deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-05 09:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into vs-10468867

Browse Source
This commit is contained in:
LizRoss 2017-01-20 09:30:54 -08:00
commit 65bef2b2d1
33 changed files with 2947 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
devices/surface-hub/TOC.md
View File

@ -36,4 +36,5 @@
### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
## [Change history for Surface Hub](change-history-surface-hub.md)

1
devices/surface-hub/change-history-surface-hub.md
View File

@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Surface Hub Admin Guide]( surfac
| New or changed topic | Description |
| --- | --- |
| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | New |
| [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added graphics cards verified to work with 84" Surface Hubs and added information about the lengths of cables. |
| [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated procedures for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. |

5
devices/surface-hub/index.md
View File

@ -34,7 +34,8 @@ Documents related to the Microsoft Surface Hub.
<td align="left"><p>[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)</p></td>
<td align="left"><p>This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.</p></td>
</tr>
<tr><td>[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)</td><td>This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.</td></tr><tr>
<td>[Change history for Surface Hub](change-history-surface-hub.md)</td><td>This topic lists new and updated topis in the Surface Hub documentation.</td></tr>
<tr><td>[Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)</td><td>This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise.</td></tr>
<tr><td>[How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)</td><td>This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. </td></tr>
<tr><td>[Change history for Surface Hub](change-history-surface-hub.md)</td><td>This topic lists new and updated topis in the Surface Hub documentation.</td></tr>
</tbody>
</table>

