
-### Cause of TPM failing to prepare
-
-The TPM is locked out.
-
-### Resolution for TPM failing to prepare
-
-To resolve this issue, disable and re-enable the TPM with the following steps:
-
-1. Enter the UEFI/BIOS configuration screens of the device by restarting the device and hitting the appropriate key combination as the device boots. Consult with the device manufacturer for the appropriate key combination for entering into the UEFI/BIOS configuration screens.
-
-2. Once in the UEFI/BIOS configuration screens, disable the TPM. Consult with the device manufacturer for instructions on how to disable the TPM in the UEFI/BIOS configuration screens.
-
-3. Save the UEFI/BIOS configuration with the TPM disabled and restart the device to boot into Windows.
-
-4. Once signed into Windows, return to the TPM management console. An error message similar to the following error message is displayed:
-
- > **Compatible TPM cannot be found**
- >
- > **Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.**
-
- This message is expected since the TPM is currently disabled in the UEFI firmware/BIOS of the device.
-
-5. Restart the device and enter the UEFI/BIOS configuration screens again.
-
-6. Reenable the TPM in the UEFI/BIOS configuration screens.
-
-7. Save the UEFI/BIOS configuration with the TPM enabled and restart the device to boot into Windows.
-
-8. Once signed into Windows, return to the TPM management console.
-
-If the TPM still can't be prepared, clear the existing TPM keys by following the instructions in the article [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
-
-> [!WARNING]
-> Clearing the TPM can cause data loss.
-
-## BitLocker fails to enable with the error **`Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005`** or **`Insufficient Rights`**
-
-The **Do not enable BitLocker until recovery information is stored in AD DS** policy is enforced in the environment. It's attempted to turn on BitLocker drive encryption on a device but it fails with the error message of **`Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005`** or **`Insufficient Rights`**.
-
-### Cause of **`Access Denied`** or **`Insufficient Rights`**
-
-The TPM didn't have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information couldn't be backed up to AD DS, and BitLocker drive encryption couldn't turn on.
-
-This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
-
-### Resolution for **`Access Denied`** or **`Insufficient Rights`**
-
-To verify this issue is occurring, use one of the following two methods:
-
-- Disable the policy or remove the computer from the domain followed by trying to turn on BitLocker drive encryption again. If the operation succeeds, then the issue was caused by the policy.
-
-- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the **Access Denied** or **Insufficient Rights** error. In this case, an error should be displayed when the client tries to access its object in the **`CN=TPM Devices,DC=,DC=com`** container.
-
-1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
-
- ```powershell
- Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
- ```
-
- In this command, *ComputerName* is the name of the affected computer.
-
-2. To resolve the issue, use a tool such as `dsacls.exe` to ensure that the access control list of msTPM-TPMInformationForComputer grants both **Read** and **Write** permissions to **NTAUTHORITY/SELF**.
-
-## The TPM fails to be prepared with the error **`0x80072030: There is no such object on the server`**
-
-Domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) exists that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.
-
-It's attempted to turn on BitLocker drive encryption on a device but it fails. While troubleshooting, the TPM management console (`tpm.msc`) is used to attempt to prepare the TPM on the device. The operation fails with an error message similar to the following error message:
-
-> **0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled**
-
-It's been confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present.
-
-### Cause of **0x80072030: There is no such object on the server**
-
-The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set.
-
-### Resolution for **0x80072030: There is no such object on the server**
-
-The issue can be resolved with the following steps:
-
-1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
-
-2. Download [Add-TPMSelfWriteACE.vbs](/samples/browse/?redirectedfrom=TechNet-Gallery).
-
-3. In the script, modify the value of **strPathToDomain** to the organization's domain name.
-
-4. Open an elevated PowerShell window, and run the following command:
-
- ```cmd
- cscript.exe \Add-TPMSelfWriteACE.vbs
- ```
-
- In this command, \<*Path*> is the path to the script file.
-
-For more information, see the following articles:
-
-- [Back up the TPM recovery information to AD DS](../tpm/backup-tpm-recovery-information-to-ad-ds.md)
-- [Prepare your organization for BitLocker: Planning and policies](./prepare-your-organization-for-bitlocker-planning-and-policies.md)
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
deleted file mode 100644
index bac3ad9030..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
+++ /dev/null
@@ -1,191 +0,0 @@
----
-title: BitLocker configuration known issues
-description: Describes common issues that involve BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues.
-ms.reviewer: kaushika
-ms.technology: itpro-security
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 11/08/2022
-ms.custom: bitlocker
----
-
-# BitLocker configuration: known issues
-
-This article describes common issues that affect BitLocker's configuration and general functionality. This article also provides guidance to address these issues.
-
-## BitLocker encryption is slower in Windows 10 and Windows 11
-
-BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources than in previous versions of Windows. This behavior reduces the chance that BitLocker will affect the computer's performance.
-
-To compensate for these changes, BitLocker uses a conversion model called Encrypt-On-Write. This model makes sure that any new disk writes are encrypted as soon as BitLocker is enabled. This behavior happens on all client editions and for any internal drives.
-
-> [!IMPORTANT]
-> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
-
-### Benefits of using the new conversion model
-
-By using the previous conversion model, an internal drive can't be considered protected and compliant with data protection standards until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began - that is, potentially compromised data - can still be read and written without encryption. Therefore, for data to be considered protected and compliant with data protection standards, the encryption process has to finish before sensitive data is stored on the drive. Depending on the size of the drive, this delay can be substantial.
-
-By using the new conversion model, sensitive data can be stored on the drive as soon as BitLocker is turned on. The encryption process doesn't need to finish first, and encryption doesn't adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time.
-
-### Other BitLocker enhancements
-
-Several other areas of BitLocker were improved in versions of Windows released after Windows 7:
-
-- **New encryption algorithm, XTS-AES** - Added in Windows 10 version 1511, this algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
-
- By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software.
-
-- **Improved administration features**. BitLocker can be managed on PCs or other devices by using the following interfaces:
-
- - BitLocker Wizard
- - manage-bde.exe
- - Group Policy Objects (GPOs)
- - Mobile Device Management (MDM) policy
- - Windows PowerShell
- - Windows Management Interface (WMI)
-
-- **Integration with Azure Active Directory** (Azure AD) - BitLocker can store recovery information in Azure AD to make it easier to recover.
-
-- **[Direct memory access (DMA) Port Protection](../kernel-dma-protection-for-thunderbolt.md)** - By using MDM policies to manage BitLocker, a device's DMA ports can be blocked which secures the device during its startup.
-
-- **[BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md)** - If the BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, its operating system volume can be automatically unlocked during a system restart.
-
-- **Support for [Encrypted Hard Drives](../encrypted-hard-drive.md)** - Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
-
-- **Support for classes of HDD/SSD hybrid disks** - BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
-
-## Hyper-V Gen 2 VM: Can't access the volume after BitLocker encryption
-
-Consider the following scenario:
-
-1. BitLocker is turned on a generation 2 virtual machine (VM) that runs on Hyper-V.
-
-2. Data is added to the data disk as it encrypts.
-
-3. The VM is restarted and the following behavior is observed:
-
- - The system volume isn't encrypted.
-
- - The encrypted volume isn't accessible, and the computer lists the volume's file system as **Unknown**.
