This command is selected by default.| - |**Load Noise Filter File**|Opens the **Open Noise Filter File** dialog box, in which you can load an existing noise filter (.xml) file.| - |**Export Noise Filter File**|Opens the **Save Noise Filter File** dialog box, in which you can save filter settings as a noise filter (.xml) file.| - |**Only Display Records with Application Name in StackTrace**|Filters out records that do not have the application name in the stack trace.
However, because the SUA tool captures only the first 32 stack frames, this command can also filter out real issues with the application where the call stack is deeper than 32 frames.| - |**Show More Details in StackTrace**|Shows additional stack frames that are related to the SUA tool, but not related to the diagnosed application.| - |**Warn Before Deleting AppVerifier Logs**|Displays a warning message before the SUA tool deletes all of the existing SUA-related log files on the computer.
This command is selected by default.| - |**Logging**|Provides the following logging-related options:
To maintain a manageable file size, we recommend that you do not select the option to show informational messages.| - - diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md deleted file mode 100644 index 1b714e4247..0000000000 --- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md +++ /dev/null @@ -1,76 +0,0 @@ ---- -title: Available Data Types and Operators in Compatibility Administrator (Windows 10) -description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Available Data Types and Operators in Compatibility Administrator - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool provides a way to query your custom-compatibility databases. - -## Available Data Types - -Customized-compatibility databases in Compatibility Administrator contain the following data types. - -- **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value. - -- **String**. A series of alphanumeric characters manipulated as a group. - -- **Boolean**. A value of True or False. - -## Available Attributes - -The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator. - -|Attribute|Description|Data type| -|--- |--- |--- | -|APP_NAME|Name of the application.|String| -|DATABASE_GUID|Unique ID for your compatibility database.|String| -|DATABASE_INSTALLED|Specifies if you have installed the database.|Boolean| -|DATABASE_NAME|Descriptive name of your database.|String| -|DATABASE_PATH|Location of the database on your computer.|String| -|FIX_COUNT|Number of compatibility fixes applied to a specific application.|Integer| -|FIX_NAME|Name of your compatibility fix.|String| -|MATCH_COUNT|Number of matching files for a specific, fixed application.|Integer| -|MATCHFILE_NAME|Name of a matching file used to identify a specific, fixed application.|String| -|MODE_COUNT|Number of compatibility modes applied to a specific, fixed application.|Integer| -|MODE_NAME|Name of your compatibility mode.|String| -|PROGRAM_APPHELPTYPE|Type of AppHelp message applied to an entry. The value can be 1 or 2, where 1 enables the program to run and 2 blocks the program.|Integer| -|PROGRAM_DISABLED|Specifies if you disabled the compatibility fix for an application. If True, Compatibility Administrator does not apply the fixes to the application.|Boolean| -|PROGRAM_GUID|Unique ID for an application.|String| -|PROGRAM_NAME|Name of the application that you are fixing.|String| - -## Available Operators - -The following table shows the operators that you can use for querying your customized-compatibility databases in the Compatibility Administrator. - -|Symbol|Description|Data type|Precedence| -|--- |--- |--- |--- | -|>|Greater than|Integer or string|1| -|>=|Greater than or equal to|Integer or string|1| -|<|Less than|Integer or string|1| -|<=|Less than or equal to|Integer or string|1| -|<>|Not equal to|Integer or string|1| -|=|Equal to|Integer, string, or Boolean|1| -|HAS|A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.|Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME
The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the **\Device\Physical** memory information.| -|BlockRunasInteractiveUser|This problem occurs when **InstallShield** creates installers and uninstallers that fail to complete and that generate error messages or warnings.
The fix blocks **InstallShield** from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights.
The fix intercepts the **SHGetFolder**path request to the common **appdata** file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.| -|ClearLastErrorStatusonIntializeCriticalSection|This fix is indicated when an application fails to start.
The fix modifies the InitializeCriticalSection function call so that it checks the NTSTATUS error code, and then sets the last error to ERROR_SUCCESS.| -|CopyHKCUSettingsFromOtherUsers|This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.
The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area.
You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: Software\MyCompany\Key1^Software\MyCompany\Key2.
The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.| -|CorrectFilePaths|This problem occurs when:
The fix modifies the file path names to point to a new location on the hard disk.
The fix corrects the file paths that are used by the uninstallation process of an application.
The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.
You can control this fix further by typing the following command at the command prompt:
`DLL_Name;Flag_Type;Hexidecimal_Value`
Where the DLL_Name is the name of the specific DLL, including the file extension. Flag_Type is KERNEL, USER, or PROCESS, and a Hexidecimal_Value, starting with 0x and up to 64 bits long.
The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.
You can control this fix further by typing the following command at the command prompt:
`Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2` where:
The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.
You can control this fix further by typing the following command at the command prompt:
`MAJORVERSION.MINORVERSION.LETTER`
For example, 9.0.c.| -|DetectorDWM8And16Bit|This fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes aren't supported in Windows 8 .| -|Disable8And16BitD3D|This fix improves performance of 8/16-bit color applications that render using D3D and don't mix direct draw.| -|Disable8And16BitModes|This fix disables 8/16-bit color mitigation and enumeration of 8/16-bit color modes.| -|DisableDWM|The problem occurs when some objects aren't drawn or object artifacts remain on the screen in an application.
The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.
The fix disables the fade animations functionality for unsupported applications.| -|DisableThemeMenus|The problem occurs when an application behaves unpredictably when it tries to detect and use the correct Windows settings.
The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.| -|DisableWindowsDefender|The fix disables Windows Defender for security applications that don't work with Windows Defender.| -|DWM8And16BitMitigation|The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes aren't supported in Windows 8.| -|DXGICompat|The fix allows application-specific compatibility instructions to be passed to the DirectX engine.| -|DXMaximizedWindowedMode|Applications that use DX8/9 are run in a maximized windowed mode. This is required for applications that use GDI/DirectDraw in addition to Direct3D.| -|ElevateCreateProcess|The problem is indicated when:
The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code is returned unchanged.
The fix exchanges the PathIsUNC function to return a value of True for UNC paths in Windows.| -|EmulateGetDiskFreeSpace|The problem is indicated when an application fails to install or to run. An error message is generated that there isn't enough free disk space to install or use the application. The error message occurs even though there's enough free disk space to meet the application requirements.
The fix determines the amount of free space. If the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB. However, if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual-free space amount.
The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table.
The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.
The fix invokes the AddRef() method on the Desktop folder, which the SHGetDesktopFolder function returns, to counteract the problem.| -|FailObsoleteShellAPIs|The problem occurs when an application fails because it generated deprecated API calls.
The fix either fully implements the obsolete functions or implements the obsolete functions with stubs that fail.
This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command line. Only a single path is supported. The path can contain environment variables, but must be an exact path - no partial paths are supported.
The fix resolves an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.| -|FakeLunaTheme|The problem occurs when a theme application doesn't properly display: the colors are washed out or the user interface isn't detailed.
The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme (Luna).
The fix enables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.| -|FontMigration|The fix replaces an application-requested font with a better font selection, to avoid text truncation.| -|ForceAdminAccess|The problem occurs when an application fails to function during an explicit administrator check.
The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check.
The fix exchanges GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly formed file path when it tries to retrieve the drive type on which the file path exists.| -|GlobalMemoryStatusLie|The problem occurs when a Computer memory full error message that displays when you start an application.
The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.| -|HandleBadPtr|The problem occurs when an access violation error message that displays because an API is performing pointer validation before it uses a parameter.
The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the more parameter validation.| -|HandleMarkedContentNotIndexed|The problem occurs when an application that fails when it changes an attribute on a file or directory.
The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory. The fix then resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.| -|HeapClearAllocation|The problem is indicated when the allocation process shuts down unexpectedly.
The fix uses zeros to clear out the heap allocation for an application.| -|IgnoreAltTab|The problem occurs when an application fails to function when special key combinations are used.
The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks.
The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW, and FindFirstFileA APIs to prevent them from returning directory junctions.
The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.
You can control this fix further by typing the following command at the command prompt:
`Exception1;Exception2`
Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.
**Important:** You should use this compatibility fix only if you're certain that it's acceptable to ignore the exception. You might experience more compatibility issues if you choose to incorrectly ignore an exception.
Before the C runtime library supported floating point SSE2, it ignored the rounding control request and used the round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.| -|IgnoreFontQuality|The problem occurs when application text appears to be distorted.
The fix enables color-keyed fonts to properly work with anti-aliasing.| -|IgnoreMessageBox|The problem occurs when a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.
The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.
The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system anytime that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix ignores the registered MSOXMLMF and fails the CoGetClassObject for its CLSID.| -|IgnoreSetROP2|The fix ignores read-modify-write operations on the desktop to avoid performance issues.| -|InstallComponent|The fix prompts the user to install.Net 3.5 or .NET 2.0 because .NET isn't included with Windows 8.| -|LoadLibraryRedirect|The fix forces an application to load system versions of libraries instead of loading redistributable versions that shipped with the application.| -|LocalMappedObject|The problem occurs when an application unsuccessfully tries to create an object in the Global namespace.
The fix intercepts the function call to create the object and replaces the word Global with Local.
The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installationenabling the uninstallation to occur later.
The fix forces the CopyFile APIs to run instead of the MoveFile APIs. CopyFile APIs avoid moving the security descriptor, which enables the application files to get the default descriptor of the destination folder and prevents the security access issue.| -|OpenDirectoryAcl|The problem occurs when an error message that states that you don't have the appropriate permissions to access the application.
The fix reduces the security privilege levels on a specified set of files and folders.
The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it's the only instance running.
The fix sets the _PROCESS_HISTORY environment variable so that child processes can look in the parent directory for matching information while searching for application fixes.| -|ProtectedAdminCheck|The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.
The fix addresses the issues that occur when applications use non-standard Administrator checks. This issue can result in false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but the SID is set as deny-only.| -|RedirectCRTTempFile|The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume. The fix instead redirects the calls to a temporary file in the user's temporary directory.| -|RedirectHKCUKeys|The problem occurs when an application can't be accessed because of User Account Control (UAC) restrictions.
The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.| -|RedirectMP3Codec|This problem occurs when you can't play MP3 files.
The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.| -|RedirectShortcut|The problem occurs when an application's shortcut can't be accessed, or the application uninstallation process doesn't remove application shortcuts.
The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.
Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.
Desktop or Quick Launch shortcuts: You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.
This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user can't access the shortcuts.
You can't apply this fix to an .exe file that includes a manifest and provides a run level.| -|RelaunchElevated|The problem occurs when installers, uninstallers, or updaters fail when they're started from a host application.
The fix enables a child .exe file to run with elevated privileges when it's difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.
The fix retries the call and requests a more restricted set of rights that include the following items:
The fix retries the OpenService() API call and verifies that the user has Administrator rights, isn't a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this fix to work
The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest.
The fix enables the application to run by using the highest available permissions. This fix is the equivalent of specifying highestAvailable in an application manifest.
The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This fix is the equivalent of specifying asInvoker in an application manifest.
At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.
**Important:** Users can't sign in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.
You can control this fix further by typing the following command at the command prompt:`Client;Protocol;App`
Where the Client is the name of the email protocol, Protocol is mailto, and App is the name of the application.
The fix disables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.| -|SharePointDesigner2007|The fix resolves an application bug that severely slows the application when it runs in DWM.| -|ShimViaEAT|The problem occurs when an application fails, even after applying a compatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.