121
devices/surface-hub/surface-hub-wifi-direct.md Normal file
View File

@ -0,0 +1,121 @@
---
title: How Surface Hub addresses Wi-Fi Direct security issues
description: This topic provides guidance on Wi-Fi Direct security risks.
keywords: change history
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerMS
localizationpriority: medium
---
# How Surface Hub addresses Wi-Fi Direct security issues
Microsoft Surface Hub is an all-in-one productivity device that enables teams to better brainstorm, collaborate, and share ideas. Surface Hub relies on Miracast for wireless projection by using Wi-Fi Direct.
This topic provides guidance on Wi-Fi Direct security vulnerabilities, how Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. This hardening information will help customers with high security requirements understand how best to protect their Surface Hub connected networks and data in transit.
The intended audiences for this topic include IT and network administrators interested in deploying Microsoft Surface Hub in their corporate environment with optimal security settings.
## Overview
Microsoft Surface Hub's security depends extensively on Wi-Fi Direct / Miracast and the associated 802.11, Wi-Fi Protected Access (WPA2), and Wireless Protected Setup (WPS) standards. Since the device only supports WPS (as opposed to WPA2 Pre-Shared Key (PSK) or WPA2 Enterprise), issues traditionally associated with 802.11 encryption are simplified by design.
It is important to note Surface Hub operates on par with the field of Miracast receivers, meaning that it is protected from, and vulnerable to, a similar set of exploits as all WPS-based wireless network devices. But Surface Hubs implementation of WPS has extra precautions built in, and its internal architecture helps prevent an attacker even after compromising the Wi-Fi Direct / Miracast layer to move past the network interface onto other attack surfaces and connected enterprise networks see [Wi-Fi Direct vulnerabilities and how Surface Hub addresses them](#vulnerabilities).
## Wi-Fi Direct background
Miracast is part of the Wi-Fi Display standard, which itself is supported by the Wi-Fi Direct protocol. These standards are supported in modern mobile devices for screen sharing and collaboration.
Wi-Fi Direct or Wi-Fi "Peer to Peer" (P2P) is a standard released by the Wi-Fi Alliance for "Ad-Hoc" networks. This allows supported devices to communicate directly and create groups of networks without requiring a traditional Wi-Fi Access Point or an Internet connection.
Security for Wi-Fi Direct is provided by WPA2 using the WPS standard. Authentication mechanism for devices can be a numerical pin (WPS-PIN), a physical or virtual Push Button (WPS-PBC), or an out-of-band message such as Near Field Communication (WPS-OOO). The Microsoft Surface Hub supports both Push Button (which is the default) and PIN methods.
In Wi-Fi Direct, groups are created as either "persistent," allowing for automatic reconnection using stored key material, or "temporary," where devices cannot re-authenticate without user intervention or action. Wi-Fi Direct groups will typically determine a Group Owner (GO) through a negotiation protocol, which mimics the "station" or "Access Point" functionality for the established Wi-Fi Direct Group. This Wi-Fi Direct GO provides authentication (via an “Internal Registrar”), and facilitate upstream network connections. For Surface Hub, this GO negotiation does not take place, as the network only operates in "autonomous" mode, where Surface Hub is always the Group Owner. Finally, Surface Hub does not and will not join other Wi-Fi Direct networks itself as a client.
<span id="vulnerabilities" />
## Wi-Fi Direct vulnerabilities and how Surface Hub addresses them
**Vulnerabilities and attacks in the Wi-Fi Direct invitation, broadcast, and discovery process**: Wi-Fi Direct / Miracast attacks may target weaknesses in the group establishment, peer discovery, device broadcast, or invitation processes.
|Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| The discovery process may remain active for an extended period of time, which could allow Invitations and connections to be established without the intent of the device owner. | Surface Hub only operates as the Group Owner (GO), which does not perform the client Discovery or GO negotiation process. Broadcast can be turned off by fully disabling wireless projection. |
| Invitation and discovery using PBC allows an unauthenticated attacker to perform repeated connection attempts or unauthenticated connections are automatically accepted. | By requiring WPS PIN security, Administrators can reduce the potential for such unauthorized connections or "Invitation bombs" (where invitations are repeatedly sent until a user mistakenly accepts one). |
**Wi-Fi Protected Setup (WPS) Push Button Connect (PBC) vs PIN Entry**: Public weaknesses have been demonstrated in WPS-PIN method design and implementation, other vulnerabilities exist within WPS-PBC involving active attacks against a protocol designed for one time use.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| WPS-PBC is vulnerable to active attackers. As stated within the WPS specification: "The PBC method has zero bits of entropy and only protects against passive eavesdropping attacks. PBC protects against eavesdropping attacks and takes measures to prevent a device from joining a network that was not selected by the device owner. The absence of authentication, however, means that PBC does not protect against active attack". Attackers can use selective wireless jamming or other potential denial-of-service vulnerabilities in order to trigger an unintended Wi-Fi Direct GO or connection. Additionally, an active attacker, with only physical proximity, can repeatedly teardown any Wi-Fi Direct group and attempt the described attack until it is successful. |Enable WPS-PIN security within Surface Hubs configuration. As discussed within the Wi-Fi WPS specification: "The PBC method should only be used if no PIN-capable Registrar is available and the WLAN user is willing to accept the risks associated with PBC". |
| WPS-PIN implementations can be brute-forced using a Vulnerability within the WPS standard. Due to the design of split PIN verification, a number of implementation vulnerabilities occurred in the past several years across a wide range of Wi-Fi hardware manufacturers. In 2011 two researchers (Stefan Viehböck and Craig Heffner) released information on this vulnerability and tools such as "Reaver" as a proof of concept. | The Microsoft implementation of WPS within Surface Hub changes the pin every 30 seconds. In order to crack the pin, an attacker must work through the entire exploit in less than 30 seconds. Given the current state of tools and research in this area, a brute-force pin-cracking attack through WPS is unlikely. |
| WPS-PIN can be cracked using an offline attack due to weak initial key (E-S1,E S2) entropy. In 2014, Dominique Bongard discussed a "Pixie Dust" attack where poor initial randomness for the pseudo random number generator (PRNG) within the wireless device lead to the ability to perform an offline brute-force attack. | The Microsoft implementation of WPS within Surface Hub is not susceptible to this offline PIN brute-force attack. The WPS-PIN is randomized for each connection. |