-
- - A message similar to the following message is displayed:
-
- > **You need to format the disk in \<*drive_letter:*> drive before you can use it**
-
-### Cause of not being able to access the volume after BitLocker encryption on a Hyper-V Gen 2 VM
-
-This issue occurs because the third-party filter driver `Stcvsm.sys` (from StorageCraft) is installed on the VM.
-
-### Resolution for not being able to access the volume after BitLocker encryption on a Hyper-V Gen 2 VM
-
-To resolve this issue, remove the third-party software.
-
-## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
-
-Consider the following scenario:
-
-A Windows Server 2019 or 2016 Hyper-V Server is hosting VMs (guests) that are configured as Windows domain controllers. On a domain controller guest VM, BitLocker has encrypted the disks that store the Active Directory database and log files. When a "production snapshot" of the domain controller guest VM is attempted, the Volume Snap-Shot (VSS) service doesn't correctly process the backup.
-
-This issue occurs regardless of any of the following variations in the environment:
-
-- How the domain controller volumes are unlocked.
-- Whether the VMs are generation 1 or generation 2.
-- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
-
-In the guest VM domain controller **Windows Logs** > **Application** Event Viewer log, the VSS event source records event **ID 8229**:
-
-> ID: 8229
-> Level: Warning
-> Source: VSS
-> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.
->
-> Changes that the writer made to the writer components while handling the event will not be available to the requester.
->
-> Check the event log for related events from the application hosting the VSS writer.
->
-> Operation:
-> PostSnapshot Event
->
-> Context:
-> Execution Context: Writer
-> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
-> Writer Name: NTDS
-> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}
-> Command Line: C:\\Windows\\system32\\lsass.exe
->
-> Process ID: 680
-
-In the guest VM domain controller **Applications and Services Logs** > **Directory Service** Event Viewer log, there's an event logged similar to the following event:
-
-> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168
-> Internal Processing Internal error: An Active Directory Domain Services error has occurred.
->
-> Additional Data
-> Error value (decimal): -1022
->
-> Error value (hex): fffffc02
->
-> Internal ID: 160207d9
-
-> [!NOTE]
-> The internal ID of this event may differ based on the operating system release version and patch level.
-
-When this issue occurs, the **Active Directory Domain Services (NTDS) VSS Writer** will display the following error when the **`vssadmin.exe list writers`** command is run:
-
-```Error
-Writer name: 'NTDS'
- Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}
- Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}
- State: [11] Failed
- Last error: Non-retryable error
-```
-
-Additionally, the VMs can't be backed up until they're restarted.
-
-### Cause of production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
-
-After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. When a "production snapshot" is initiated from the host server, Hyper-V tries to mount the snapshotted volume. However, it can't unlock the volume for unencrypted access. BitLocker on the Hyper-V server doesn't recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails.
-
-This behavior is by design.
-
-### Workaround for production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
-
-A supported way to perform backup and restore of a virtualized domain controller is to run **Windows Server Backup** in the guest operating system.
-
-If a production snapshot of a virtualized domain controller needs to be taken, BitLocker can be suspended in the guest operating system before the production snapshot is started. However, this approach isn't recommended.
-
-For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers)
-
-### More information
-
-When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry similar to the following error:
-
-```console
-\# for hex 0xc0210000 / decimal -1071579136
-STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
-\# This volume is locked by BitLocker Drive Encryption.
-```
-
-The operation produces the following call stack:
-
-```console
-\# Child-SP RetAddr Call Site
- 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
- 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
- 02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\]
- 03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\]
- 04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\]
- 05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\]
- 06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\]
- 07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\]
- 08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\]
- 09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\]
- 0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
- 0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
-```
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
deleted file mode 100644
index 9a5952f7e5..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ /dev/null
@@ -1,120 +0,0 @@
----
-title: Decode Measured Boot logs to track PCR changes
-description: Provides instructions for installing and using a tool for analyzing log information to identify changes to PCRs
-ms.reviewer: kaushika
-ms.technology: itpro-security
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 11/08/2022
-ms.custom: bitlocker
----
-
-# Decode Measured Boot logs to track PCR changes
-
-Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode.
-
-By tracking changes in the PCRs, and identifying when they changed, insight can be gained into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the `C:\Windows\Logs\MeasuredBoot\` folder.
-
-This article describes tools that can be used to decode these logs: `TBSLogGenerator.exe` and `PCPTool.exe`.
-
-For more information about Measured Boot and PCRs, see the following articles:
-
-- [TPM fundamentals: Measured Boot with support for attestation](../tpm/tpm-fundamentals.md#measured-boot-with-support-for-attestation)
-- [Understanding PCR banks on TPM 2.0 devices](../tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
-
-## Use `TBSLogGenerator.exe` to decode Measured Boot logs
-
-Use `TBSLogGenerator.exe` to decode Measured Boot logs that were collected from Windows. `TBSLogGenerator.exe` can be installed on the following systems:
-
-- A computer that is running Windows Server 2016 or newer and that has a TPM enabled
-- A Gen 2 virtual machine running on Hyper-V that is running Windows Server 2016 or newer and is using a virtual TPM.
-
-To install the tool, follow these steps:
-
-1. Download the Windows Hardware Lab Kit from [Windows Hardware Lab Kit](/windows-hardware/test/hlk/).
-
-2. After downloading, run the installation file from the path where the install was downloaded to.
-
-3. Accept the default installation path.
-
- 
-
-4. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**.
-
- 
-
-5. Finish the installation.
-
-To use `TBSLogGenerator.exe`, follow these steps:
-
-1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
-
- **`C:\Program Files (x86)\Windows Kits\10\Hardware Lab Kit\Tests\amd64\NTTEST\BASETEST\ngscb`**
-
- This folder contains the `TBSLogGenerator.exe` file.
-
- 
-
-1. Run the following command:
-
- ```cmd
- TBSLogGenerator.exe -LF \.log > \.txt
- ```
-
- where the variables represent the following values:
-
- - \<*LogFolderName*> = the name of the folder that contains the file to be decoded
- - \<*LogFileName*> = the name of the file to be decoded
- - \<*DestinationFolderName*> = the name of the folder for the decoded text file
- - \<*DecodedFileName*> = the name of the decoded text file
-
- For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the **`C:\MeasuredBoot\`** folder. The figure also shows a Command Prompt window and the command to decode the **`0000000005-0000000000.log`** file:
-
- ```cmd
- TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
- ```
-
- 
-
- The command produces a text file that uses the specified name. In this example, the file is **`0000000005-0000000000.txt`**. The file is located in the same folder as the original `.log` file.
-
- 
-
- The content of this text file is similar to the following text:
-
- 
-
- To find the PCR information, go to the end of the file.
-
- 
-
-## Use `PCPTool.exe` to decode Measured Boot logs
-
-> [!NOTE]
-> `PCPTool.exe` is a Visual Studio solution, but executable needs to be built before tool can be used.
-
-`PCPTool.exe` is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
-
-To download and install `PCPTool.exe`, go to the Toolkit page, select **Download**, and follow the instructions.