The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.
The fix intercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.| -|SierraWirelessHideCDROM|The fix repairs the Sierra Wireless Driver installation preventing bugcheck.| -|Sonique2|The application uses an invalid window style, which breaks in DWM. This fix replaces the window style with a valid value.| -|SpecificInstaller|The problem occurs when the GenericInstaller function fails to pick up an application installation file.
The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation.
The fix flags the application to exclude it from detection by the GenericInstaller function.
The fix enables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.
You can control this fix further by typing the following command at the command prompt:
`MessageString1 MessageString2`
Where MessageString1 and MessageString2 reflect the message strings that can pass.
The fix enables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.
You can control this fix further by typing the following command at the command prompt:
`1055 1056 1069`
Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.
The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.
For more detailed information about this application fix, see [Using the VirtualRegistry Fix](/previous-versions/windows/it-pro/windows-7/cc749368(v=ws.10)).| -|VirtualizeDeleteFile|The problem occurs when several error messages display and the application can't delete files.
The fix makes the application's DeleteFile function call a virtual call to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.
The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This fix operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.
HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application isn't elevated and is ignored if the application is elevated.
You typically use this compatibility fix with the VirtualizeRegisterTypeLib fix.
For more detailed information about this application fix, see [Using the VirtualizeHKCRLite Fix](/previous-versions/windows/it-pro/windows-7/dd638327(v=ws.10)).|
-|VirtualizeRegisterTypeLib|The fix when used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This fix functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.
The fix enables the application to ignore the format error and continue to function properly.| -|WerDisableReportException|The fix turns off the silent reporting of exceptions, including those exceptions reported by Object Linking and Embedding-Database (OLE DB), to the Windows Error Reporting tool. The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.| -|Win7RTM/Win8RTM|The layer provides the application with Windows 7/Windows 8 compatibility mode.| -|WinxxRTMVersionLie|The problem occurs when an application fails because it doesn't find the correct version number for the required Windows operating system.
All version lie compatibility fixes address the issue whereby an application fails to function because it's checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.| -|Wing32SystoSys32|The problem occurs when an error message that states that the WinG library wasn't properly installed.
The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.
**Important:** The application must have Administrator privileges for this fix to work.| -|WinSrv08R2RTM|| -|WinXPSP2VersionLie|The problem occurs when an application experiences issues because of a VB runtime DLL.
The fix forces the application to follow these steps:
The fix skips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.
You can control this fix further by typing the following command at the command prompt:
`Component1.dll;Component2.dll`
Where Component1.dll and Component2.dll reflect the components to be skipped.
The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue.
The fix verifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.| -|XPAfxIsValidAddress|The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.| - -## Compatibility Modes - -The following table lists the known compatibility modes. - -|Compatibility Mode Name|Description|Included Compatibility Fixes| -|--- |--- |--- | -|WinSrv03|Emulates the Windows Server 2003 operating system.|
This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using **Programs and Features** in Control Panel.| - |**Export Mitigations as Windows Installer file**|Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.| \ No newline at end of file diff --git a/windows/deployment/planning/images/dep-win8-l-act-appcallosthroughiat.jpg b/windows/deployment/planning/images/dep-win8-l-act-appcallosthroughiat.jpg deleted file mode 100644 index 2ab0b3c13d..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-appcallosthroughiat.jpg and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-l-act-appredirectwithcompatfix.jpg b/windows/deployment/planning/images/dep-win8-l-act-appredirectwithcompatfix.jpg deleted file mode 100644 index a4a4f4f616..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-appredirectwithcompatfix.jpg and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-l-act-compatadminflowchart.jpg b/windows/deployment/planning/images/dep-win8-l-act-compatadminflowchart.jpg deleted file mode 100644 index a6b484d53c..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-compatadminflowchart.jpg and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-l-act-suaflowchart.jpg b/windows/deployment/planning/images/dep-win8-l-act-suaflowchart.jpg deleted file mode 100644 index 07865c7c75..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-suaflowchart.jpg and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-l-act-suawizardflowchart.jpg b/windows/deployment/planning/images/dep-win8-l-act-suawizardflowchart.jpg deleted file mode 100644 index 9357e6f3bb..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-suawizardflowchart.jpg and /dev/null differ diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md deleted file mode 100644 index e7265156ef..0000000000 --- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md +++ /dev/null @@ -1,63 +0,0 @@ ---- -title: Install/Uninstall Custom Databases (Windows 10) -description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers. - -By default, the Windows® operating system installs a System Application Fix database for use with the Compatibility Administrator. This database can be updated through Windows Update, and is stored in the %WINDIR% \\AppPatch directory. Your custom databases are automatically stored in the %WINDIR% \\AppPatch\\Custom directory and are installed by using the Sdbinst.exe tool provided with the Compatibility Administrator. - -> [!IMPORTANT] -> Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications. - -In addition, you must deploy your databases to your organization's computers before the included fixes will have any effect on the application issue. For more information about deploying your database, see [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md). - - - -## Installing a Custom Database - - -Installing your custom-compatibility database enables you to fix issues with your installed applications. - -**To install a custom database** - -1. In the left-side pane of Compatibility Administrator, click the custom database to install to your local computers. - -2. On the **File** menu, click **Install**. - - The Compatibility Administrator installs the database, which appears in the **Installed Databases** list. - - The relationship between your database file and an included application occurs in the registry. Every time you start an application, the operating system checks the registry for compatibility-fix information and, if found, retrieves the information from your customized database file. - -## Uninstalling a Custom Database - - -When a custom database is no longer necessary, either because the applications are no longer used or because the vendor has provided a fix that resolves the compatibility issues, you can uninstall the custom database. - -**To uninstall a custom database** - -1. In the **Installed Databases** list, which appears in the left-side pane of Compatibility Administrator, click the database to uninstall from your local computers. - -2. On the **File** menu, click **Uninstall**. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md deleted file mode 100644 index 6f9d7dae92..0000000000 --- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ /dev/null @@ -1,38 +0,0 @@ ---- -title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10) -description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Managing Application-Compatibility Fixes and Custom Fix Databases - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. - -## In this section - -|Topic|Description| -|--- |--- | -|[Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md)|As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.| -|[Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md)|After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches:| -|[Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)|This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.| - -## Related topics - -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - -[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md deleted file mode 100644 index a65742c0f2..0000000000 --- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md +++ /dev/null @@ -1,60 +0,0 @@ ---- -title: Searching for Fixed Applications in Compatibility Administrator (Windows 10) -description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Searching for Fixed Applications in Compatibility Administrator - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application. - -The **Query Compatibility Databases** tool provides additional search options. For more information, see [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md). - -## Searching for Previously Applied Compatibility Fixes - -> [!IMPORTANT] -> You must perform your search with the correct version of the Compatibility Administrator tool. If you are searching for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. If you are searching for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. - -**To search for previous fixes** - -1. On the Compatibility Administrator toolbar, click **Search**. - -2. Click **Browse** to locate the directory location to search for .exe files. - -3. Select at least one check box from **Entries with Compatibility Fixes**, **Entries with Compatibility Modes**, or **Entries with AppHelp**. - -4. Click **Find Now**. - - The query runs, returning your results in the lower pane. - -## Viewing Your Query Results - -Your query results display the affected files, the application location, the application name, the type of compatibility fix, and the custom database that provided the fix. - -## Exporting Your Query Results - -You can export your search results to a text (.txt) file for later review or archival. - -**To export your search results** - -1. In the **Search for Fixes** dialog box, click **Export**. - -2. Browse to the location where you want to store your search result file, and then click **Save**. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) \ No newline at end of file diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md deleted file mode 100644 index c7cd8de1b8..0000000000 --- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md +++ /dev/null @@ -1,143 +0,0 @@ ---- -title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10) -description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.topic: conceptual -ms.subservice: itpro-deploy -ms.date: 10/28/2022 ---- - -# Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. - -For information about the Search feature, see [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md). However, the Query tool provides more detailed search criteria, including tabs that enable you to search the program properties, the compatibility fix properties, and the fix description. You can perform a search by using SQL SELECT and WHERE clauses, in addition to searching specific types of databases. - -> [!IMPORTANT] -> You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. - -## Querying by Using the Program Properties Tab - -You can use the **Program Properties** tab of the Query tool to search for any compatibility fix, compatibility mode, or AppHelp for a specific application. - -**To query by using the Program Properties tab** - -1. On the Compatibility Administrator toolbar, click **Query**. -2. In the **Look in** drop-down list, select the appropriate database type to search. -3. Type the location of the application you are searching for into the **Search for the Application** field. - - This name should be the same as the name in the **Applications** area (left pane) of Compatibility Administrator. - -4. Type the application executable (.exe) file name into the **Search for the File** box. If you leave this box blank, the percent (%) sign appears as a wildcard to search for any file. - - You must designate the executable name that was given when the compatibility fix was added to the database. - -5. Optionally, select the check box for one of the following types of compatibility fix: - - - **Compatibility Modes** - - **Compatibility Fixes** - - **Application Helps** - - > [!IMPORTANT] - > If you do not select any of the check boxes, the search will look for all types of compatibility fixes. Do not select multiple check boxes because only applications that match all of the requirements will appear. - -6. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Querying by Using the Fix Properties Tab - - -You can use the **Fix Properties** tab of the Query tool to search for any application affected by a specific compatibility fix or a compatibility mode. For example, you can search for any application affected by the ProfilesSetup compatibility mode. - -**To query by using the Fix Properties tab** - -1. On the Compatibility Administrator toolbar, click **Query**. -2. Click the **Fix Properties** tab. -3. In the **Look in** drop-down list, select the appropriate database type to search. -4. Type the name of the compatibility fix or compatibility mode into the **Search for programs fixed using** field. - - >[!NOTE] - >You can use the percent (%) symbol as a wildcard in your fix-properties query, as a substitute for any string of zero or more characters - -5. Select the check box for either **Search in Compatibility Fixes** or **Search in Compatibility Modes**. - - >[!IMPORTANT] - >Your text must match the type of compatibility fix or mode for which you are performing the query. For example, entering the name of a compatibility fix and selecting the compatibility mode check box will not return any results. Additionally, if you select both check boxes, the query will search for the fix by compatibility mode and compatibility fix. Only applications that match both requirements appear. - -6. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Querying by Using the Fix Description Tab - -You can use the **Fix Description** tab of the Query tool to add parameters that enable you to search your compatibility databases by application title or solution description text. - -**To query by using the Fix Description tab** - -1. On the Compatibility Administrator toolbar, click **Query**. -2. Click the **Fix Description** tab. -3. In the **Look in** drop-down list, select the appropriate database type to search. -4. Type your search keywords into the box **Words to look for**. Use commas to separate multiple keywords. - - >[!IMPORTANT] - >You cannot use wildcards as part of the Fix Description search query because the default behavior is to search for any entry that meets your search criteria. - -5. Refine your search by selecting **Match any word** or **Match all words** from the drop-down list. -6. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Querying by Using the Advanced Tab - -You can use the **Fix Description** tab of the Query tool to add additional SQL Server SELECT and WHERE clauses to your search criteria. - -**To query by using the Advanced tab** - -1. On the Compatibility Administrator toolbar, click **Query**. -2. Click the **Advanced** tab. -3. In the **Look in** drop-down list, select the appropriate database type to search. -4. Select the appropriate SELECT clause for your search from the **Select clauses** box. For example, **APP\_NAME**. - - The **APP\_NAME** clause appears in the **SELECT** field. You can add as many additional clauses as you require. They will appear as columns in your search results. - -5. Select the appropriate WHERE clause for your search from the **Where clauses** box. For example, **DATABASE\_NAME**. - - The **DATABASE\_NAME =** clause appears in the **WHERE** box. - -6. Type the appropriate clause criteria after the equal (=) sign in the **WHERE** box. For example, **DATABASE\_NAME = "Custom\_Database"**. - - You must surround your clause criteria text with quotation marks (") for the clause to function properly. - -7. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Exporting Your Search Results - - -You can export any of your search results into a tab-delimited text (.txt) file for later review or for archival purposes. - -**To export your results** - -1. After you have completed your search by using the Query tool, click **Export**. - - The **Save results to a file** dialog box appears. - -2. Browse to the location where you intend to store the search results file, and then click **Save**. - -## Related topics - -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md deleted file mode 100644 index 53428226ac..0000000000 --- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md +++ /dev/null @@ -1,39 +0,0 @@ ---- -title: Showing Messages Generated by the SUA Tool (Windows 10) -description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Showing Messages Generated by the SUA Tool - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. - -**To show the messages that the SUA tool has generated** - -1. Use the SUA tool to test an application. For more information, see [Using the SUA Tool](using-the-sua-tool.md). - -2. After you finish testing, in the SUA tool, click the **App Info** tab. - -3. On the **View** menu, click the command that corresponds to the messages that you want to see. The following table describes the commands. - -|View menu command|Description| -|--- |--- | -|**Error Messages**|When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.