**Unintended exposure of network services**: Network daemons intended for Ethernet or WLAN services may be accidentally exposed due to misconfiguration (such as binding to “all”/0.0.0.0 interfaces), a poorly configured device firewall, or missing firewall rules altogether.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| Misconfiguration binds a vulnerable or unauthenticated network service to "all" interfaces, which includes the Wi-Fi Direct interface. This potentially exposes services not intended to be accessible to Wi-Fi Direct clients, which may be weakly or automatically authenticated. | Within Surface Hub, the default firewall rules only permit the required TCP and UDP network ports and by default deny all inbound connections. Strong authentication can be configured by enabling the WPS-PIN mode. |
**Bridging Wi-Fi Direct and other wired or wireless networks**: While network bridging between WLAN or Ethernet networks is a violation of the Wi-Fi Direct specification, such a bridge or misconfiguration may effectively lower or remove wireless access controls for the internal corporate network.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| Wi-Fi Direct devices could allow unauthenticated or poorly authenticated access to bridged network connections. This may allow Wi-Fi Direct networks to route traffic to internal Ethernet LAN or other infrastructure or enterprise WLAN networks in violation of existing IT security protocols. | Surface Hub cannot be configured to bridge Wireless interfaces or allow routing between disparate networks. The default firewall rules add defense in depth to any such routing or bridge connections. |
**The use of Wi-Fi Direct “legacy” mode**: Exposure to unintended networks or devices when operating in “legacy” mode may present a risk. Device spoofing or unintended connections could occur if WPS-PIN is not enabled.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| By supporting both Wi-Fi Direct and 802.11 infrastructure clients, the system is operating in a "legacy" support mode. This may expose the connection setup phase indefinitely, allowing for groups to be joined or devices invited to connect well after their intended setup phase terminates. | Surface Hub does not support Wi-Fi Direct legacy clients. Only Wi-Fi Direct connections can be made to Surface Hub even when WPS-PIN mode is enabled. |
**Wi-Fi Direct GO negotiation during connection setup**: The Group Owner within Wi-Fi Direct is analogous to the “Access Point” in a traditional 802.11 wireless network. The negotiation can be gamed by a malicious device.
|Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| If groups are dynamically established or if the Wi-Fi Direct device can be made to join new groups, the Group Owner (GO) negotiation can be won by a malicious device that always specifies the max Group Owner "intent" value of 15. (Unless such device is configured to always be a Group Owner, in which case the connection fails.) | Surface Hub takes advantage of Wi-Fi Direct "Autonomous mode", which skips the GO negotiation phase of the connection setup. Surface Hub is always the Group Owner. |
**Unintended or malicious Wi-Fi deauthentication**: Wi-Fi deauthentication is an age-old attack that can be used by a physically local attacker to expedite information leaks against the connection setup process, trigger new four-way handshakes, target Wi-Fi Direct WPS-PBC for active attack, or create denial-of-service attacks.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| Deauthentication packets can be sent by an unauthenticated attacker to cause the station to re-authenticate and sniff the resulting handshake. Cryptographic or brute-force attacks can be attempted on the resulting handshake. Mitigations for these attack include: enforcing length and complexity policies for pre-shared keys; configuring the Access Point (if applicable) to detect malicious levels of deauthentication packets; and using WPS to automatically generate strong keys. In PBC mode the user is interacting with a physical or virtual button to allow arbitrary device association. This process should happen only at setup within a small window, once the button is automatically "pushed", the device will accept any station associating via a canonical PIN value (all zeros). Deauthentication can force a repeated setup process. | The current Surface Hub design uses WPS in PIN or PBC mode. No PSK configuration is permitted, helping enforce the generation of strong keys. It is recommended to enable WPS-PIN. |
| Beyond denial-of-service attacks, deauthentication packets can also be used to trigger a reconnect which re-opens the window of opportunity for active attacks against WPS-PBC. | Enable WPS-PIN security within Surface Hubs configuration. |
**Basic wireless information disclosure**: Wireless networks, 802.11 or otherwise, are inherently sources of information disclosure. Although the information is largely connection or device metadata, it remains an accepted risk for any 802.11 administrator. Wi-Fi Direct with device authentication via WPS-PIN effectively reveals the same information as a PSK or Enterprise 802.11 network.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| During broadcast, connection setup, or even with already encrypted connections, basic information about the devices and packet sizes is wirelessly transmitted. At a basic level, a local attacker within wireless range can determine the names of wireless devices, the MAC addresses of communicating equipment, and possibly other details such as the version of the wireless stack, packet sizes, or the configured Access Point or Group Owner options by examining the relevant 802.11 Information Elements. | The Wi-Fi Direct network employed by Surface Hub cannot be further protected from metadata leaks, in the same way 802.11 Enterprise or PSK wireless networks also leak such metadata. Physical security and removing potential threats from the wireless proximity can be used to reduce any potential information leaks. |
**Wireless evil twin or spoofing attacks**: Spoofing the wireless name is a trivial and known exploit for a physically local attacker in order to lure unsuspecting or mistaken users to connect.
| Wi-Fi Direct Vulnerability | Surface Hub Mitigation |
| --- | --- |
| By spoofing or cloning the wireless name or "SSID" of the target network, an attacker may trick the user into connecting to fake malicious network. By supporting unauthenticated, auto-join Miracast an attacker could capture the intended display materials or attempt to perform network attacks on the connecting device. | While no specific protections against joining a spoofed Surface Hub are in place, this attack is partially mitigated in two ways. First, any potential attack must be physically within Wi-Fi range. Second, this attack is only possible during the very first connection. Subsequent connections use a persistent Wi-Fi Direct group and Windows will remember and prioritize this prior connection during future Hub use. (Note: Spoofing the MAC address, Wi-Fi channel and SSID simultaneously was not considered for this report and may result in inconsistent Wi-Fi behavior.) Overall this weakness is a fundamental problem for any 802.11 wireless network not using Enterprise WPA2 protocols such as EAP-TLS or EAP-PWD, which are not supported in Wi-Fi Direct. |
## Surface Hub hardening guidelines
Surface Hub is designed to facilitate collaboration and allow users to start or join meetings quickly and efficiently. As such, the default Wi-Fi Direct settings for Surface Hub are optimized for this scenario.
For users who require additional security around the wireless interface, we recommend Surface Hub users enable the WPS-PIN security setting. This disables WPS-PBC mode and offers client authentication, and provides the strongest level of protection by preventing any unauthorized connections to Surface Hub.
If concerns remain around authentication and authorization of a Surface Hub, we recommend users connect the device to a separate network, either Wi-Fi (such as a "guest" Wi-Fi network) or using separate Ethernet network (preferably an entirely different physical network, but a VLAN can also provide some added security). Of course, this approach may preclude connections to internal network resources or services, and may require additional network configurations to regain access.
Also recommended:
- [Install regular system updates.](manage-windows-updates-for-surface-hub.md)
- Update the Miracast settings to disable auto-present mode.
## Learn more
- [Wi-Fi Direct specifications](http://www.wi-fi.org/discover-wi-fi/wi-fi-direct)
- [Wireless Protected Setup (WPS) specification](http://www.wi-fi.org/discover-wi-fi/wi-fi-protected-setup)