-
-To decode a log, run the following command:
-
-```cmd
-PCPTool.exe decodelog \.log > \.xml
-```
-
-where the variables represent the following values:
-
-- \<*LogFolderPath*> = the path to the folder that contains the file to be decoded
-- \<*LogFileName*> = the name of the file to be decoded
-- \<*DestinationFolderName*> = the name of the folder for the decoded text file
-- \<*DecodedFileName*> = the name of the decoded text file
-
-The content of the XML file will be similar to the following XML:
-
-:::image type="content" alt-text="Command Prompt window that shows an example of how to use `PCPTool.exe`." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg":::
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
deleted file mode 100644
index dd44a1446d..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ /dev/null
@@ -1,366 +0,0 @@
----
-title: Enforcing BitLocker policies by using Intune known issues
-description: Provides assistance for issues that may be seen if Microsoft Intune policy is being used to manage silent BitLocker encryption on devices.
-ms.reviewer: kaushika
-ms.technology: itpro-security
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection:
- - Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 11/08/2022
-ms.custom: bitlocker
----
-
-# Enforcing BitLocker policies by using Intune: known issues
-
-This article helps troubleshooting issues that may be experienced if using Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
-
-:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png":::
-
-To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the **Management** and **Operations** logs in the **Applications and Services logs** > **Microsoft** > **Windows** > **BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
-
-- [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#event-id-853-error-a-compatible-trusted-platform-module-tpm-security-device-cannot-be-found-on-this-computer)
-- [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#event-id-853-error-bitlocker-drive-encryption-detected-bootable-media-cd-or-dvd-in-the-computer)
-- [Event ID 854: WinRE is not configured](#event-id-854-winre-is-not-configured)
-- [Event ID 851: Contact manufacturer for BIOS upgrade](#event-id-851-contact-the-manufacturer-for-bios-upgrade-instructions)
-- [Error message: The UEFI variable 'SecureBoot' could not be read](#error-message-the-uefi-variable-secureboot-could-not-be-read)
-- [Event ID 846, 778, and 851: Error 0x80072f9a](#event-id-846-778-and-851-error-0x80072f9a)
-- [Error message: There are conflicting group policy settings for recovery options on operating system drives](#error-message-there-are-conflicting-group-policy-settings-for-recovery-options-on-operating-system-drives)
-
-If there's no clear trail of events or error messages to follow, other areas to investigate include the following areas:
-
-- [Review the hardware requirements for using Intune to manage BitLocker on devices](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements)
-- [Review BitLocker policy configuration](#review-bitlocker-policy-configuration)
-
-For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
-
-## Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
-
-Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device doesn't appear to have a TPM. The event information will be similar to the following event:
-
-
-
-### Cause of Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
-
-The device that is being secured may not have a TPM chip, or the device BIOS might have been configured to disable the TPM.
-
-### Resolution for Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
-
-To resolve this issue, verify the following configurations:
-
-- The TPM is enabled in the device BIOS.
-- The TPM status in the TPM management console is similar to the following statuses:
- - Ready (TPM 2.0)
- - Initialized (TPM 1.2)
-
-For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md).
-
-## Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
-
-In this case, event ID 853 is displayed, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
-
-
-
-### Cause of Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
-
-During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if the media is removed), BitLocker recovery mode automatically starts.
-
-To avoid this situation, the provisioning process stops if it detects a removable bootable media.
-
-### Resolution for Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
-
-Remove the bootable media, and restart the device. After the device restarts, verify the encryption status.
-
-## Event ID 854: WinRE is not configured
-
-The event information resembles the following error message:
-
-> Failed to enable Silent Encryption. WinRe is not configured.
->
-> Error: This PC cannot support device encryption because WinRE is not properly configured.
-
-### Cause of Event ID 854: WinRE is not configured
-
-Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device can't start the regular Windows operating system, the device tries to start WinRE.
-
-The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
-
-If WinRE isn't available on the device, provisioning stops.
-
-### Resolution for Event ID 854: WinRE is not configured
-
-This issue can be resolved by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration by following these steps:
-
-#### Step 1: Verify the configuration of the disk partitions
-
-The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the **`Winre.wim`** file. The partition configuration resembles the following.
-
-
-
-To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands:
-
-```cmd
-diskpart.exe
-list volume
-```
-
-
-
-If the status of any of the volumes isn't healthy or if the recovery partition is missing, Windows may need to be reinstalled. Before reinstalling Windows, check the configuration of the Windows image that is being provisioned. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Configuration Manager):
-
-
-
-#### Step 2: Verify the status of WinRE
-
-To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:
-
-```cmd
-reagentc.exe /info
-```
-
-The output of this command resembles the following.
-
-
-
-If the **Windows RE status** isn't **Enabled**, run the following command to enable it:
-
-```cmd
-reagentc.exe /enable
-```
-
-#### Step 3: Verify the Windows Boot Loader configuration
-
-If the partition status is healthy, but the **`reagentc.exe /enable`** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID by running the following command in an elevated Command Prompt window:
-
-```cmd
-bcdedit.exe /enum all
-```
-
-The output of this command will be similar to the following output:
-
-:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
-
-In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
-
-## Event ID 851: Contact the manufacturer for BIOS upgrade instructions
-
-The event information will be similar to the following error message:
-
-> Failed to enable Silent Encryption.
->
-> Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions.
-
-### Cause of Event ID 851: Contact the manufacturer for BIOS upgrade instructions
-
-The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption doesn't support legacy BIOS.
-
-### Resolution for Event ID 851: Contact the manufacturer for BIOS upgrade instructions
-
-To verify the BIOS mode, use the System Information application by following these steps:
-
-1. Select **Start**, and enter **msinfo32** in the **Search** box.
-
-2. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
-
- 
-
-3. If the **BIOS Mode** setting is **Legacy**, the UEFI firmware needs to be switched to **UEFI** or **EFI** mode. The steps for switching to **UEFI** or **EFI** mode are specific to the device.
-
- > [!NOTE]
- > If the device supports only Legacy mode, Intune can't be used to manage BitLocker Device Encryption on the device.
-
-## Error message: The UEFI variable 'SecureBoot' could not be read
-
-An error message similar to the following error message is displayed:
-
-> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.
-
-### Cause of Error message: The UEFI variable 'SecureBoot' could not be read
-
-A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on.
-
-### Resolution for Error message: The UEFI variable 'SecureBoot' could not be read
-
-This issue can be resolved by verifying the PCR validation profile of the TPM and the secure boot state by following these steps:
-
-#### Step 1: Verify the PCR validation profile of the TPM
-
-To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
-
-```cmd
-Manage-bde.exe -protectors -get %systemdrive%
-```
-
-In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows:
-
-
-
-If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot isn't turned on.
-
-
-
-#### 2: Verify the secure boot state
-
-To verify the secure boot state, use the System Information application by following these steps:
-
-1. Select **Start**, and enter **msinfo32** in the **Search** box.
-
-2. Verify that the **Secure Boot State** setting is **On**, as follows:
-
- 
-
-3. If the **Secure Boot State** setting is **Unsupported**, Silent BitLocker Encryption can't be used on the device.
-
- 
-
-> [!NOTE]
-> The [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) PowerShell cmdlet can also be used to verify the Secure Boot state by opening an elevated PowerShell window and running the following command:
->
-> ```powershell
-> Confirm-SecureBootUEFI
-> ```
->
-> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."
->
-> If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False."
->
-> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."
-
-## Event ID 846, 778, and 851: Error 0x80072f9a
-
-Consider the following scenario:
-
-Intune policy is being deployed to encrypt a Windows 10, version 1809 device, and the recovery password is being stored in Azure Active Directory (Azure AD). As part of the policy configuration, the **Allow standard users to enable encryption during Azure AD Join** option has been selected.