This command is selected by default.| -|**Warning Messages**|When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.| -|**Information Messages**|When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.| -|**Detailed Information**|When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.| \ No newline at end of file diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md deleted file mode 100644 index 3933f9c2d5..0000000000 --- a/windows/deployment/planning/sua-users-guide.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -title: SUA User's Guide (Windows 10) -description: Learn how to use Standard User Analyzer (SUA). SUA can test your apps and monitor API calls to detect compatibility issues related to the Windows User Account Control (UAC) feature. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# SUA User's Guide - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. - -You can use SUA in either of the following ways: - -- **Standard User Analyzer Wizard.** A wizard that guides you through a step-by-step process to locate and fix issues, without options for more analysis. - -- **Standard User Analyzer Tool.** A full-function tool in which you can perform in-depth analysis and fix issues. - -## In this section - -|Topic|Description| -|--- |--- | -|[Using the SUA wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions.| -|[Using the SUA Tool](using-the-sua-tool.md)|By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.| \ No newline at end of file diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md deleted file mode 100644 index 6c189c6d79..0000000000 --- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md +++ /dev/null @@ -1,39 +0,0 @@ ---- -title: Tabs on the SUA Tool Interface (Windows 10) -description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Tabs on the SUA Tool Interface - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. - -The following table provides a description of each tab on the user interface for the SUA tool. - -|Tab name|Description| -|--- |--- | -|App Info|Provides the following information for the selected application:
For example, this tab might show an attempt to write to a file that only administrators can typically access.| -|Registry|Provides information about access to the system registry.
For example, this tab might show an attempt to write to a registry key that only administrators can typically access.| -|INI|Provides information about WriteProfile API issues.
For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from **Standard** to **Scientific**, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.| -|Token|Provides information about access-token checking.
For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.| -|Privilege|Provides information about permissions.
For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.| -|Name Space|Provides information about creation of system objects.
For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.| -|Other Objects|Provides information related to applications accessing objects other than files and registry keys.| -|Process|Provides information about process elevation.
For example, this tab might show the use of the CreateProcess API to open an executable (.exe) file that, in turn, requires process elevation that will not function for a standard user.| - diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md deleted file mode 100644 index fcc32044a3..0000000000 --- a/windows/deployment/planning/testing-your-application-mitigation-packages.md +++ /dev/null @@ -1,82 +0,0 @@ ---- -title: Testing Your Application Mitigation Packages (Windows 10) -description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Testing Your Application Mitigation Packages - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. - -## Testing Your Application Mitigation Packages - -Testing your application mitigation package strategies is an iterative process, whereby the mitigation strategies that prove unsuccessful will need to be revised and retested. The testing process includes a series of tests in the test environment and one or more pilot deployments in the production environment. - -**To test your mitigation strategies** - -1. Perform the following steps for each of the applications for which you have developed mitigations. - - 1. Test the mitigation strategy in your test environment. - - 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform step 1 again. - - At the end of this step, you will have successfully tested all of your mitigation strategies in your test environment and can move to your pilot deployment environment. - -2. Perform the following steps in the pilot deployments for each of the applications for which you have developed mitigations. - - 1. Test the mitigation strategy in your pilot deployment. - - 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform Step 2 again. - - At the end of this step, you will have successfully tested all of your mitigation strategies in your pilot environment. - -## Reporting the Compatibility Mitigation Status to Stakeholders - -After testing your application mitigation package, you must communicate your status to the appropriate stakeholders before deployment begins. We recommend that you perform this communication by using the following status ratings. - -- **Resolved application compatibility issues**. This status indicates that the application compatibility issues are resolved and that these applications represent no risk to your environment. - -- **Unresolved application compatibility issues**. This status indicates that there are unresolved issues for the specifically defined applications. Because these applications are a risk to your environment, more discussion is required before you can resolve the compatibility issues. - -- **Changes to user experience**. This status indicates that the fix will change the user experience for the defined applications, possibly requiring your staff to receive further training. More investigation is required before you can resolve the compatibility issues. - -- **Changes in help desk procedures and processes**. This status indicates that the fix will require changes to your help desk's procedures and processes, possibly requiring your support staff to receive further training. More investigation is required before you can resolve the compatibility issues. - -## Resolving Outstanding Compatibility Issues - -At this point, you probably cannot resolve any unresolved application compatibility issues by automated mitigation methods or by modifying the application. Resolve any outstanding application compatibility issues by using one of the following methods. - -- Apply specific compatibility modes, or run the program as an Administrator, by using the Compatibility Administrator tool. - - > [!NOTE] - > For more information about using Compatibility Administrator to apply compatibility fixes and compatibility modes, see [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md). - -- Run the application in a virtual environment. - - Run the application in a version of Windows supported by the application in a virtualized environment. This method ensures application compatibility, because the application is running on a supported operating system. - -- Resolve application compatibility by using non-Microsoft tools. - - If the application was developed in an environment other than Microsoft Visual Studio®, you must use non-Microsoft debugging and analysis tools to help resolve the remaining application compatibility issues. - -- Outsource the application compatibility mitigation. - - If your developers have insufficient resources to resolve the application compatibility issues, outsource the mitigation effort to another organization within your company. - -## Related topics -[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md deleted file mode 100644 index 6fa5f46c8c..0000000000 --- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md +++ /dev/null @@ -1,88 +0,0 @@ ---- -title: Understanding and Using Compatibility Fixes (Windows 10) -description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.topic: conceptual -ms.subservice: itpro-deploy -ms.date: 10/28/2022 ---- - -# Understanding and Using Compatibility Fixes - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application. - -## How the Compatibility Fix Infrastructure Works - -The Compatibility Fix infrastructure uses the linking ability of APIs to redirect an application from Windows code directly to alternative code that implements the compatibility fix. - -The Windows Portable Executable File Format includes headers that contain the data directories that are used to provide a layer of indirection between the application and the linked file. API calls to the external binary files take place through the Import Address Table (IAT), which then directly calls the Windows operating system, as shown in the following figure. - - - -Specifically, the process modifies the address of the affected Windows function in the IAT to point to the compatibility fix code, as shown in the following figure. - - - ->[!NOTE] ->For statically linked DLLs, the code redirection occurs as the application loads. You can also fix dynamically linked DLLs by hooking into the GetProcAddress API. - -## Design Implications of the Compatibility Fix Infrastructure - -There are important considerations to keep in mind when determining your application fix strategy, due to certain characteristics of the Compatibility Fix infrastructure. - -- The compatibility fix is not part of the Windows operating system (as shown in the previous figure). Therefore, the same security restrictions apply to the compatibility fix as apply to the application code, which means that you cannot use compatibility fixes to bypass any of the security mechanisms of the operating system. Therefore, compatibility fixes do not increase your security exposure, nor do you need to lower your security settings to accommodate compatibility fixes. - -- The Compatibility Fix infrastructure injects additional code into the application before it calls the operating system. This means that any remedy that can be accomplished by a compatibility fix can also be addressed by fixing the application code. - -- The compatibility fixes run as user-mode code inside of a user-mode application process. This means that you cannot use a compatibility fix to fix kernel-mode code issues. For example, you cannot use a compatibility fix to resolve device-driver issues. - - > [!NOTE] - > Some antivirus, firewall, and anti-spyware code runs in kernel mode. - -## Determining When to Use a Compatibility Fix - -The decision to use compatibility fixes to remedy your compatibility issues may involve more than just technical issues. The following scenarios reflect other common reasons for using a compatibility fix. - -### Scenario 1 - -**The compatibility issue exists on an application which is no longer supported by the vendor.** - -As in many companies, you may run applications for which the vendor has ended support. In this situation, you cannot have the vendor make the fix, nor can you access the source code to modify the issue yourself. However, it is possible that the use of a compatibility fix might resolve the compatibility issue. - -### Scenario 2 - -**The compatibility issue exists on an internally created application.** - -While it is preferable to fix the application code to resolve the issue, this is not always possible. Your internal team might not be able to fix all of the issues prior to the deployment of the new operating system. Instead, they might choose to employ a compatibility fix anywhere that it is possible. They can then fix the code only for issues that cannot be resolved in this manner. Through this method, your team can modify the application as time permits, without delaying the deployment of the new operating system into your environment. - -### Scenario 3 - -**The compatibility issue exists on an application for which a compatible version is to be released in the near future, or an application that is not critical to the organization, regardless of its version.** - -In the situation where an application is either unimportant to your organization, or for which a newer, compatible version is to be released shortly, you can use a compatibility fix as a temporary solution. This means that you can continue to use the application without delaying the deployment of a new operating system, with the intention of updating your configuration as soon as the new version is released. - -## Determining Which Version of an Application to Fix - -You can apply a compatibility fix to a particular version of an application, either by using the "up to or including" clause or by selecting that specific version. This means that the next version of the application will not have the compatibility fix automatically applied. This is important, because it allows you to continue to use your application, but it also encourages the vendor to fix the application. - -## Support for Compatibility Fixes - -Compatibility fixes are shipped as part of the Windows operating system and are updated by using Windows Update. Therefore, they receive the same level of support as Windows itself. - -You can apply the compatibility fixes to any of your applications. However, Microsoft does not provide the tools to use the Compatibility Fix infrastructure to create your own custom fixes. - -## Related topics - -[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md deleted file mode 100644 index d938b218f9..0000000000 --- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md +++ /dev/null @@ -1,38 +0,0 @@ ---- -title: Using the Compatibility Administrator Tool (Windows 10) -description: This section provides information about using the Compatibility Administrator tool. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Using the Compatibility Administrator Tool - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about using the Compatibility Administrator tool. - -## In this section - -|Topic|Description| -|--- |--- | -|[Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)|The Compatibility Administrator tool provides a way to query your custom-compatibility databases.| -|[Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)|With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.| -|[Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)|You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.| -|[Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)|The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.| -|[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)|Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.| -|[Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)|The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.| -|[Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)|The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.| -|[Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)|You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.| -|[Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)|The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.| \ No newline at end of file diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md deleted file mode 100644 index d9152b5782..0000000000 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ /dev/null @@ -1,68 +0,0 @@ ---- -title: Using the Sdbinst.exe Command-Line Tool (Windows 10) -description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command-line options. -manager: aaroncz -ms.author: frankroj -ms.service: windows-client -author: frankroj -ms.date: 10/28/2022 -ms.topic: conceptual -ms.subservice: itpro-deploy ---- - -# Using the Sdbinst.exe Command-Line Tool - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2016 -- Windows Server 2012 -- Windows Server 2008 R2 - -Deploy your customized database (.sdb) files to other computers in your organization. That is, before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. By using a logon script, by using Group Policy, or by performing file copy operations. - -After you deploy and store the customized databases on each of your local computers, you must register the database files. -Until you register the database files, the operating system is unable to identify the available compatibility fixes when starting an application. - -## Command-Line Options for Deploying Customized Database Files - -Sample output from the command `Sdbinst.exe /?` in an elevated CMD window: - -```console -Microsoft Windows [Version 10.0.14393] -(c) 2016 Microsoft Corporation. All rights reserved. - -C:\Windows\system32>Sdbinst.exe /? -Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name" - - -? - print this help text. - -p - Allow SDBs containing patches. - -q - Quiet mode: prompts are auto-accepted. - -u - Uninstall. - -g {guid} - GUID of file (uninstall only). - -n "name" - Internal name of file (uninstall only). - -C:\Windows\system32>_ -``` - -The command-line options use the following conventions: - -Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\] - -The following table describes the available command-line options. - -|Option|Description| -|--- |--- | -|-?|Displays the Help for the Sdbinst.exe tool.