3
windows/deploy/TOC.md
View File

@ -11,6 +11,9 @@
#### [Deploy Windows](upgrade-analytics-deploy-windows.md)
#### [Review site discovery](upgrade-analytics-review-site-discovery.md)
### [Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
## [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
#### [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)

BIN
windows/deploy/images/ISE.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 KiB

BIN
windows/deploy/images/PoC-big.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 95 KiB

BIN
windows/deploy/images/PoC.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 95 KiB

After

Width:  |  Height:  |  Size: 136 KiB

BIN
windows/deploy/images/deploy-finish.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/deploy/images/disk2vhd-convert.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
windows/deploy/images/disk2vhd-gen2.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
windows/deploy/images/disk2vhd.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/deploy/images/disk2vhd4.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/deploy/images/image.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/deploy/images/scanos.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

BIN
windows/deploy/images/sccm-asset.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 91 KiB

BIN
windows/deploy/images/sccm-assets.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 131 KiB

BIN
windows/deploy/images/sccm-client.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 97 KiB

BIN
windows/deploy/images/sccm-collection.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
windows/deploy/images/sccm-install-os.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
windows/deploy/images/sccm-post-refresh.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 385 KiB

BIN
windows/deploy/images/sccm-pxe.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
windows/deploy/images/sccm-site.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

BIN
windows/deploy/images/sccm-software-cntr.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

1
windows/deploy/index.md
View File

@ -17,6 +17,7 @@ Learn about deploying Windows 10 for IT professionals.
|------|------------|
|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
|[Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) |With Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. |
|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |

634
windows/deploy/windows-10-poc-mdt.md Normal file
View File

@ -0,0 +1,634 @@
---
title: Step by step - Deploy Windows 10 in a test lab using MDT
description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT)
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---
# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
**Applies to**
- Windows 10
**Important**: This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
>This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
## In this guide
This guide provides instructions to install and configure the Microsoft Deployment Toolkit (MDT) to deploy a Windows 10 image.
Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
<div style='font-size:9.0pt'>
<TABLE border=1 cellspacing=0 cellpadding=0>
<TR><TD BGCOLOR="#a0e4fa"><B>Topic</B><TD BGCOLOR="#a0e4fa"><B>Description</B><TD BGCOLOR="#a0e4fa"><B>Time</B>
<TR><TD>[About MDT](#about-mdt)<TD>A high-level overview of the Microsoft Deployment Toolkit (MDT).<TD>Informational
<TR><TD>[Install MDT](#install-mdt)<TD>Download and install MDT.<TD>40 minutes
<TR><TD>[Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)<TD>A reference image is created to serve as the template for deploying new images.<TD>90 minutes
<TR><TD>[Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)<TD>The reference image is deployed in the PoC environment.<TD>60 minutes
<TR><TD>[Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)<TD>Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.<TD>60 minutes
<TR><TD>[Replace a computer with Windows 10](#replace-a-computer-with-windows-10)<TD>Back up an existing client computer, then restore this backup to a new computer.<TD>60 minutes
<TR><TD>[Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)<TD>Log locations and troubleshooting hints.<TD>Informational
</TABLE>
</div>
## About MDT
MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
- LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
- ZTI is fully automated, requiring no user interaction and is performed using MDT and System Center Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and System Center Configuration Manager.
## Install MDT
1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
```
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
Stop-Process -Name Explorer
```
2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/en-us/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1607. Installation might require several minutes to acquire all components.
3. If desired, re-enable IE Enhanced Security Configuration:
```
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
Stop-Process -Name Explorer
```
## Create a deployment share and reference image
A reference image serves as the foundation for Windows 10 devices in your organization.
1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
```
Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
```
2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**.
5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
6. Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **C:\MDTBuildLab**<BR>
- Share name: **MDTBuildLab$**<BR>
- Deployment share description: **MDT build lab**<BR>
- Options: click **Next** to accept the default<BR>
- Summary: click **Next**<BR>
- Progress: settings will be applied<BR>
- Confirmation: click **Finish**
7. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**.
9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
10. Use the following settings for the Import Operating System Wizard:
- OS Type: **Full set of source files**<BR>
- Source: **D:\\** <BR>
- Destination: **W10Ent_x64**<BR>
- Summary: click **Next**
- Progress: wait for files to be copied
- Confirmation: click **Finish**
>For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic in the TechNet library.
11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**<BR>
- Task sequence name: **Windows 10 Enterprise x64 Default Image** <BR>
- Task sequence comments: **Reference Build**<BR>
- Template: **Standard Client Task Sequence**
- Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
- Specify Product Key: **Do not specify a product key at this time**
- Full Name: **Contoso**
- Organization: **Contoso**
- Internet Explorer home page: **http://www.contoso.com**
- Admin Password: **Do not specify an Administrator password at this time**
- Summary: click **Next**
- Confirmation: click **Finish**
12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**.
14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change.
15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**.
16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**.
17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
>Note: Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
18. Click **OK** to complete editing the task sequence.
19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab.
20. Replace the default rules with the following text:
```
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
UserDataLocation=NONE
DoCapture=YES
OSInstall=Y
AdminPassword=pass@word1
TimeZoneName=Pacific Standard Time
OSDComputername=#Left("PC-%SerialNumber%",7)#
JoinWorkgroup=WORKGROUP
HideShell=YES
FinishAction=SHUTDOWN
DoNotCreateExtraPartition=YES
ApplyGPOPack=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=NO
```
21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
```
[Settings]
Priority=Default
[Default]
DeployRoot=\\SRV1\MDTBuildLab$
UserDomain=CONTOSO
UserID=MDT_BA
UserPassword=pass@word1
SkipBDDWelcome=YES
```
22. Click **OK** to complete the configuration of the deployment share.
23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**.
24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice. The update process will take 5 to 10 minutes. When it has completed, click **Finish**.
25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
>Hint: To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
<div style='font-size:8.0pt'>
<pre style="overflow-y: visible">
New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
Set-VMDvdDrive REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
Start-VM REFW10X64-001
vmconnect localhost REFW10X64-001
</pre>
</div>
The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
- Install the Windows 10 Enterprise operating system.
- Install added applications, roles, and features.
- Update the operating system using Windows Update (or WSUS if optionally specified).
- Stage Windows PE on the local disk.
- Run System Preparation (Sysprep) and reboot into Windows PE.
- Capture the installation to a Windows Imaging (WIM) file.
- Turn off the virtual machine.<BR><BR>
This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**.
## Deploy a Windows 10 image using MDT
This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
- **Deployment share path**: C:\MDTProd
- **Share name**: MDTProd$
- **Deployment share description**: MDT Production
- **Options**: accept the default
2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**.
3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values.
4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
5. On the **OS Type** page, choose **Custom image file** and then click **Next**.
6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**.
7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**.
9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**.
10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example:
![custom image](images/image.png)
### Create the deployment task sequence
1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**.
2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: W10-X64-001
- Task sequence name: Windows 10 Enterprise x64 Custom Image
- Task sequence comments: Production Image
- Select Template: Standard Client Task Sequence
- Select OS: Windows 10 Enterprise x64 Custom Image
- Specify Product Key: Do not specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
- Internet Explorer home page: http://www.contoso.com
- Admin Password: pass@word1
### Configure the MDT production deployment share
1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
```
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
```
2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**.