-
-The policy deployment fails and the failure generates the following events in Event Viewer in the **Applications and Services Logs** > **Microsoft** > **Windows** > **BitLocker API** folder:
-
-> Event ID:846
->
-> Event:
-> Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
->
-> TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3}
-> Error: Unknown HResult Error code: 0x80072f9a
-
-> Event ID:778
->
-> Event: The BitLocker volume C: was reverted to an unprotected state.
-
-> Event ID: 851
->
-> Event:
-> Failed to enable Silent Encryption.
->
-> Error: Unknown HResult Error code: 0x80072f9a.
-
-These events refer to Error code 0x80072f9a.
-
-### Cause of Event ID 846, 778, and 851: Error 0x80072f9a
-
-These events indicate that the signed-in user doesn't have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails.
-
-The issue affects Windows 10 version 1809.
-
-### Resolution for Event ID 846, 778, and 851: Error 0x80072f9a
-
-To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update.
-
-## Error message: There are conflicting group policy settings for recovery options on operating system drives
-
-An error message similar to the following error message is displayed:
-
-> **Error:** BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker…
-
-### Resolution for Error message: There are conflicting group policy settings for recovery options on operating system drives
-
-To resolve this issue, review the group policy object (GPO) settings for conflicts. For more information, see the next section, [Review BitLocker policy configuration](#review-bitlocker-policy-configuration).
-
-For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)).
-
-## Review BitLocker policy configuration
-
-For information about the procedure to use policy together with BitLocker and Intune, see the following resources:
-
-- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](./bitlocker-management-for-enterprises.md#managing-devices-joined-to-azure-active-directory)
-- [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10))
-- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
-- [Policy CSP – BitLocker](/windows/client-management/mdm/policy-csp-bitlocker)
-- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp)
-- [Enable ADMX-backed policies in MDM](/windows/client-management/mdm/enable-admx-backed-policies-in-mdm)
-- [gpresult](/windows-server/administration/windows-commands/gpresult)
-
-Intune offers the following enforcement types for BitLocker:
-
-- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later.)
-- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later.)
-- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803.)
-
-If the device runs Windows 10 version 1703 or later, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy isn't required to enforce device encryption.
-
-If the device is HSTI-compliant but doesn't support Modern Standby, an endpoint protection policy has to be configured to enforce silent BitLocker drive encryption. The settings for this policy should be similar to the following settings:
-
-
-
-The OMA-URI references for these settings are as follows:
-
-- OMA-URI: **./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption**
- Value Type: **Integer**
- Value: **1** (1 = Require, 0 = Not Configured)
-
-- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption**
- Value Type: **Integer**
- Value: **0** (0 = Blocked, 1 = Allowed)
-
-> [!NOTE]
-> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, an endpoint protection policy can be used to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
-
-> [!NOTE]
-> If the **Warning for other disk encryption** setting is set to **Not configured**, the BitLocker drive encryption wizard has to be manually started.
-
-If the device doesn't support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. When the user selects the notification, it will start the BitLocker Drive Encryption wizard.
-
-Intune provides settings that can be used to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements:
-
-- Be HSTI-compliant
-- Support Modern Standby
-- Use Windows 10 version 1803 or later
-
-
-
-The OMA-URI references for these settings are as follows:
-
-- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption**
- Value Type: **Integer**
- Value: **1**
-
-> [!NOTE]
-> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when the following settings are set:
->
-> - **RequireDeviceEncryption** to **1**
-> - **AllowStandardUserEncryption** to **1**
-> - **AllowWarningForOtherDiskEncryption** to **0**
->
-> Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles.
-
-## Verifying that BitLocker is operating correctly
-
-During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845.
-
-
-
-
-
-It can also be determined whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
-
-
-
-On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
-
-- **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\BitLocker`**
-- **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device`**
-
-
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
deleted file mode 100644
index 530b0f37e4..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: BitLocker Network Unlock known issues
-description: Describes several known issues that may be encountered while using Network Unlock, and provided guidance for addressing those issues.
-ms.technology: itpro-security
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.reviewer: kaushika
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.custom: bitlocker
-ms.date: 11/08/2022
----
-
-# BitLocker Network Unlock: known issues
-
-By using the BitLocker Network Unlock feature, computers can be managed remotely without having to enter a BitLocker PIN when each computer starts up. To configure this behavior, the environment needs to meet the following requirements:
-
-- Each computer belongs to a domain.
-- Each computer has a wired connection to the internal network.
-- The internal network uses DHCP to manage IP addresses.
-- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware.
-
-For general guidelines about how to troubleshoot BitLocker Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock).
-
-This article describes several known issues that may be encountered when BitLocker Network Unlock is used and provides guidance to address these issues.
-
-> [!TIP]
-> BitLocker Network Unlock can be detected if it is enabled on a specific computer use the following steps on UEFI computers:
->
-> 1. Open an elevated command prompt window and run the following command:
->
-> ```cmd
-> manage-bde.exe -protectors -get
-> ```
->
-> For example:
->
-> ```cmd
-> manage-bde.exe -protectors -get C:
-> ```
->
-> If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock.
->
-> 2. Start Registry Editor, and verify the following settings:
->
-> 1. The following registry key exists and has the following value:
->
-> - **Subkey**: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE`
-> - **Type**: `REG_DWORD`
-> - **Value**: `OSManageNKP` equal to `1` (True)
->
-> 2. The registry key:
->
-> `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates`
->
-> has an entry whose name matches the name of the certificate thumbprint of the BitLocker Network Unlock key protector that was found in step 1.
-
-## On a Surface Pro 4 device, BitLocker Network Unlock doesn't work because the UEFI network stack is incorrectly configured
-
-Consider the following scenario:
-
-BitLocker Network Unlock has been configured as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). UEFI of a Surface Pro 4 has been configured to use DHCP. However, when the Surface Pro 4 is restarted, it still prompts for a BitLocker PIN.
-
-When testing another device, such as a different type of tablet or laptop PC that's configured to use the same infrastructure, the device restarts as expected, without prompting for the BitLocker PIN. This test confirms that the infrastructure is correctly configured, and the issue is specific to the device.
-
-### Cause of BitLocker Network Unlock not working on Surface Pro 4
-
-The UEFI network stack on the device is incorrectly configured.
-
-### Resolution for BitLocker Network Unlock not working on Surface Pro 4
-
-To correctly configure the UEFI network stack of the Surface Pro 4, the Microsoft Surface Enterprise Management Mode (SEMM) needs to be used. For information about SEMM, see [Enroll and configure Surface devices with SEMM](/surface/enroll-and-configure-surface-devices-with-semm).
-
-> [!NOTE]
-> If SEMM can't be used, the Surface Pro 4 may be able to use BitLocker Network Unlock by configuring the Surface Pro 4 to use the network as its first boot option.
-
-## Unable to use BitLocker Network Unlock feature on a Windows client computer
-
-Consider the following scenario:
-
-BitLocker Network Unlock has been configured as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). A Windows 8 client computer is connected to the internal network with an ethernet cable. However, when the device is restarted, the device still prompts for the BitLocker PIN.
-
-### Cause of unable to use BitLocker Network Unlock feature on a Windows client computer
-
-A Windows 8-based or Windows Server 2012-based client computer sometimes doesn't receive or use the BitLocker Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
-
-DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This behavior means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests.