For example,
`sdbinst.exe -?`|
-|-p|Allows SDBs' installation with Patches.
For example,
`sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb`|
-|-q|Does a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).
For example,
`sdbinst.exe -q`|
-|-u *filepath*|Does an uninstallation of the specified database.
For example,
`sdbinst.exe -u C:\example.sdb`|
-|-g *GUID*|Specifies the customized database to uninstall by a globally unique identifier (GUID).
For example,
`sdbinst.exe -g 6586cd8f-edc9-4ea8-ad94-afabea7f62e3`|
-|-n *"name"*|Specifies the customized database to uninstall by file name.
For example,
`sdbinst.exe -n "My_Database"`|
-
-## Related articles
-
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md
deleted file mode 100644
index c67a5ba90a..0000000000
--- a/windows/deployment/planning/using-the-sua-tool.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: Using the SUA Tool (Windows 10)
-description: The Standard User Analyzer (SUA) tool can test applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
-manager: aaroncz
-ms.author: frankroj
-ms.service: windows-client
-author: frankroj
-ms.date: 10/28/2022
-ms.topic: conceptual
-ms.subservice: itpro-deploy
----
-
-# Using the SUA Tool
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
-
-The SUA Wizard also addresses UAC-related issues. In contrast to the SUA tool, the SUA Wizard guides you through the process step by step, without the in-depth analysis of the SUA tool. For information about the SUA Wizard, see [Using the SUA Wizard](using-the-sua-wizard.md).
-
-In the SUA tool, you can turn virtualization on and off. When you turn virtualization off, the tested application may function more like the way it does in earlier versions of Windows®.
-
-In the SUA tool, you can choose to run the application as **Administrator** or as **Standard User**. Depending on your selection, you may locate different types of UAC-related issues.
-
-## Testing an Application by Using the SUA Tool
-
-Before you can use the SUA tool, you must install Application Verifier. You must also install the Microsoft® .NET Framework 3.5 or later.
-
-The following flowchart shows the process of using the SUA tool.
-
-
-
-**To collect UAC-related issues by using the SUA tool**
-
-1. Close any open instance of the SUA tool or SUA Wizard on your computer.
-
- If there is an existing SUA instance on the computer, the SUA tool opens in log viewer mode instead of normal mode. In log viewer mode, you cannot start applications, which prevents you from collecting UAC issues.
-
-2. Run the Standard User Analyzer.
-
-3. In the **Target Application** box, browse to the executable file for the application that you want to analyze, and then double-click to select it.
-
-4. Clear the **Elevate** check box, and then click **Launch**.
-
- If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning.
-
-5. Exercise the aspects of the application for which you want to gather information about UAC issues.
-
-6. Exit the application.
-
-7. Review the information from the various tabs in the SUA tool. For information about each tab, see [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md).
-
-**To review and apply the recommended mitigations**
-
-1. In the SUA tool, on the **Mitigation** menu, click **Apply Mitigations**.
-
-2. Review the recommended compatibility fixes.
-
-3. Click **Apply**.
-
- The SUA tool generates a custom compatibility-fix database and automatically applies it to the local computer, so that you can test the fixes to see whether they worked.
-
-## Related topics
-[Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md)
-
-[Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md)
-
-[Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
-
-[Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md
deleted file mode 100644
index 5107afeb74..0000000000
--- a/windows/deployment/planning/using-the-sua-wizard.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: Using the SUA wizard (Windows 10)
-description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues.
-manager: aaroncz
-ms.author: frankroj
-ms.service: windows-client
-author: frankroj
-ms.date: 10/28/2022
-ms.topic: conceptual
-ms.subservice: itpro-deploy
----
-
-# Using the SUA wizard
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions.
-
-For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.md).
-
-## Testing an Application by Using the SUA wizard
-
-Install Application Verifier before you can use the SUA wizard. If Application Verifier isn't installed on the computer that is running the SUA wizard, the SUA wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA wizard.
-
-The following flowchart shows the process of using the SUA wizard.
-
-
-
-**To test an application by using the SUA wizard**
-
-1. On the computer where the SUA wizard is installed, sign in by using a non-administrator account.
-
-2. Run the Standard User Analyzer wizard.
-
-3. Click **Browse for Application**, browse to the folder that contains the application that you want to test, and then double-click the executable file for the application.
-
-4. Click **Launch**.
-
- If you're prompted, elevate your permissions. The SUA wizard may require elevation of permissions to correctly diagnose the application.
-
- If a **Permission denied** dialog box appears, click **OK**. The application starts, despite the warning.
-
-5. In the application, exercise the functionality that you want to test.
-
-6. After you finish testing, exit the application.
-
- The SUA wizard displays a message that asks whether the application ran without any issues.
-
-7. Click **No**.
-
- The SUA wizard shows a list of potential remedies that you might use to fix the application.
-
-8. Select the fixes that you want to apply, and then click **Launch**.
-
- The application appears again, with the fixes applied.
-
-9. Test the application again, and after you finish testing, exit the application.
-
- The SUA wizard displays a message that asks whether the application ran without any issues.
-
-10. If the application ran correctly, click **Yes**.
-
- The SUA wizard closes the issue as resolved on the local computer.
-
- If the remedies don't fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies don't fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md).
-
-## Related articles
-[SUA User's Guide](sua-users-guide.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
deleted file mode 100644
index cf1a19004e..0000000000
--- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
-description: You can use the Events screen to record and view activities in the Compatibility Administrator tool.
-manager: aaroncz
-ms.author: frankroj
-ms.service: windows-client
-author: frankroj
-ms.topic: conceptual
-ms.subservice: itpro-deploy
-ms.date: 10/28/2022
----
-
-# Viewing the Events Screen in Compatibility Administrator
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.
-
->[!IMPORTANT]
->The **Events** screen only records your activities when the screen is open. If you perform an action before opening the **Events** screen, the action will not appear in the list.
-
- **To open the Events screen**
-
-- On the **View** menu, click **Events**.
-
-## Handling Multiple Copies of Compatibility Fixes
-
-Compatibility Administrator enables you to copy your compatibility fixes from one database to another, which can become confusing after adding multiple fixes, compatibility modes, and databases. For example, you can copy a fix called MyFix from Database 1 to Database 2. However, if there is already a fix called MyFix in Database 2, Compatibility Administrator renames the fix as MyFix (1) to avoid duplicate names.
-
-If you open the **Events** screen and then perform the copy operation, you can see a description of the action, along with the time stamp, which enables you to view your fix information without confusion.
-
-## Related topics
-[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
index 3d8e2f154e..83e2ccae0c 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
@@ -77,7 +77,7 @@ sections:
- question: |
Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
answer: |
- Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md).
+ Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager).
- question: |
Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index f6e34ac694..5db0a13161 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -35,7 +35,7 @@ The latest version of the Microsoft Deployment Toolkit (MDT) is available for do
For Configuration Manager, Windows 10 version specific support is offered with [various releases](/mem/configmgr/core/plan-design/configs/support-for-windows-10).
-For more information about Microsoft Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+For more information about Microsoft Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](/previous-versions/windows/it-pro/windows-10/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager).
## Management tools
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
deleted file mode 100644
index 8e5e27c8df..0000000000
--- a/windows/deployment/s-mode.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Windows Pro in S mode
-description: Overview of Windows Pro and Enterprise in S mode.
-ms.localizationpriority: high
-ms.service: windows-client
-manager: aaroncz
-author: frankroj
-ms.author: frankroj
-ms.topic: conceptual
-ms.date: 04/26/2023
-ms.subservice: itpro-deploy
----
-
-# Windows Pro in S mode
-
-S mode is a configuration that's available on all Windows Editions, and it's enabled at the time of manufacturing. Windows can be switched out of S mode at any time, as shown in the picture below. However, the switch is a one-time operation, and can only be undone by a wipe and reload of the operating system.
-
-:::image type="content" source="images/smodeconfig.png" alt-text="Table listing the capabilities of S mode across the different Windows editions.":::
-
-## S mode key features
-
-### Microsoft-verified security
-
-With Windows in S mode, you'll find your favorite applications in the Microsoft Store, where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially-engineered malware.
-
-### Performance that lasts
-
-Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. You'll enjoy a smooth, responsive experience, whether you're streaming videos, opening apps, or being productive on the go.
-
-### Choice and flexibility
-
-Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
-
-:::image type="content" source="images/s-mode-flow-chart.png" alt-text="Switching out of S mode flow chart.":::
-
-## Deployment
-
-Windows in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot) for deployment, and a Mobile Device Management (MDM) solution for management, like Microsoft Intune.
-
-Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic device that can only be used to join the company Microsoft Entra tenant or Active Directory domain. Policies are then deployed automatically through MDM, to customize the device to the user and the desired environment.
-
-For the devices that are shipped in S mode, you can either keep them in S mode, use Windows Autopilot to switch them out of S mode during the first run process, or later using MDM, if desired.
-
-## Keep line of business apps functioning with Desktop Bridge
-
-[Desktop Bridge](/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating the apps, you can distribute them through an MDM solution like Microsoft Intune.
-
-## Repackage Win32 apps into the MSIX format
-
-The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through the MSIX Packaging Tool interactively, and obtain an MSIX package that you can deploy through and MDM solution like Microsoft Intune. The MSIX Packaging Tool is another way to get your apps ready to run on Windows in S mode.
-
-## Related links
-
-- [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode)
-- [S mode devices](https://www.microsoft.com/windows/view-all-devices)
-- [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
-- [Microsoft Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/)
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index 51371de0c7..9b6dcc7052 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -1,44 +1,45 @@
---
-title: Best practices - user-initiated feature update installation
-description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation.