3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet):
```
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
OSInstall=YES
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
OSDComputername=#Left("PC-%SerialNumber%",7)#
AdminPassword=pass@word1
JoinDomain=contoso.com
DomainAdmin=administrator
DomainAdminDomain=CONTOSO
DomainAdminPassword=pass@word1
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
USMTMigFiles001=MigApp.xml
USMTMigFiles002=MigUser.xml
HideShell=YES
ApplyGPOPack=NO
SkipAppsOnUpgrade=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=NO
SkipBitLocker=YES
SkipSummary=YES
SkipCapture=YES
SkipFinalSummary=NO
EventService=http://SRV1:9800
```
**Note**: The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini.
>In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified.
If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui):
```
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
```
For example, to migrate **all** users on the computer, replace this line with the following:
```
ScanStateArgs=/all
```
For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx).
4. Click **Edit Bootstap.ini** and replace text in the file with the following text:
```
[Settings]
Priority=Default
[Default]
DeployRoot=\\SRV1\MDTProd$
UserDomain=CONTOSO
UserID=MDT_BA
UserPassword=pass@word1
SkipBDDWelcome=YES
```
5. Click **OK** when finished.
### Update the deployment share
1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete.
3. Click **Finish** when the update is complete.
### Enable deployment monitoring
1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**.
2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/).
4. Close Internet Explorer.
### Configure Windows Deployment Services
1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
```
WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
WDSUTIL /Set-Server /AnswerClients:All
```
2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**.
3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**.
4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image.
### Deploy the client image
1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway.
>**Note**: Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command:
```
Disable-NetAdapter "Ethernet 2" -Confirm:$false
```
2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
```
New-VM Name "PC2" NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
```
>Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle.
3. Start the new VM and connect to it:
```
Start-VM PC2
vmconnect localhost PC2
```
4. When prompted, hit ENTER to start the network boot process.
5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command:
```
Enable-NetAdapter "Ethernet 2"
```
7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed.
8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator.
![finish](images/deploy-finish.png)
This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
## Refresh a computer with Windows 10
This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
If the PC1 VM is not already running, then start and connect to it:
```
Start-VM PC1
vmconnect localhost PC1
```
1. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Checkpoint-VM -Name PC1 -SnapshotName BeginState
```
2. Sign on to PC1 using the CONTOSO\Administrator account.
>Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
3. Open an elevated command prompt on PC1 and type the following:
```
cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
**Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer.
4. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
5. Choose **Do not back up the existing computer** and click **Next**.
**Note**: The USMT will still back up the computer.
6. Lite Touch Installation will perform the following actions:
- Back up user settings and data using USMT.
- Install the Windows 10 Enterprise X64 operating system.
- Update the operating system via Windows Update.
- Restore user settings and data using USMT.
You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings.
7. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
8. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Checkpoint-VM -Name PC1 -SnapshotName RefreshState
```
9. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
Start-VM PC1
vmconnect localhost PC1
```
10. Sign in to PC1 using the contoso\administrator account.
## Replace a computer with Windows 10
At a high level, the computer replace process consists of:<BR>
- A special replace task sequence that runs the USMT backup and an optional full Window Imaging (WIM) backup.<BR>
- A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
### Create a backup-only task sequence
1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share.
3. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
```
New-Item -Path C:\MigData -ItemType directory
New-SmbShare -Name MigData$ -Path C:\MigData -ChangeAccess EVERYONE
icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)'
```
4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**.
5. Name the new folder **Other**, and complete the wizard using default options.
6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard:
- **Task sequence ID**: REPLACE-001
- **Task sequence name**: Backup Only Task Sequence
- **Task sequence comments**: Run USMT to back up user data and settings
- **Template**: Standard Client Replace Task Sequence (note: this is not the default template)
7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings.
8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence.
### Run the backup-only task sequence
1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt:
```
whoami
```
2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1:
```
Remove-Item c:\minint -recurse
Remove-Item c:\_SMSTaskSequence -recurse
Restart-Computer
```
2. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt:
```
cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
3. Complete the deployment wizard using the following:
- **Task Sequence**: Backup Only Task Sequence
- **User Data**: Specify a location: **\\SRV1\MigData$\PC1**
- **Computer Backup**: Do not back up the existing computer.
4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.
5. Verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete.
6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
```
PS C:\> dir C:\MigData\PC1\USMT
Directory: C:\MigData\PC1\USMT
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 9/6/2016 11:34 AM 14248685 USMT.MIG
```
### Deploy PC3
1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt:
```
New-VM Name "PC3" NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
```
2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1:
```
Disable-NetAdapter "Ethernet 2" -Confirm:$false
```
3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Start-VM PC3
vmconnect localhost PC3
```
4. When prompted, press ENTER for network boot.
6. On PC3, ue the following settings for the Windows Deployment Wizard:
- **Task Sequence**: Windows 10 Enterprise x64 Custom Image
- **Move Data and Settings**: Do not move user data and settings
- **User Data (Restore)**: Specify a location: **\\SRV1\MigData$\PC1**
5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
```
Enable-NetAdapter "Ethernet 2"
```
7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1.
8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**.
9. Verify that settings have been migrated from PC1, and then shut down PC3 in preparation for the next procedure.
## Troubleshooting logs, events, and utilities
Deployment logs are available on the client computer in the following locations:
- Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
- After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
- After deployment: %WINDIR%\TEMP\DeploymentLogs
You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**.
Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012)
Also see [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information.
## Related Topics
[Microsoft Deployment Toolkit](https://technet.microsoft.com/en-US/windows/dn475741)<BR>
[Prepare for deployment with MDT 2013](prepare-for-windows-deployment-with-mdt-2013.md)
 