-
-The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option:
-
-- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages.
-- The third message that the BitLocker Network Unlock client sends doesn't have the Message Type option. The DHCP server treats the message as a BOOTP request.
-
-A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages. After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client doesn't send a DHCPREQUEST message, nor does that client expect a DHCPACK message.
-
-If a DHCP server that isn't configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
-
-For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence).
-
-### Resolution for unable to use BitLocker Network Unlock feature on a Windows client computer
-
-To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
deleted file mode 100644
index 5292df2a16..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
+++ /dev/null
@@ -1,369 +0,0 @@
----
-title: BitLocker recovery known issues
-description: Describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The article provides guidance for addressing those issues.
-ms.reviewer: kaushika
-ms.technology: itpro-security
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection:
- - Windows Security Technologies\BitLocker
- - highpri
-ms.topic: troubleshooting
-ms.date: 11/08/2022
-ms.custom: bitlocker
----
-
-# BitLocker recovery: known issues
-
-This article describes common issues that may prevent BitLocker from behaving as expected when a drive is recovered, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues.
-
-> [!NOTE]
-> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](./prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors).
-
-## Windows prompts for a non-existing BitLocker recovery password
-
-Windows prompts for a BitLocker recovery password. However, a BitLocker recovery password wasn't configured.
-
-### Resolution for Windows prompts for a non-existing BitLocker recovery password
-
-The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue:
-
-- [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.yml#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-)
-
-- [What happens if the backup initially fails? Will BitLocker retry the backup?](./bitlocker-and-adds-faq.yml)
-
-## The recovery password for a laptop wasn't backed up, and the laptop is locked
-
-Consider the following scenario:
-
-The hard disk of a Windows 11 or Windows 10 laptop has to be recovered. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password wasn't backed up, and the usual user of the laptop isn't available to provide the password.
-
-### Resolution for the recovery password for a laptop wasn't backed up
-
-You can use either of the following methods to manually back up or synchronize an online client's existing recovery information:
-
-- Create a Windows Management Instrumentation (WMI) script that backs up the information. For more information, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider).
-
-- In an elevated Command Prompt window, use the [manage-bde.exe](/windows-server/administration/windows-commands/manage-bde) command to back up the information.
-
- For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
-
- ```cmd
- manage-bde.exe -protectors -adbackup C:
- ```
-
-> [!NOTE]
-> BitLocker does not automatically manage this backup process.
-
-## Tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode
-
-Consider the following scenario:
-
-BitLocker recovery needs to be tested on a tablet or slate device by running the following command:
-
-```cmd
-manage-bde.exe -forcerecovery
-```
-
-However, after entering the recovery password, the device can't start.
-
-### Cause of tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode
-
-> [!IMPORTANT]
-> Tablet devices do not support the **`manage-bde.exe -forcerecovery`** command.
-
-This issue occurs because the Windows Boot Manager can't process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input.
-
-If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **`manage-bde.exe -forcerecovery`** command deletes the TPM protectors on the hard disk. Therefore, WinRE can't reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
-
-This behavior is by design for all versions of Windows.
-
-### Workaround for tablet devices don't support using `manage-bde.exe -forcerecovery` to test recovery mode
-
-To resolve the restart loop, follow these steps:
-
-1. On the BitLocker Recovery screen, select **Skip this drive**.
-
-2. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
-
-3. In the Command Prompt window, run the following commands:
-
- ```cmd
- manage-bde.exe -unlock C: -rp <48-digit BitLocker recovery password>
- manage-bde.exe -protectors -disable C:
-
- ```
-
-4. Close the Command Prompt window.
-
-5. Shut down the device.
-
-6. Start the device. Windows should start as usual.
-
-## After installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
-
-Consider the following scenario:
-
-A Surface device has BitLocker drive encryption turned on. The firmware of the Surface's TPM is updated or an update that changes the signature of the system firmware is installed. For example, the Surface TPM (IFX) update is installed.
-
-You experience one or more of the following symptoms on the Surface device:
-
-- At startup, the Surface device prompts for a BitLocker recovery password. The correct recovery password is entered, but Windows doesn't start up.
-
-- Startup progresses directly into the Surface device's Unified Extensible Firmware Interface (UEFI) settings.
-
-- The Surface device appears to be in an infinite restart loop.
-
-### Cause of after installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
-
-This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
-
-- Secure boot is turned off.
-- PCR values have been explicitly defined, such as by group policy.
-
-Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see the [About the Platform Configuration Register (PCR)](bitlocker-group-policy-settings.md#about-the-platform-configuration-register-pcr) section of the [BitLocker Group Policy Settings](bitlocker-group-policy-settings.md) article.
-
-### Resolution for after installing UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
-
-To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command:
-
-```cmd
-manage-bde.exe -protectors -get :
-```
-
-In this command, *\* represents the drive letter of the operating system drive.
-
-To resolve this issue and repair the device, follow these steps:
-
-#### Step 1: Disable the TPM protectors on the boot drive
-
-If a TPM or UEFI update has been installed and the Surface device can't start, even if the correct BitLocker recovery password has been entered, the ability to start can be restored by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive.
-
-To use the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive, follow these steps:
-
-1. Obtain the BitLocker recovery password from the Surface user's [Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), Configuration Manager BitLocker Management, or Intune, contact the administrator for help.
-
-2. Use another computer to download the Surface recovery image from [Surface Recovery Image Download](https://support.microsoft.com/surface-recovery-image). Use the downloaded image to create a USB recovery drive.
-
-3. Insert the USB Surface recovery image drive into the Surface device, and start the device.
-
-4. When prompted, select the following items:
-
- 1. The operating system language.
-
- 2. The keyboard layout.
-
-5. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
-
-6. In the Command Prompt window, run the following commands:
-
- ```cmd
- manage-bde.exe -unlock -recoverypassword :
- manage-bde.exe -protectors -disable :
-
- ```
-
- where:
-
- - *\* is the BitLocker recovery password that was obtained in Step 1
- - *\* is the drive letter that is assigned to the operating system drive
-
- > [!NOTE]
- > For more information about how to use this command, see [manage-bde unlock](/windows-server/administration/windows-commands/manage-bde-unlock).
-
-7. Restart the computer.
-
-8. When prompted, enter the BitLocker recovery password that was obtained in Step 1.
-
-> [!NOTE]
-> After the TPM protectors are disabled, BitLocker drive encryption no longer protects the device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press **Enter**. Follow the steps to encrypt the drive.
-
-#### Step 2: Use Surface BMR to recover data and reset the Surface device
-
-To recover data from the Surface device if Windows doesn't start, follow steps 1 through 5 of the section [Step 1: Disable the TPM protectors on the boot drive](#step-1-disable-the-tpm-protectors-on-the-boot-drive) to get to a Command Prompt window. Once a Command Prompt window is open, follow these steps:
-
-1. At the command prompt, run the following command:
-
- ```cmd
- manage-bde.exe -unlock -recoverypassword :
- ```
-
- In this command, *\* is the BitLocker recovery password that was obtained in Step 1 of the section [Step 1: Disable the TPM protectors on the boot drive](#step-1-disable-the-tpm-protectors-on-the-boot-drive), and \<*DriveLetter*> is the drive letter that is assigned to the operating system drive.