+title: Deploy feature updates for user-initiated installations
+description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation during a fixed service window.
ms.service: windows-client
ms.subservice: itpro-updates
-ms.topic: best-practice
+ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
-appliesto:
+appliesto:
- ✅ Windows 10
- ✅ Microsoft Configuration Manager
ms.date: 07/10/2018
---
-# Deploy feature updates for user-initiated installations (during a fixed service window)
+# Deploy feature updates for user-initiated installations
Use the following steps to deploy a feature update for a user-initiated installation.
## Get ready to deploy feature updates
-### Step 1: Enable Peer Cache
-Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache.
+### Step 1: Enable peer cache
-[Enable Configuration Manager client in full OS to share content](/mem/configmgr/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
+Use **peer cache** to help manage deployment of content to clients in remote locations. Peer cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache.
+
+[Enable Configuration Manager client in full OS to share content](/mem/configmgr/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
### Step 2: Override the default Windows setup priority (Windows 10, version 1709 and later)
-If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
+If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini
-```
+```ini
[SetupConfig]
Priority=Normal
```
-You can use the new [Run Scripts](/mem/configmgr/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
+You can use the new [Run Scripts](/mem/configmgr/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
-```
+```powershell
#Parameters
Param(
[string] $PriorityValue = "Normal"
@@ -57,179 +58,190 @@ $iniSetupConfigSlogan
"@
#Build SetupConfig content with settings
-foreach ($k in $iniSetupConfigKeyValuePair.Keys)
+foreach ($k in $iniSetupConfigKeyValuePair.Keys)
{
$val = $iniSetupConfigKeyValuePair[$k]
-
+
$iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val")
}
-#Write content to file
+#Write content to file
New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force
<#
-Disclaimer
-Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is
-provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without
-limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk
-arising out of the use or performance of the sample script and documentation remains with you. In no event shall
-Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable
-for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption,
-loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script
+Disclaimer
+Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is
+provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without
+limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk
+arising out of the use or performance of the sample script and documentation remains with you. In no event shall
+Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable
+for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption,
+loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script
or documentation, even if Microsoft has been advised of the possibility of such damages.
#>
```
->[!NOTE]
-> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/mem/configmgr/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
+> [!NOTE]
+> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/mem/configmgr/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
## Manually deploy feature updates in a user-initiated installation
The following sections provide the steps to manually deploy a feature update.
### Step 1: Specify search criteria for feature updates
-There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying a feature update is to identify the feature updates that you want to deploy.
-1. In the Configuration Manager console, select **Software Library**.
-2. In the Software Library workspace, expand **Windows 10 Servicing**, and select **All Windows 10 Updates**. The synchronized feature updates are displayed.
+There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying a feature update is to identify the feature updates that you want to deploy.
+
+1. In the Configuration Manager console, select **Software Library**.
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and select **All Windows 10 Updates**. The synchronized feature updates are displayed.
3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps:
- - In the **search** text box, type a search string that filters for the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
+ - In the **search** text box, type a search string that filters for the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
- Select **Add Criteria**, select the criteria that you want to use to filter software updates, select **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English.
-4. Save the search for future use.
+4. Save the search for future use.
-### Step 2: Download the content for the feature update(s)
-Before you deploy the feature updates, you can download the content as a separate step. Do this download so you can verify that the content is available on the distribution points before you deploy the feature updates. Downloading first helps you avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
+### Step 2: Download the content for the feature update
-1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**.
+Before you deploy the feature updates, you can download the content as a separate step. Do this download so you can verify that the content is available on the distribution points before you deploy the feature updates. Downloading first helps you avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
+
+1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**.
2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right-click, and select **Download**.
- The **Download Software Updates Wizard** opens.
-3. On the **Deployment Package** page, configure the following settings:
- **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings:
- - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It's limited to 50 characters.
- - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters.
- - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or select **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
+ The **Download Software Updates Wizard** opens.
+3. On the **Deployment Package** page, configure the following settings:
+ **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings:
+ - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It's limited to 50 characters.
+ - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters.
+ - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or select **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
> [!IMPORTANT]
- > - The deployment package source location that you specify cannot be used by another software deployment package.
- > - The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
- > - You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
+ > - The deployment package source location that you specify cannot be used by another software deployment package.
+ > - The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
+ > - You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
- Select **Next**.
-4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then select **Next**. For more information about distribution points, see [Distribution point configurations](/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
+ Select **Next**.
+4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then select **Next**. For more information about distribution points, see [Distribution point configurations](/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
- >[!NOTE]
- > The Distribution Points page is available only when you create a new software update deployment package.
-5. On the **Distribution Settings** page, specify the following settings:
+ > [!NOTE]
+ > The Distribution Points page is available only when you create a new software update deployment package.
+5. On the **Distribution Settings** page, specify the following settings:
- - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there's no backlog, the package processes immediately regardless of its priority. By default, packages are sent using Medium priority.
- - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content isn't available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/mem/configmgr/core/plan-design/hierarchy/content-source-location-scenarios).
- - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options:
- - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point.
+ - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there's no backlog, the package processes immediately regardless of its priority. By default, packages are sent using Medium priority.
+ - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content isn't available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/mem/configmgr/core/plan-design/hierarchy/content-source-location-scenarios).
+ - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options:
+ - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point.
- **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point.
- - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This setting is the default.
-
- For more information about prestaging content to distribution points, see [Use Prestaged content](/mem/configmgr/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
- Select **Next**.
-6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options:
+ - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This setting is the default.
+
+ For more information about prestaging content to distribution points, see [Use Prestaged content](/mem/configmgr/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
+ Select **Next**.
+6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options:
- **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting.
- - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard doesn't have Internet access.
-
- >[!NOTE]
+ - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard doesn't have Internet access.
+
+ > [!NOTE]
> When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
- Select **Next**.
-7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then select **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
-8. On the **Summary** page, verify the settings that you selected in the wizard, and then select **Next** to download the software updates.
-9. On the **Completion** page, verify that the software updates were successfully downloaded, and then select **Close**.
+ Select **Next**.
+7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then select **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
+8. On the **Summary** page, verify the settings that you selected in the wizard, and then select **Next** to download the software updates.
+9. On the **Completion** page, verify that the software updates were successfully downloaded, and then select **Close**.
#### To monitor content status
-1. To monitor the content status for the feature updates, select **Monitoring** in the Configuration Manager console.
-2. In the Monitoring workspace, expand **Distribution Status**, and then select **Content Status**.
-3. Select the feature update package that you previously identified to download the feature updates.
+
+1. To monitor the content status for the feature updates, select **Monitoring** in the Configuration Manager console.
+2. In the Monitoring workspace, expand **Distribution Status**, and then select **Content Status**.
+3. Select the feature update package that you previously identified to download the feature updates.
4. On the **Home** tab, in the Content group, select **View Status**.
-### Step 3: Deploy the feature update(s)
-After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s).
+### Step 3: Deploy the feature update
-1. In the Configuration Manager console, select **Software Library**.
-2. In the Software Library workspace, expand **Windows 10 Servicing**, and select **All Windows 10 Updates**.
+After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s).
+
+1. In the Configuration Manager console, select **Software Library**.
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and select **All Windows 10 Updates**.
3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right select, and select **Deploy**.
- The **Deploy Software Updates Wizard** opens.
-4. On the General page, configure the following settings:
- - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \
-[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
+- [User State Migration Tool (USMT) overview](../usmt/usmt-overview.md).
+- [Windows upgrade paths](windows-upgrade-paths.md).
+- [Windows edition upgrade](windows-edition-upgrades.md).
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index fda2e72b83..9e1d97ccac 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -8,7 +8,7 @@ ms.service: windows-client
author: frankroj
ms.topic: conceptual
ms.subservice: itpro-deploy
-ms.date: 01/09/2024
+ms.date: 08/30/2024
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -65,17 +65,17 @@ This article outlines the general process to follow to migrate files and setting
>
> USMT fails if it can't migrate a file or setting unless the `/c` option is specified. When the `/c` option is specified, USMT ignores the errors, and logs an error every time that it encounters a file that is being used that USMT didn't migrate. The `
|Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). |
+|
|Volume licensing keys can only be obtained with a signed contract from Microsoft. For more information, see the [Microsoft Volume Licensing portal](https://admin.microsoft.com/adminportal/home#/subscriptions/vlnew). |
|Retail product keys |Obtained at time of product purchase. |
## System requirements
@@ -41,4 +41,6 @@ The following table lists the system requirements for the VAMT host computer.
## Related content
-- [Install and configure VAMT](install-configure-vamt.md).
+[Install VAMT](install-vamt.md)
+
+[Configure client computers](configure-client-computers-vamt.md)
diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md
deleted file mode 100644
index 375ebad9fa..0000000000
--- a/windows/deployment/volume-activation/vamt-step-by-step.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: VAMT Step-by-Step Scenarios
-description: Learn step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments.
-ms.reviewer: nganguly
-manager: aaroncz
-ms.author: frankroj
-ms.service: windows-client
-author: frankroj
-ms.date: 03/29/2024
-ms.topic: conceptual
-ms.subservice: itpro-fundamentals
----
-
-# VAMT step-by-step scenarios
-
-This section provides instructions on how to implement the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios. To get started, some of the most common scenarios are described here.
-
-## In this section
-
-|Article |Description |
-|-------|------------|
-|[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network. Additionally, it also describes how to instruct these products to contact Microsoft over the Internet for activation. |
-|[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers—the first one with Internet access and a second computer within an isolated workgroup—as proxies to perform MAK volume activation for workgroup computers that don't have Internet access. |
-|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of currently supported versions of Windows and Microsoft Office use KMS for activation. |
-
-## Related content
-
-- [Introduction to VAMT](introduction-vamt.md).
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index 396e2a74e2..c087146a5a 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -1,12 +1,12 @@
---
title: VAMT technical reference
description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation.
+ms.author: kaushika
+author: kaushika-msft
+manager: cshepard
ms.reviewer: nganguly
-manager: aaroncz
-ms.author: frankroj
ms.service: windows-client
-ms.subservice: itpro-fundamentals
-author: frankroj
+ms.subservice: activation
ms.date: 03/29/2024
ms.topic: overview
---
@@ -21,16 +21,6 @@ The Volume Activation Management Tool (VAMT) allows automation and central manag
VAMT is only available in an EN-US (x86) package.
-## In this section
+## Next steps
-|Article |Description |
-|------|------------|
-|[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. |
-|[Active Directory-based activation overview](active-directory-based-activation-overview.md) |Describes Active Directory-based activation scenarios. |
-|[Install and configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers in the network. |
-|[Add and manage products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. |
-|[Manage product keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. |
-|[Manage activations](manage-activations-vamt.md) |Describes how to activate a client computer by using various activation methods. |
-|[Manage VAMT data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
-|[VAMT step-by-step scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
-|[VAMT known issues](vamt-known-issues.md) |Lists known issues in VAMT. |
+[Introduction to VAMT](introduction-vamt.md)
diff --git a/windows/deployment/volume-activation/volume-activation-windows.md b/windows/deployment/volume-activation/volume-activation-windows.md
index 701785bf9e..311c6869d2 100644
--- a/windows/deployment/volume-activation/volume-activation-windows.md
+++ b/windows/deployment/volume-activation/volume-activation-windows.md
@@ -1,15 +1,15 @@
---
-title: Volume Activation for Windows
+title: Volume activation for Windows
description: Learn how to use volume activation to deploy & activate Windows.