1040
windows/deploy/windows-10-poc-sc-config-mgr.md Normal file
View File

File diff suppressed because it is too large Load Diff

1074
windows/deploy/windows-10-poc.md Normal file
View File

File diff suppressed because it is too large Load Diff

2
windows/keep-secure/bitlocker-countermeasures.md
View File

@ -53,7 +53,7 @@ Using the digital signature, UEFI verifies that the bootloader was signed using
If the bootloader passes these two tests, UEFI knows that the bootloader isnt a bootkit and starts it. At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files havent been changed.
All Windows 8certified devices must meet several requirements related to UEFI-based Secure Boot:
Starting with Windows 8, certified devices must meet several requirements related to UEFI-based Secure Boot:
- They must have Secure Boot enabled by default.
- They must trust Microsofts certificate (and thus any bootloader Microsoft has signed).

48
windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
View File

@ -24,7 +24,7 @@ localizationpriority: high
You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
1. Login to the [Azure management portal](https://manage.windowsazure.com).
1. Login to the [Azure management portal](https://ms.portal.azure.com).
2. Select **Active Directory**.
@ -53,14 +53,12 @@ You need to add an application in your Azure Active Directory (AAD) tenant then
13. Click **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory.
14. Open a web browser and connect to the following URL: <br>
```text
https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=<tenant ID>&clientSecret=1234
```
An Azure login page appears.
> [!NOTE]
> - Replace *tenant ID* with your actual tenant ID.
> - Keep the client secret as is. This is a dummy value, but the parameter must appear.
14. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=<tenant ID>&clientSecret=1234`<br>
An Azure login page appears.
> [!NOTE]
> - Replace *tenant ID* with your actual tenant ID.
> - Keep the *clientSecret* as is. This is a dummy value, but the parameter must appear.
15. Sign in with the credentials of a user from your tenant.
@ -80,7 +78,37 @@ An Azure login page appears.
23. Save the application changes.
After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use.
After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM.
## Obtain a refresh token using an events URL
Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token.
>[!NOTE]
>For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md).
### Before you begin
Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- OAuth 2 Client ID
- OAuth 2 Client secret
You'll use these values to obtain a refresh token.
>[!IMPORTANT]
>Before using the OAuth 2 Client secret described in the next steps, you **must** encode it. Use a URL encoder to transform the OAuth 2 client secret.
### Obtain a refresh token
1. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=<client ID>&tenantId=<tenant ID>&clientSecret=<client secret>`
>[!NOTE]
>- Replace the *client ID* value with the one you got from your AAD application.
>- Replace *tenant ID* with your actual tenant ID.
>- Replace *client secret* with your encoded client secret. The client secret **must** be pasted encoded.
2. Click **Accept**. When you authenticate, a web page opens with your refresh token.
3. Save the refresh token which you'll find it the `<RefreshToken></RefreshToken>`value. You'll need this value when configuring your SIEM tool.
After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool.
## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)