-
-2. After the drive is unlocked, use the **`copy`** or **`xcopy.exe`** command to copy the user data to another drive.
-
- > [!NOTE]
- > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands) article.
-
-3. To reset the device by using a Surface recovery image, follow the instructions in the article [Creating and using a USB recovery drive for Surface](https://support.microsoft.com/surface/creating-and-using-a-usb-recovery-drive-for-surface-677852e2-ed34-45cb-40ef-398fc7d62c07).
-
-#### Step 3: Restore the default PCR values
-
-To prevent this issue from recurring, it's recommended to restore the default configuration of Secure Boot and the PCR values.
-
-To enable Secure Boot on a Surface device, follow these steps:
-
-1. Suspend BitLocker by opening an elevated Windows PowerShell window and running the following PowerShell cmdlet:
-
- ```powershell
- Suspend-BitLocker -MountPoint ":" -RebootCount 0
- ```
-
- In this command, *\* is the letter that is assigned to the drive.
-
-2. Restart the device, and then edit the UEFI settings to set the **Secure Boot** option to **Microsoft Only**.
-
-3. Restart the device and sign into Windows.
-
-4. Open an elevated PowerShell window and run the following PowerShell cmdlet:
-
- ```powershell
- Resume-BitLocker -MountPoint ":"
- ```
-
-To reset the PCR settings on the TPM, follow these steps:
-
-1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.
-
- For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-
-2. Suspend BitLocker by opening an elevated Windows PowerShell window and running the following PowerShell cmdlet:
-
- ```powershell
- Suspend-BitLocker -MountPoint ":" -RebootCount 0
- ```
-
- In this command, *\* is the letter that is assigned to the drive.
-
-3. Run the following PowerShell cmdlet:
-
- ```powershell
- Resume-BitLocker -MountPoint ":"
- ```
-
-#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
-
-You can avoid this scenario when installing updates to system firmware or TPM firmware by temporarily suspending BitLocker before applying such updates.
-
-> [!IMPORTANT]
-> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, the PowerShell cmdlet [Suspend-BitLocker](/powershell/module/bitlocker/suspend-bitlocker) must be used and the **Reboot Count** parameter must be set to either of the following values:
->
-> - **2** or greater: This value sets the number of times the device will restart before BitLocker Device Encryption resumes. For example, setting the value to **2** will cause BitLocker to resume after the device restarts twice.
->
-> - **0**: This value suspends BitLocker Drive Encryption indefinitely. To resume BitLocker, the PowerShell cmdlet [Resume-BitLocker](/powershell/module/bitlocker/resume-bitlocker) or another mechanism needs to be used to resume BitLocker protection.
-
-To suspend BitLocker while installing TPM or UEFI firmware updates:
-
-1. Open an elevated Windows PowerShell window and run the following PowerShell cmdlet:
-
- ```powershell
- Suspend-BitLocker -MountPoint ":" -RebootCount 0
- ```
-
- In this PowerShell cmdlet, *\* is the letter that is assigned to the drive.
-
-2. Install the Surface device driver and firmware updates.
-
-3. After installing the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following PowerShell cmdlet:
-
- ```powershell
- Resume-BitLocker -MountPoint ":"
- ```
-
-
-
-
-
-## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
-
-Consider the following scenario:
-
-A device uses TPM 1.2 and runs Windows 10, version 1809. The device also uses [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time the device is started, the device enters BitLocker Recovery mode and an error message similar to the following error message is displayed:
-
-> Recovery
->
-> Your PC/Device needs to be repaired.
-> A required file couldn't be accessed because your BitLocker key wasn't loaded correctly.
->
-> Error code 0xc0210000
->
-> You'll need to use recovery tools. If you don't have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer.
-
-### Cause of Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
-
-TPM 1.2 doesn't support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-
-For more information about this technology, see [Windows Defender System Guard: How a hardware-based root of trust helps protect Windows](../../threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
-
-### Resolution for Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
-
-To resolve this issue, use one of the following two solutions:
-
-- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch.
-- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
deleted file mode 100644
index c6628ccd73..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
+++ /dev/null
@@ -1,126 +0,0 @@
----
-title: BitLocker and TPM other known issues
-description: Describes common issues that relate directly to the TPM, and provides guidance for resolving those issues.
-ms.reviewer: kaushika
-ms.technology: itpro-security
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 11/08/2022
-ms.custom: bitlocker
----
-
-# BitLocker and TPM: other known issues
-
-This article describes common issues that relate directly to the trusted platform module (TPM), and provides guidance to address these issues.
-
-## Azure AD: Windows Hello for Business and single sign-on don't work
-
-Consider the following scenario:
-
-An Azure Active Directory (Azure AD)-joined client computer can't authenticate correctly. The computer is experiencing one or more of the following symptoms:
-
-- Windows Hello for Business doesn't work
-- Conditional access fails
-- Single sign-on (SSO) doesn't work
-
-Additionally, in Event Viewer, the computer logs the following Event ID 1026 event under **Windows Logs** > **System**:
-
-> Log Name: System
-> Source: Microsoft-Windows-TPM-WMI
-> Date: \
-> Event ID: 1026
-> Task Category: None
-> Level: Information
-> Keywords:
-> User: SYSTEM
-> Computer: \
-> Description:
-> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically. To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready.
-> Error: The TPM is defending against dictionary attacks and is in a time-out period.
-> Additional Information: 0x840000
-
-### Cause of Azure AD: Windows Hello for Business and single sign-on don't work
-
-This event indicates that the TPM isn't ready or has some setting that prevents access to the TPM keys.
-
-Additionally, the behavior indicates that the client computer can't obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token).
-
-### Resolution for Azure AD: Windows Hello for Business and single sign-on don't work
-
-To verify the status of the PRT, use the [dsregcmd.exe /status](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT wasn't issued. If the value of the attribute is **No**, it may indicate that the computer couldn't present its certificate for authentication.
-
-To resolve this issue, follow these steps to troubleshoot the TPM:
-
-1. Open the TPM management console (`tpm.msc`) by selecting **Start** and entering **tpm.msc** in the **Search** box.
-
-2. If a notice is displayed to either unlock the TPM or reset the lockout, contact the hardware vendor to determine whether there's a known fix for the issue.
-
-3. If the issue is still not resolved after contacting the hardware vendor, clear and reinitialize the TPM by following the instructions in the article [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
-
- > [!WARNING]
- > Clearing the TPM can cause data loss.
-
-If in Step 2 there's no notice to either unlock the TPM or reset the lockout, review the UEFI firmware/BIOS settings of the computer for any setting that can be used to reset or disable the lockout.
-
-## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
-
-Consider the following scenario:
-
-When trying to open the TPM management console on a Windows computer that uses TPM version 1.2, the following message is displayed:
-
-> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.
-> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY
-> The device that is required by this cryptographic provider is not ready for use.
-> TPM Spec version: TPM v1.2
-
-On a different device that is running the same version of Windows, the TPM management console can be opened.
-
-### Cause (suspected) of TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
-
-These symptoms indicate that the TPM has hardware or firmware issues.
-
-### Resolution for TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
-
-To resolve the issue:
-
-- Switch the TPM operating mode from version 1.2 to version 2.0 if the device has this option available.
-
-- If switching the TPM from version 1.2 to version 2.0 doesn't resolve the issue, or if the device doesn't have TPM version 2.0 available, contact the hardware vendor to determine whether there's a UEFI firmware update/BIOS update/TPM update for the device. If there's an update available, install the update to see if it resolves the issue.