+ms.author: kaushika
+author: kaushika-msft
+manager: cshepard
ms.reviewer: nganguly
-manager: aaroncz
-ms.author: frankroj
-ms.service: windows-client
-author: frankroj
ms.localizationpriority: medium
ms.date: 03/29/2024
-ms.topic: conceptual
-ms.subservice: itpro-fundamentals
+ms.topic: overview
+ms.service: windows-client
+ms.subservice: activation
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -18,7 +18,7 @@ appliesto:
- ✅ Windows Server 2016
---
-# Volume Activation for Windows
+# Volume activation for Windows
> [!TIP]
>
@@ -28,8 +28,8 @@ appliesto:
>
> Looking for information on retail activation?
>
-> - [Activate Windows](https://support.microsoft.com/help/12440/).
-> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644).
+> - [Activate Windows](https://support.microsoft.com/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227).
+> - [Product activation for Windows](https://support.microsoft.com/windows/product-activation-for-windows-online-support-telephone-numbers-35f6a805-1259-88b4-f5e9-b52cccef91a0).
This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows.
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index 0b09a07b84..182f55c874 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -7,7 +7,7 @@ author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: conceptual
-ms.date: 04/25/2024
+ms.date: 07/19/2024
ms.subservice: itpro-deploy
appliesto:
- ✅ Windows 11
@@ -21,48 +21,56 @@ appliesto:
The operating system deployment functionality of [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)) (WDS) is being partially deprecated. Starting with Windows 11, workflows that rely on **boot.wim** from installation media or on running Windows Setup in WDS mode is no longer supported.
-When you PXE-boot from a WDS server that uses the **boot.wim** file from installation media as its boot image, Windows Setup automatically launches in WDS mode. This workflow is deprecated for Windows 11 and newer boot images. The following deprecation message is displayed:
+When PXE booting from a WDS server that uses the **boot.wim** file from installation media as its boot image, Windows Setup automatically launches in WDS mode. This workflow is deprecated for Windows 11 and newer boot images. The following deprecation message is displayed:
> Windows Setup
>
-> Windows Deployment Services client functionality is being partly deprecated. Please visit https://aka.ms/WDSSupport for more details on what is deprecated and what will continue to be supported.
+> Windows Deployment Services client functionality is being partly deprecated. Please visit https://aka.ms/WDSSupport for more details on what is deprecated and what is still supported.
## Deployment scenarios affected
The following table provides support details for specific deployment scenarios. Boot.wim is the `boot.wim` file obtained from the Windows source files for each specified version of Windows.
-|Windows Version being deployed |Boot.wim from Windows 10|Boot.wim from Windows Server 2016|Boot.wim from Windows Server 2019|Boot.wim from Windows Server 2022|Boot.wim from Windows 11|
-|--- |--- |--- |--- |--- |--- |
-|**Windows 11**|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|
-|**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.|
-|**Windows Server 2022**|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Not supported.|
-|**Windows Server 2019**|Supported, using a boot image from Windows 10, version 1809 or later.|Supported.|Supported.|Not supported.|Not supported.|
-|**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.|
-
-## Reason for the change
-
-Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images.
+| Windows Version being deployed | Boot.wim from Windows 10 | Boot.wim from Windows Server 2016 | Boot.wim from Windows Server 2019 | Boot.wim from Windows Server 2022 | Boot.wim from Windows 11 |
+| --- | --- | --- | --- | --- | --- |
+| **Windows 11** | Not supported, blocked. | Not supported, blocked. | Not supported, blocked. |Not supported, blocked. | Not supported, blocked. |
+| **Windows 10** | Supported, using a boot image from matching or newer version. | Supported, using a boot image from a [currently supported version of Windows 10](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions). | Supported, using a boot image from a [currently supported version of Windows 10](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions).| Not supported. | Not supported. |
+| **Windows Server 2025** | Not supported. | Not supported. | Not supported. | Not supported. | Not supported. |
+| **Windows Server 2022** | Deprecated, with a warning message. | Deprecated, with a warning message. | Deprecated, with a warning message. | Deprecated, with a warning message. | Not supported. |
+| **Windows Server 2019** | Supported, using a boot image from a [currently supported version of Windows 10](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions). | Supported. | Supported. | Not supported. | Not supported. |
+| **Windows Server 2016** | Supported, using a boot image from a [currently supported version of Windows 10](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions). |Supported. | Not supported. | Not supported. | Not supported. |
> [!NOTE]
>
-> [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) only supports deployment of Windows 10. It doesn't support deployment of Windows 11. For more information, see [Supported platforms](/mem/configmgr/mdt/release-notes#supported-platforms).
+> The following error message might be displayed when attempting to use **boot.wim** on WDS running on Windows Server 2025:
+>
+> `A media driver your computer needs is missing. This could be a DVD, USB or Hard disk driver. If you have a CD, DVD, or USB flash drive with the driver on it, please insert it now.`
+>
+> An error message is expected since using **boot.wim** on WDS running on Windows Server 2025 isn't supported.
+
+## Reason for the change
+
+Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/osd/understand/introduction-to-operating-system-deployment), provide a better, more flexible, and feature-rich experience for deploying Windows images.
## Not affected
-This change doesn’t affect WDS PXE boot. You can still use WDS to PXE boot devices with custom boot images, but you can't use **boot.wim** as the boot image and run Windows Setup in WDS mode.
+This change doesn't affect WDS PXE boot. WDS can still be used to PXE boot devices with custom boot images, but **boot.wim** can't be used as the boot image and run Windows Setup in WDS mode.
-You can still run Windows Setup from a network share. This change doesn't change Workflows that use a custom boot.wim, such as MDT or Configuration Manager.
+Windows Setup can still run from a network share. This change doesn't change Workflows that use a custom boot.wim, such as Microsoft Deployment Toolkit (MDT) or Microsoft Configuration Manager.
## Summary
-- Windows 11 workflows that rely on **boot.wim** from installation media are blocked. You can't perform an end to end deployment of Windows 11 using only WDS.
+- Windows 11 workflows that rely on **boot.wim** from installation media are blocked. An end to end deployment of Windows 11 using only WDS can't be performed.
+
- This change doesn't affect Windows 10, Windows Server 2019, and previous operating system versions.
+
- Windows Server 2022 workflows that rely on **boot.wim** from installation media show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow isn't blocked.
+
- Windows Server workflows after Windows Server 2022 that rely on **boot.wim** from installation media are blocked.
-If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image.
+If WDS is being used with **boot.wim** from installation media for end-to-end operating system deployment, and the OS version isn't supported, deprecated, or blocked, Microsoft recommends using deployment tools such as Microsoft Configuration Manager, or a non-Microsoft solution that uses a custom boot.wim image.
-## Also see
+## Related content
-- [Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing)
-- [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+- [Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing).
+- [Customize boot images with Configuration Manager](/mem/configmgr/osd/get-started/customize-boot-images).
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
deleted file mode 100644
index aecea5c3dc..0000000000
--- a/windows/deployment/windows-10-deployment-posters.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Windows 10 deployment process posters
-description: View and download Windows 10 deployment process flows for Microsoft Configuration Manager and Windows Autopilot.
-manager: aaroncz
-author: frankroj
-ms.author: frankroj
-ms.service: windows-client
-ms.subservice: itpro-deploy
-ms.localizationpriority: medium
-ms.topic: reference
-ms.date: 11/23/2022
----
-
-# Windows 10 deployment process posters
-
-*Applies to:*
-
-- Windows 10
-
-The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Configuration Manager.
-
-## Deploy Windows 10 with Autopilot
-
-The Windows Autopilot poster is two pages in portrait mode (11x17). Select the image to download a PDF version.
-
-[](https://download.microsoft.com/download/8/4/b/84b5e640-8f66-4b43-81a9-1c3b9ea18eda/Windows10AutopilotFlowchart.pdf)
-
-## Deploy Windows 10 with Microsoft Configuration Manager
-
-The Configuration Manager poster is one page in landscape mode (17x11). Select the image to download a PDF version.
-
-[](https://download.microsoft.com/download/e/2/a/e2a70587-d3cc-4f1a-ba49-cfd724a1736b/Windows10DeploymentConfigManager.pdf)
-
-## See also
-
-[Overview of Windows Autopilot](/mem/autopilot/windows-autopilot)
-
-[Scenarios to deploy enterprise operating systems with Configuration Manager](/mem/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems)
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
deleted file mode 100644
index c481efb0a5..0000000000
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ /dev/null
@@ -1,1181 +0,0 @@
----
-title: Steps to deploy Windows 10 with Configuration Manager
-description: Learn how to deploy Windows 10 in a test lab using Microsoft Configuration Manager.
-ms.service: windows-client
-ms.subservice: itpro-deploy
-ms.localizationpriority: medium
-manager: aaroncz
-ms.author: frankroj
-author: frankroj
-ms.topic: tutorial
-ms.date: 11/23/2022
----
-
-# Deploy Windows 10 in a test lab using Configuration Manager
-
-*Applies to:*
-
-- Windows 10
-
-> [!IMPORTANT]
-> This guide uses the proof of concept (PoC) environment, and some settings that are configured in the following guides:
->
-> - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
-> - [Deploy Windows 10 in a test lab using the Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
->
-> Complete all steps in these guides before you start the procedures in this guide. If you want to skip the Windows 10 deployment procedures in the MDT guide, and move directly to this guide, at least install MDT and the Windows ADK before starting this guide. All steps in the first guide are required before attempting the procedures in this guide.
-
-The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
-
-- **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
-- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
-- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your network for testing purposes.
-
-This guide uses the Hyper-V server role to perform procedures. If you don't complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work.
-
-Multiple features and services are installed on SRV1 in this guide. This configuration isn't a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, select **Settings**, select **Memory**, and modify the value next to **Maximum RAM**.
-
-## In this guide
-
-This guide provides end-to-end instructions to install and configure Microsoft Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete.
-
-The procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
-
-|Procedure|Description|Time|
-|--- |--- |--- |
-|[Install prerequisites](#install-prerequisites)|Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.|60 minutes|
-|[Install Microsoft Configuration Manager](#install-microsoft-configuration-manager)|Download Microsoft Configuration Manager, configure prerequisites, and install the package.|45 minutes|
-|[Download MDOP and install DaRT](#download-mdop-and-install-dart)|Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.|15 minutes|
-|[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)|Prerequisite procedures to support Zero Touch installation.|60 minutes|
-|[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)|Use the MDT wizard to create the boot image in Configuration Manager.|20 minutes|
-|[Create a Windows 10 reference image](#create-a-windows-10-reference-image)|This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.|0-60 minutes|
-|[Add a Windows 10 OS image](#add-a-windows-10-os-image)|Add a Windows 10 OS image and distribute it.|10 minutes|
-|[Create a task sequence](#create-a-task-sequence)|Create a Configuration Manager task sequence with MDT integration using the MDT wizard|15 minutes|
-|[Finalize the OS configuration](#finalize-the-os-configuration)|Enable monitoring, configure rules, and distribute content.|30 minutes|
-|[Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager)|Deploy Windows 10 using Configuration Manager deployment packages and task sequences.|60 minutes|
-|[Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager)|Replace a client computer with Windows 10 using Configuration Manager.|90 minutes|
-|[Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager)|Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT|90 minutes|
-
-## Install prerequisites
-
-1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```powershell
- Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
- ```
-
- > [!NOTE]
- > If the request to add features fails, retry the installation by typing the command again.