39
windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
View File

@ -25,26 +25,36 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP
## Before you begin
- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
- Create your OAUth 2 Client properties file or get it from your Windows Defender ATP contact. For more information, see the ArcSight FlexConnector Developer's guide.
- Download the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file and update the following values:
> [!NOTE]
> **For the authorization URL**: Append the following to the value you got from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com``` <br>
> **For the redirect_uri value use**: ```https://localhost:44300/wdatpconnector```
>
- Get the *wdatp-connector.properties* file from your Windows Defender ATP contact. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet.
- Contact the Windows Defender ATP team to get your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in the ArcSight FlexConnector Developer's guide.
- **client_ID**: OAuth 2 Client ID
- **client_secret**: OAuth 2 Client secret
- **auth_url**: ```https://login.microsoftonline.com/<tenantID>?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ```
>!NOTE
>Replace *tenantID* with your tenant ID.
- **token_url**: `https://login.microsoftonline.com/<tenantID>/oauth2/token`
>!NOTE
>Replace the *tenantID* value with your tenant ID.
- **redirect_uri**: ```https://localhost:44300/wdatpconnector```
- **scope**: Leave the value blank
- Download the [WDATP-connector.jsonparser.properties](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
- Install the HP ArcSight REST FlexConnector package. You can find this in the HPE Software center. Install the package on a server that has access to the Internet.
## Configure HP ArcSight
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). For more information, see the ArcSight FlexConnector Developer's guide.
1. Copy the *wdatp-connector.jsonparser.properties* file into the `<root>\current\user\agent\flexagent` folder of the connector installation folder.
1. Save the [WDATP-connector.jsonparser.properties file](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file into the connector installation folder. The
2. Save the *wdatp-connector.properties* file into a folder of your choosing.
2. Save the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file into the `<root>\current\user\agent\flexagent` folder of the connector installation folder.
3. Open an elevated command-line:
@ -69,7 +79,7 @@ The following steps assume that you have completed all the required steps in [Be
<td>Type in the name of the client property file. It must match the client property file.</td>
</tr>
<td>Events URL</td>
<td>`https://DataAccess-PRD.trafficmanager.net:444/api/alerts`</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts </br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts</td>
<tr>
<td>Authentication Type</td>
<td>OAuth 2</td>
@ -78,7 +88,8 @@ The following steps assume that you have completed all the required steps in [Be
<td>Select *wdatp-connector.properties*.</td>
<tr>
<td>Refresh Token</td>
<td>Paste the refresh token that your Windows Defender ATP contact provided, or run the `restutil` tool to get it.</td>
<td>You can use the Windows Defender ATP events URL or the restutil tool to get obtain a refresh token. <br> For more information on getting your refresh token using the events URL, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). </br> </br>**To get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\<descriptive_name>\current\bin`. </br></br> b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`. A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Paste the value in the form.
</td>
</tr>
</tr>
</table>

9
windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
View File

@ -25,9 +25,9 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk
- Contact the Windows Defender ATP team to get your refresh token
- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
- Obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token).
- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
@ -56,7 +56,8 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
</tr>
<tr>
<td>Endpoint URL</td>
<td> https://<i></i>DataAccess-PRD.trafficmanager.net:444/api/alerts</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts </br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
</tr>
<tr>
<td>HTTP Method</td>

BIN
windows/keep-secure/images/atp-refresh-token.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 224 KiB