-
-- If updating the UEFI firmware/BIOS doesn't resolve the issue, or if there's no update available, consider replacing the device motherboard by contacting the hardware vendor. After the motherboard has been replaced, switch the TPM operating mode from version 1.2 to version 2.0 if this option is available.
-
- > [!WARNING]
- > Replacing the motherboard will cause data in the TPM to be lost.
-
-## Devices don't join hybrid Azure AD because of a TPM issue
-
-When trying to join a device to a hybrid Azure AD, the join operation appears to fail.
-
-To verify that the join succeeded, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded:
-
-- **AzureAdJoined: YES**
-- **DomainName: \<*on-prem Domain name*\>**
-
-If the value of **AzureADJoined** is **No**, the join operation failed.
-
-### Causes and resolutions for devices don't join hybrid Azure AD because of a TPM issue
-
-This issue may occur when the Windows operating system isn't the owner of the TPM. The specific fix for this issue depends on which errors or events are displayed, as shown in the following table:
-
-|Message |Reason | Resolution|
-| - | - | - |
-|*NTE\_BAD\_KEYSET (0x80090016/-2146893802)* |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. When creating a sysprep image, make sure to use a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. |
-|*TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641)* |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
-|*TPM\_E\_NOTFIPS (0x80280036/-2144862154*) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
-|*NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775)* |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
-
-For more information about TPM issues, see the following articles:
-
-- [TPM fundamentals: Anti-hammering](../tpm/tpm-fundamentals.md#anti-hammering)
-- [Troubleshooting hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
-- [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 634bbc6d29..b322223819 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -204,9 +204,6 @@ Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related pro
Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
```
-> [!NOTE]
-> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10 and Windows 11.
-
> [!NOTE]
> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index 7118a806da..e9a396f602 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -2,17 +2,17 @@
metadata:
title: FAQ - Microsoft Defender Application Guard (Windows 10)
description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
- ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
- author: denisebmsft
- ms.author: deniseb
+ ms.prod: windows-client
+ ms.technology: itpro-security
+ author: vinaypamnani-msft
+ ms.author: vinpa
ms.reviewer:
manager: aaroncz
ms.custom: asr
- ms.technology: windows-sec
ms.topic: faq
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
index 4c6c5ddd2d..39110f95c1 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
@@ -33,9 +33,9 @@ The **Microsoft network server: Amount of idle time required before suspending s
### Possible values
-- A user-defined number of minutes from 0 through 99,999
+- A user-defined number of minutes from 0 through 99,999.
- For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days. In effect, this value disables the policy.
+ For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999 (8 business hours per day), which is 208 days. In effect, this value disables the policy.
- Not defined
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index 3781352906..fb87a0fd40 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -30,7 +30,7 @@ Describes the best practices, location, values, and security considerations for
The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements:
-1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks aren't case-sensitive.
+1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive.
The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped.
The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
index 6f8d77a67f..f4b43a2558 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
@@ -61,7 +61,7 @@ The steps to use Intune's custom OMA-URI functionality are:
2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
- **Data type**: Base64 (file)
- - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
+ - **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
> [!div class="mx-imgBorder"]
> 
diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
index 89e08b0200..cae3c81088 100644
--- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
@@ -43,6 +43,8 @@ To complete this procedure, you must be a member of the Domain Administrators gr
4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**.
+ :::image type="content" alt-text="Screenshot that shows Copy Paste GPO." source="images/grouppolicy-paste.png":::
+
5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler.
6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*.
diff --git a/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png b/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png
new file mode 100644
index 0000000000..ba2de148f1
Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png differ
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 7f5b3c7832..58fb302ed7 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -229,12 +229,14 @@ With the Visual Studio Code installer script already mapped into the sandbox, th
### VSCodeInstall.cmd
+Download vscode to `downloads` folder and run from `downloads` folder
+
```batch
REM Download Visual Studio Code
-curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe
+curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Downloads\vscode.exe
REM Install and run Visual Studio Code
-C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes
+C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
```
### VSCode.wsb
@@ -244,15 +246,17 @@ C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes
C:\SandboxScripts
+ C:\Users\WDAGUtilityAccount\Downloads\sandbox
true
C:\CodingProjects
+ C:\Users\WDAGUtilityAccount\Documents\Projects
false
- C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd
+ C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd
```
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index 5c5fc54974..d432c8a8ff 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -24,3 +24,12 @@
href: whats-new-windows-10-version-21H1.md
- name: What's new in Windows 10, version 20H2
href: whats-new-windows-10-version-20H2.md
+- name: Deprecated and removed Windows features
+ expanded: false
+ items:
+ - name: Windows client features lifecycle
+ href: feature-lifecycle.md
+ - name: Deprecated Windows features
+ href: deprecated-features.md
+ - name: Removed Windows features
+ href: removed-features.md
\ No newline at end of file
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/whats-new/deprecated-features.md
similarity index 98%
rename from windows/deployment/planning/windows-10-deprecated-features.md
rename to windows/whats-new/deprecated-features.md
index c57fba110d..12880bd7ef 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,12 +1,12 @@
---
-title: Deprecated features in Windows client
+title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11.
ms.date: 10/28/2022
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
+author: mestew
+ms.author: mstewart
manager: aaroncz
ms.reviewer:
ms.topic: article
@@ -19,11 +19,11 @@ ms.topic: article
- Windows 10
- Windows 11
-Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](windows-10-removed-features.md).
+Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](removed-features.md).
For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
-To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](features-lifecycle.md).
+To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](feature-lifecycle.md).
The features in this article are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources.
diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/whats-new/feature-lifecycle.md
similarity index 80%
rename from windows/deployment/planning/features-lifecycle.md
rename to windows/whats-new/feature-lifecycle.md
index 18da27cab7..11eaa12e7e 100644
--- a/windows/deployment/planning/features-lifecycle.md
+++ b/windows/whats-new/feature-lifecycle.md
@@ -1,11 +1,11 @@
---
title: Windows client features lifecycle
-description: Learn about the lifecycle of Windows 10 features, as well as features that are no longer developed, removed features, and terminology assigned to a feature.
+description: Learn about the lifecycle of Windows features, as well as features that are no longer developed, removed features, and terminology assigned to a feature.
ms.prod: windows-client
ms.localizationpriority: medium
-author: frankroj
+author: mestew
manager: aaroncz
-ms.author: frankroj
+ms.author: mstewart
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.technology: itpro-fundamentals
@@ -27,17 +27,17 @@ For information about features that are impacted when you upgrade from Windows 1
The following topic lists features that are no longer being developed. These features might be removed in a future release.
-[Windows 10 features we're no longer developing](windows-10-deprecated-features.md)
+[Deprecated Windows features](deprecated-features.md)
## Features removed
The following topics have details about features that have been removed from Windows 10 or Windows 11. This includes features that are present in Windows 10, but are removed in Windows 11.
-[Windows 10 features we removed](windows-10-removed-features.md)
+[Removed Windows features](removed-features.md)
## Terminology
-The following terms can be used to describe the status that might be assigned to a feature during its lifecycle.
+The following terms can be used to describe the status that might be assigned to a feature during its lifecycle:
- **Deprecation**: The stage of the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases of a product or online service.