-
-2. Download [SQL Server](https://www.microsoft.com/evalcenter/evaluate-sql-server-2022) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
-
- > [!NOTE]
- > The rest of this article describes the installation of SQL Server 2014. If you download a different version of SQL Server, you may need to modify the installation steps.
-
-1. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```powershell
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
- ```
-
- This command mounts the .ISO file to drive D on SRV1.
-
-4. Enter the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
-
- ```cmd
- D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
- ```
-
- Installation will take several minutes. When installation is complete, the following output will be displayed:
-
- ```console
- Microsoft (R) SQL Server 2014 12.00.5000.00
- Copyright (c) Microsoft Corporation. All rights reserved.
-
- Microsoft (R) .NET Framework CasPol 2.0.50727.7905
- Copyright (c) Microsoft Corporation. All rights reserved.
-
- Success
- Microsoft (R) .NET Framework CasPol 2.0.50727.7905
- Copyright (c) Microsoft Corporation. All rights reserved.
-
- Success
- One or more affected files have operations pending.
- You should restart your computer to complete this process.
- ```
-
-5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
-
- ```powershell
- New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action allow
- New-NetFirewallRule -DisplayName "SQL Admin Connection" -Direction Inbound -Protocol TCP -LocalPort 1434 -Action allow
- New-NetFirewallRule -DisplayName "SQL Database Management" -Direction Inbound -Protocol UDP -LocalPort 1434 -Action allow
- New-NetFirewallRule -DisplayName "SQL Service Broker" -Direction Inbound -Protocol TCP -LocalPort 4022 -Action allow
- New-NetFirewallRule -DisplayName "SQL Debugger/RPC" -Direction Inbound -Protocol TCP -LocalPort 135 -Action allow
- ```
-
-6. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 2004. Installation might require several minutes to acquire all components.
-
-## Install Microsoft Configuration Manager
-
-1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
-
- ```powershell
- $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
- Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
- Stop-Process -Name Explorer
- ```
-
-2. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
-
-3. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
-
-4. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
-
- ```powershell
- Get-Service Winmgmt
-
- Status Name DisplayName
- ------ ---- -----------
- Running Winmgmt Windows Management Instrumentation
-
- Test-NetConnection -ComputerName 192.168.0.2 -Port 135 -InformationLevel Detailed
-
- ComputerName : 192.168.0.2
- RemoteAddress : 192.168.0.2
- RemotePort : 135
- AllNameResolutionResults :
- MatchingIPsecRules :
- NetworkIsolationContext : Internet
- InterfaceAlias : Ethernet
- SourceAddress : 192.168.0.2
- NetRoute (NextHop) : 0.0.0.0
- PingSucceeded : True
- PingReplyDetails (RTT) : 0 ms
- TcpTestSucceeded : True
- ```
-
- You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**.
-
- If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [winmgmt](/windows/win32/wmisdk/winmgmt) for troubleshooting information.
-
-5. To extend the Active Directory schema, enter the following command at an elevated Windows PowerShell prompt:
-
- ```cmd
- C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
- ```
-
-6. Temporarily switch to the DC1 VM, and enter the following command at an elevated command prompt on DC1:
-
- ```cmd
- adsiedit.msc
- ```
-
-7. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**.
-
-8. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**.
-
-9. Select **container** and then select **Next**.
-
-10. Next to **Value**, enter **System Management**, select **Next**, and then select **Finish**.
-
-11. Right-click **CN=system Management** and then select **Properties**.
-
-12. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**.
-
-13. Under **Enter the object names to select**, enter **SRV1** and select **OK**.
-
-14. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
-
-15. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**.
-
-16. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times.
-
-17. Close the ADSI Edit console and switch back to SRV1.
-
-18. To start Configuration Manager installation, enter the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```cmd
- C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
- ```
-
-19. Provide the following information in the Configuration Manager Setup Wizard:
-
- - **Before You Begin**: Read the text and select *Next*.
- - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
- - Select **Yes** in response to the popup window.
- - **Product Key**: Choose **Install the evaluation edition of this Product**.
- - **Microsoft Software License Terms**: Read the terms and then select the **I accept these license terms** checkbox.
- - **Prerequisite Licenses**: Review license terms and select all three checkboxes on the page.
- - **Prerequisite Downloads**: Choose **Download required files** and enter **c:\windows\temp** next to **Path**.
- - **Site and Installation Settings**: Site code: **PS1**, Site name: **Contoso**.
- - use default settings for all other options
- - **Usage Data**: Read the text and select **Next**.
- - **Service Connection Point Setup**: Accept the default settings (SRV1.contoso.com is automatically added under Select a server to use).
- - **Settings Summary**: Review settings and select **Next**.
- - **Prerequisite Check**: No failures should be listed. Ignore any warnings and select **Begin Install**.
-
- > [!NOTE]
- > There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment.
-
- Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Select **Close** when installation is complete.
-
-20. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
-
- ```powershell
- Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
- Stop-Process -Name Explorer
- ```
-
-## Download MDOP and install DaRT
-
-> [!IMPORTANT]
-> This step requires a Visual Studio subscription or volume license agreement. For more information, see [MDOP information experience](/microsoft-desktop-optimization-pack/).
-
-1. Download the Microsoft Desktop Optimization Pack 2015 to the Hyper-V host from Visual Studio Online or from the [Microsoft Volume Licensing website (MVLS)](https://go.microsoft.com/fwlink/p/?LinkId=166331) site. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
-
-2. Enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
-
- ```powershell
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso
- ```
-
-3. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```cmd
- D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi
- ```
-
-4. Install DaRT 10 using default settings.
-
-5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
-
- ```powershell
- Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64"
- Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx86.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86"
- ```
-
-## Prepare for Zero Touch installation
-
-This section contains several procedures to support Zero Touch installation with Microsoft Configuration Manager.
-
-### Create a folder structure
-
-1. Enter the following commands at a Windows PowerShell prompt on SRV1:
-
- ```powershell
- New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot"
- New-Item -ItemType Directory -Path "C:\Sources\OSD\OS"
- New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings"
- New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding"
- New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT"
- New-Item -ItemType Directory -Path "C:\Logs"
- New-SmbShare -Name Sources$ -Path C:\Sources -ChangeAccess EVERYONE
- New-SmbShare -Name Logs$ -Path C:\Logs -ChangeAccess EVERYONE
- ```
-
-### Enable MDT ConfigMgr integration
-
-1. On SRV1, select **Start**, enter `configmgr`, and then select **Configure ConfigMgr Integration**.
-
-2. Enter `PS1` as the **Site code**, and then select **Next**.
-
-3. Verify **The process completed successfully** is displayed, and then select **Finish**.
-
-### Configure client settings
-
-1. On SRV1, select **Start**, enter **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**.
-
-2. Select **Desktop**, and then launch the Configuration Manager console from the taskbar.
-
-3. If the console notifies you that an update is available, select **OK**. It isn't necessary to install updates to complete this lab.
-
-4. In the console tree, open the **Administration** workspace (in the lower left corner) and select **Client Settings**.
-
-5. In the display pane, double-click **Default Client Settings**.
-
-6. Select **Computer Agent**, next to **Organization name displayed in Software Center** enter **Contoso**, and then select **OK**.
-
-### Configure the network access account
-
-1. in the **Administration** workspace, expand **Site Configuration** and select **Sites**.
-
-2. On the **Home** ribbon at the top of the console window, select **Configure Site Components** and then select **Software Distribution**.
-
-3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
-
-4. Select the yellow starburst and then select **New Account**.
-
-5. Select **Browse** and then under **Enter the object name to select**, enter **CM_NAA** and select **OK**.
-
-6. Next to **Password** and **Confirm Password**, enter **pass\@word1**, and then select **OK** twice.
-
-### Configure a boundary group
-
-1. in the **Administration** workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**.
-
-2. Next to **Description**, enter **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**.
-
-3. Choose **Default-First-Site-Name** and then select **OK** twice.
-
-4. in the **Administration** workspace, right-click **Boundary Groups** and then select **Create Boundary Group**.
-
-5. Next to **Name**, enter **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**.
-
-6. On the **References** tab in the **Create Boundary Group** window, select the **Use this boundary group for site assignment** checkbox.
-
-7. Select **Add**, select the **\\\SRV1.contoso.com** checkbox, and then select **OK** twice.
-
-### Add the state migration point role
-
-1. in the **Administration** workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**.
-
-2. In the Add site System Roles Wizard, select **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox.
-
-3. Select **Next**, select the yellow starburst, enter **C:\MigData** for the **Storage folder**, and select **OK**.
-
-4. Select **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed.
-
-5. Select **Next** twice and then select **Close**.
-
-### Enable PXE on the distribution point
-
-> [!IMPORTANT]
-> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, enter the following commands at an elevated Windows PowerShell prompt on SRV1:
-
-```cmd
-WDSUTIL.exe /Set-Server /AnswerClients:None
-```
-
-1. Determine the MAC address of the internal network adapter on SRV1. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```powershell
- (Get-NetAdapter "Ethernet").MacAddress
- ```
-
- > [!NOTE]
- > If the internal network adapter, assigned an IP address of 192.168.0.2, isn't named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
-
-2. In the Configuration Manager console, in the **Administration** workspace, select **Distribution Points**.
-
-3. In the display pane, right-click **SRV1.CONTOSO.COM** and then select **Properties**.
-
-4. On the PXE tab, select the following settings:
-
- - **Enable PXE support for clients**. Select **Yes** in the popup that appears.
- - **Allow this distribution point to respond to incoming PXE requests**
- - **Enable unknown computer support**. Select **OK** in the popup that appears.
- - **Require a password when computers use PXE**
- - **Password** and **Confirm password**: pass@word1
- - **Respond to PXE requests on specific network interfaces**: Select the yellow starburst and then enter the MAC address determined in the first step of this procedure.
-
- See the following example:
- 
-
-5. Select **OK**.
-
-6. Wait for a minute, then enter the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
-
- ```cmd
- dir /b C:\RemoteInstall\SMSBoot\x64
-
- abortpxe.com
- bootmgfw.efi
- bootmgr.exe
- pxeboot.com
- pxeboot.n12
- wdsmgfw.efi
- wdsnbp.com
- ```
-
- > [!NOTE]
- > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net.exe share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
- >
- > You can also enter the following command at an elevated Windows PowerShell prompt to open CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
- >
- > ```cmd
- > "C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe"
- > ```
- >
- > The log file is updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically recheck that the files are present in the REMINST share location. Close CMTrace when done. You'll see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
- >
- > `Running: WDSUTIL.exe /Initialize-Server /REMINST:"C:\RemoteInstall"`
- >
- > Once the files are present in the REMINST share location, you can close the CMTrace tool.
-
-### Create a branding image file
-
-1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a branding image.
-
-2. Enter the following command at an elevated Windows PowerShell prompt:
-
- ```powershell
- Copy-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination "C:\Sources\OSD\Branding\contoso.bmp"
- ```
-
- > [!NOTE]
- > You can open C:\Sources\OSD\Branding\contoso.bmp in Microsoft Paint to customize this image.
-
-### Create a boot image for Configuration Manager
-
-1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then select **Create Boot Image using MDT**.
-
-2. On the Package Source page, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**.
-
- - The Zero Touch WinPE x64 folder doesn't yet exist. The folder will be created later.
-
-3. On the General Settings page, enter **Zero Touch WinPE x64** next to **Name**, and select **Next**.