- **End of support**: The stage of the product lifecycle when support and servicing are no longer available for a product.
@@ -47,4 +47,4 @@ The following terms can be used to describe the status that might be assigned to
## Also see
-[Windows 10 release information](/windows/release-health/release-information)
+[Windows release information](/windows/release-health/release-information)
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index 0396341be3..d1f1ec51df 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -56,9 +56,9 @@ landingContent:
- text: Windows 10 update history
url: https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb
- text: Windows features we're no longer developing
- url: /windows/deployment/planning/windows-10-deprecated-features
+ url: deprecated-features.md
- text: Features and functionality removed in Windows
- url: /windows/deployment/planning/windows-10-removed-features
+ url: removed-features.md
- text: Compare Windows 11 Editions
url: https://www.microsoft.com/windows/business/compare-windows-11
- text: Windows 10 Enterprise LTSC
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/whats-new/removed-features.md
similarity index 98%
rename from windows/deployment/planning/windows-10-removed-features.md
rename to windows/whats-new/removed-features.md
index 3b686d66a9..ac21df98d7 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -3,8 +3,8 @@ title: Features and functionality removed in Windows client
description: In this article, learn about the features and functionality that have been removed or replaced in Windows client.
ms.prod: windows-client
ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
+author: mestew
+ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.custom: seo-marvel-apr2020
@@ -21,14 +21,14 @@ ms.date: 10/28/2022
Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionality that have been removed in Windows client.
-For more information about features that might be removed in a future release, see [Deprecated features for Windows client](windows-10-deprecated-features.md).
+For more information about features that might be removed in a future release, see [Deprecated features for Windows client](deprecated-features.md).
> [!NOTE]
> To get early access to new Windows builds and test these changes yourself, join the [Windows Insider program](https://insider.windows.com).
For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
-To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](features-lifecycle.md).
+To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](feature-lifecycle.md).
The following features and functionalities have been removed from the installed product image for Windows client. Applications or code that depend on these features won't function in the release when it was removed, or in later releases.
@@ -76,4 +76,4 @@ The following features and functionalities have been removed from the installed
|Microsoft Paint | This application won't be available for languages that aren't on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 |
|NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 |
|Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. | 1703 |
-|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
\ No newline at end of file
+|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 5030a8b526..d56bac40df 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -19,7 +19,7 @@ Below is a list of some of what's new in Information Technology (IT) pro feature
For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](./index.yml). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update}(https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/).
>[!NOTE]
->Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](/windows/deployment/planning/windows-10-removed-features).
+>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed in Windows 10 Creators Update](removed-features.md).
## Configuration
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 67c62a1a1f..f901253d51 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -14,7 +14,7 @@ ms.technology: itpro-fundamentals
# What's new in Windows 10, version 1909 for IT Pros
**Applies to**
-- Windows 10, version 1909
+- Windows 10, version 1909
This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 1909, also known as the Windows 10 November 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1903.
@@ -66,7 +66,7 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190
[Windows Virtual Desktop](/azure/virtual-desktop/overview) (WVD) is now generally available globally!
-Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, and an Azure tenant.
+Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It's the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, and an Azure tenant.
## Deployment
@@ -94,7 +94,7 @@ A new [Windows ADK](/windows-hardware/get-started/adk-install) will **not be rel
## Microsoft Connected Cache
-Together with Delivery Optimization, [Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Introducing-Microsoft-Connected-Cache-Microsoft-s-cloud-managed/ba-p/963898) installed on Windows Server or Linux can seamlessly offload your traffic to local sources, caching content efficiently at the byte range level. Connected Cache is configured as a “configure once and forget it” solution that transparently caches content that your devices on your network need.
+Together with Delivery Optimization, [Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Introducing-Microsoft-Connected-Cache-Microsoft-s-cloud-managed/ba-p/963898) installed on Windows Server or Linux can seamlessly offload your traffic to local sources, caching content efficiently at the byte range level. Connected Cache is configured as a "configure once and forget it" solution that transparently caches content that your devices on your network need.
## Accessibility
@@ -126,10 +126,10 @@ General battery life and power efficiency improvements for PCs with certain proc
[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
-[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
+[What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
[What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.
-[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
+[Features and functionality removed in Windows 10](removed-features.md): Removed features.
+[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
[How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.
[How to get Windows 10, Version 1909: Enablement Mechanics](https://aka.ms/1909mechanics): Mechanics blog.
-[What’s new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.
+[What's new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index c573b18f86..5762e44a56 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -262,5 +262,5 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
- [What's new for business in Windows 10 Insider Preview Builds](/windows-insider/Active-Dev-Branch): A preview of new features for businesses.
- [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/archive/new-in-20h1): This list also includes consumer focused new features.
-- [Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-- [Windows 10 features we're no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
+- [Features and functionality removed in Windows 10](removed-features.md): Removed features.
+- [Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index ac69c0d7b2..1b1b11fb62 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -146,5 +146,5 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
-[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
+[Features and functionality removed in Windows 10](removed-features.md): Removed features.
+[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
index 67ec5e934e..2e40e1ddd7 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@@ -94,10 +94,10 @@ This release includes the following enhancements and issues fixed:
- Windows Management Instrumentation (WMI) service caused a heap leak each time security settings are applied to WMI namespace permissions.
- screen rendering after opening games with certain hardware configurations.
- startup times for applications that have roaming settings when User Experience Virtualization (UE-V) is turned on.
-- a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerfromTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, “KRB_GENERIC_ERROR”, if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
+- a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerfromTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, "KRB_GENERIC_ERROR", if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
- high memory and CPU utilization in Microsoft Defender for Endpoint.
- We enhanced data loss prevention and insider risk management solution functionalities in Microsoft 365 endpoints.
-- an error when you attempt to open an untrusted webpage using Microsoft Edge or open an untrusted Microsoft Office document. The error is, “WDAG Report – Container: Error: 0x80070003, Ext error: 0x00000001”. This issue occurs after installing the .NET update KB4565627.
+- an error when you attempt to open an untrusted webpage using Microsoft Edge or open an untrusted Microsoft Office document. The error is, "WDAG Report - Container: Error: 0x80070003, Ext error: 0x00000001". This issue occurs after installing the .NET update KB4565627.
- an issue that prevents wevtutil from parsing an XML file.
- failure to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes.
- We added support for using the new Chromium-based Microsoft Edge as the assigned access single kiosk app. Now, you can also customize a breakout key sequence for single app kiosks. For more information, see Configure Microsoft Edge kiosk mode.
@@ -131,7 +131,7 @@ This release includes the following enhancements and issues fixed:
[Introducing the next feature update to Windows 10, version 21H1](https://blogs.windows.com/windowsexperience/2021/02/17/introducing-the-next-feature-update-to-windows-10-version-21h1/): Windows Experience Blog.
[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
-[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
-[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
-[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
+[What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.
+[Announcing more ways we're making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
+[Features and functionality removed in Windows 10](removed-features.md): Removed features.
+[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index cbb7d6dbb6..e72a69b1d0 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -84,7 +84,7 @@ The following configuration requirements apply to VMs running Windows 11.
- Generation: 2 \*
- Storage: 64 GB or greater
- Security:
- - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM and secure boot enabled
+ - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled
- Hyper-V: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager)
- General settings: Secure boot capable, virtual TPM enabled
- Memory: 4 GB or greater