-
-4. On the Options page, under **Platform** choose **x64**, and select **Next**.
-
-5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and select **Next**.
-
-6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, enter or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image.
-
-7. Select **Finish**.
-
-8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then select **Distribute Content**.
-
-9. In the Distribute Content Wizard, select **Next**, select **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, select **OK**, select **Next** twice, and then select **Close**.
-
-10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, enter the following command at an elevated Windows PowerShell prompt on SRV1:
-
- ```powershell
- Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
- ```
-
- In the trace tool, select **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example:
-
- ```console
- STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590)
- ```
-
-11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
-
-12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then select the **Data Source** tab.
-
-13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and select **OK**.
-
-14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
-
- ```cmd
- dir /s /b C:\RemoteInstall\SMSImages
-
- C:\RemoteInstall\SMSImages\PS100004
- C:\RemoteInstall\SMSImages\PS100005
- C:\RemoteInstall\SMSImages\PS100006
- C:\RemoteInstall\SMSImages\PS100004\boot.PS100004.wim
- C:\RemoteInstall\SMSImages\PS100005\boot.PS100005.wim
- C:\RemoteInstall\SMSImages\PS100006\WinPE.PS100006.wim
- ```
-
- > [!NOTE]
- > The first two images (`*.wim` files) are default boot images. The third is the new boot image with DaRT.
-
-### Create a Windows 10 reference image
-
-If you've already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you've already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 OS image](#add-a-windows-10-os-image). If you've not yet created a Windows 10 reference image, complete the steps in this section.
-
-1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1. To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command:
-
- ```powershell
- Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
- ```
-
-2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
-
-3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, enter **deployment**, and then select **Deployment Workbench**.
-
-4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-
-5. Use the following settings for the New Deployment Share Wizard:
- - Deployment share path: **C:\MDTBuildLab**
- - Share name: **MDTBuildLab$**
- - Deployment share description: **MDT build lab**
- - Options: Select **Next** to accept the default
- - Summary: Select **Next**
- - Progress: settings will be applied
- - Confirmation: Select **Finish**
-
-6. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
-
-7. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
-
-8. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
-
-9. Use the following settings for the Import Operating System Wizard:
- - OS Type: **Full set of source files**
- - Source: **D:\\**
- - Destination: **W10Ent_x64**
- - Summary: Select **Next**
- - Confirmation: Select **Finish**
-
-10. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications).
-
-11. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-
- - Task sequence ID: **REFW10X64-001**
- - Task sequence name: **Windows 10 Enterprise x64 Default Image**
- - Task sequence comments: **Reference Build**
- - Template: **Standard Client Task Sequence**
- - Select OS: Select **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
- - Specify Product Key: **Do not specify a product key at this time**
- - Full Name: **Contoso**
- - Organization: **Contoso**
- - Internet Explorer home page: **`http://www.contoso.com`**
- - Admin Password: **Do not specify an Administrator password at this time**
- - Summary: Select **Next**
- - Confirmation: Select **Finish**
-
-12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
-
-13. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo.
-
-14. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again.
-
-15. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
-
-16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
-
-17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
-
- > [!NOTE]
- > Since we aren't installing applications in this test lab, there's no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you're also installing applications.
-
-18. Select **OK** to complete editing the task sequence.
-
-19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab.
-
-20. Replace the default rules with the following text:
-
- ```ini
- [Settings]
- Priority=Default
-
- [Default]
- _SMSTSORGNAME=Contoso
- UserDataLocation=NONE
- DoCapture=YES
- OSInstall=Y
- AdminPassword=pass@word1
- TimeZoneName=Pacific Standard TimeZoneName
- OSDComputername=#Left("PC-%SerialNumber%",7)#
- JoinWorkgroup=WORKGROUP
- HideShell=YES
- FinishAction=SHUTDOWN
- DoNotCreateExtraPartition=YES
- ApplyGPOPack=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=YES
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=YES
- SkipBitLocker=YES
- SkipSummary=YES
- SkipRoles=YES
- SkipCapture=NO
- SkipFinalSummary=NO
- ```
-
-21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
-
- ```ini
- [Settings]
- Priority=Default
-
- [Default]
- DeployRoot=\\SRV1\MDTBuildLab$
- UserDomain=CONTOSO
- UserID=MDT_BA
- UserPassword=pass@word1
- SkipBDDWelcome=YES
- ```
-
-22. Select **OK** to complete the configuration of the deployment share.
-
-23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
-
-24. Accept all default values in the Update Deployment Share Wizard by clicking **Next**. The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
-
-25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
-
- > [!TIP]
- > To copy the file, right-click the **LiteTouchPE_x86.iso** file, and select **Copy** on SRV1. Then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder, and select **Paste**.
-
-26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands:
-
- ```powershell
- New-VM -Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
- Set-VMMemory -VMName REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
- Set-VMDvdDrive -VMName REFW10X64-001 -Path c:\VHD\LiteTouchPE_x86.iso
- Start-VM REFW10X64-001
- vmconnect localhost REFW10X64-001
- ```
-
-27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
-
-28. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated.
-
- Other system restarts will occur to complete updating and preparing the OS. Setup will complete the following procedures:
-
- - Install the Windows 10 Enterprise OS.
- - Install added applications, roles, and features.
- - Update the OS using Windows Update (or WSUS if optionally specified).
- - Stage Windows PE on the local disk.
- - Run System Preparation (Sysprep) and reboot into Windows PE.
- - Capture the installation to a Windows Imaging (WIM) file.
- - Turn off the virtual machine.
-
- This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**.
-
-### Add a Windows 10 OS image
-
-1. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
-
- ```powershell
- New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
- cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
- ```
-
-2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then select **Add Operating System Image**.
-
-3. On the Data Source page, under **Path:**, enter or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**.
-
-4. On the General page, next to **Name:**, enter **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**.
-
-5. Distribute the OS image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** OS image and then clicking **Distribute Content**.
-
-6. In the Distribute Content Wizard, select **Next**, select **Add**, select **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, select **OK**, select **Next** twice and then select **Close**.
-
-7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar. (Make sure there's no space at the end of the location or you'll get an error.) Select **Windows 10 Enterprise x64** and monitor the status of content distribution until it's successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes.
-
- > [!NOTE]
- > If content distribution isn't successful, verify that sufficient disk space is available.
-
-### Create a task sequence
-
-> [!TIP]
-> Complete this section slowly. There are a large number of similar settings from which to choose.
-
-1. In the Configuration Manager console, in the **Software Library** workspace expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**.
-
-2. On the Choose Template page, select the **Client Task Sequence** template and select **Next**.
-
-3. On the General page, enter **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**.
-
-4. On the Details page, enter the following settings:
-
- - Join a domain: **contoso.com**
- - Account: Select **Set**
- - User name: **contoso\CM_JD**
- - Password: **pass@word1**
- - Confirm password: **pass@word1**
- - Select **OK**
- - Windows Settings
- - User name: **Contoso**
- - Organization name: **Contoso**
- - Product key: \
Retaining applications and settings requires that architecture (32-bit or 64-bit) is the same before and after the upgrade.|
-|**RAM**|8-GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
16-GB RAM to test Windows 10 deployment with Microsoft Configuration Manager.|Any|
-|**Disk**|200-GB available hard disk space, any format.|Any size, MBR formatted.|
-|**CPU**|SLAT-Capable CPU|Any|
-|**Network**|Internet connection|Any|
-
-## Lab setup
-
-The lab architecture is summarized in the following diagram:
-
-
-
-- Computer 1 is configured to host four VMs on a private, PoC network.
-
- - Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
-
- - Two VMs are client systems: One VM is intended to mirror a host on your network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
-
-> [!NOTE]
-> If you have an existing Hyper-V host, you can use this host and skip the Hyper-V installation section in this guide.
-
-The two Windows Server VMs can be combined into a single VM to conserve RAM and disk space if necessary. However, instructions in this guide assume two server systems are used. Using two servers enables Active Directory Domain Services and DHCP to be installed on a server that isn't directly connected to the network. This action mitigates the risk of clients on the network receiving DHCP leases from the PoC network. In other words, a "rogue" DHCP server. It also limits NETBIOS service broadcasts.
-
-## Configure the PoC environment
-
-> [!TIP]
-> Before you begin, ensure that Windows PowerShell is pinned to the taskbar for easy access. If the Hyper-V host is running Windows Server then Windows PowerShell is automatically pinned to the taskbar. To pin Windows PowerShell to the taskbar on Windows 8.1 or Windows 10: Click **Start**, type **power**, right click **Windows PowerShell**, and then click **Pin to taskbar**. After Windows PowerShell is pinned to the taskbar, you can open an elevated Windows PowerShell prompt by right-clicking the icon on the taskbar and then clicking **Run as Administrator**.
-
-### Procedures in this section
-
-- [Verify support and install Hyper-V](#verify-support-and-install-hyper-v)
-- [Download VHD and ISO files](#download-vhd-and-iso-files)
-- [Convert PC to VM](#convert-pc-to-vm)
-- [Resize VHD](#resize-vhd)
-- [Configure Hyper-V](#configure-hyper-v)
-- [Configure VMs](#configure-vms)
-
-### Verify support and install Hyper-V
-
-1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
-
- ```cmd
- C:\>systeminfo.exe
-
- ...
- Hyper-V Requirements: VM Monitor Mode Extensions: Yes
- Virtualization Enabled In Firmware: Yes
- Second Level Address Translation: Yes
- Data Execution Prevention Available: Yes
- ```
-
- In this example, the computer supports SLAT and Hyper-V.
-
- If one or more requirements are evaluated as **No**, then the computer doesn't support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
-
- You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
-
- ```cmd
- C:\>coreinfo.exe -v
-
- Coreinfo v3.31 - Dump information on system CPU and memory topology
- Copyright (C) 2008-2014 Mark Russinovich
- Sysinternals - www.sysinternals.com
-
- Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
- Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
- Microcode signature: 0000001B
- HYPERVISOR - Hypervisor is present
- VMX * Supports Intel hardware-assisted virtualization
- EPT * Supports Intel extended page tables (SLAT)
- ```
-
- > [!NOTE]
- > A 64-bit operating system is required to run Hyper-V.
-
-2. The Hyper-V feature isn't installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
-
- ```powershell
- Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
- ```
-
- This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an extra command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
-
- ```powershell
- Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
- ```
-
- When you're prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
-
- Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
-
- 
-
- 
-
- If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**.
-
-### Download VHD and ISO files
-
-When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab.
-
-1. Create a directory on your Hyper-V host named **C:\VHD**. Download a single VHD file for [Windows Server](https://www.microsoft.com/evalcenter/evaluate-windows-server-2022) to the **C:\VHD** directory.
-
- > [!NOTE]
- > The currently available downloads are Windows Server 2019 or Windows Server 2022. The rest of this article refers to "Windows Server 2012 R2" and similar variations.
-
- > [!IMPORTANT]
- > This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
-
-2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. Do this action to make the filename simple to recognize and type.
-
-3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
-
-4. Download the [Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) ISO file to the **C:\VHD** directory on your Hyper-V host.
-
- You can select the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version.
-
- > [!NOTE]
- > The evaluation version of Windows 10 doesn't support in-place upgrade**.
-
-5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. This step is so that the filename is simple to type and recognize.
-
- After completing these steps, you'll have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**.
-
- The following example displays the procedures described in this section, both before and after downloading files:
-
- ```cmd
- C:>mkdir VHD
- C:>cd VHD
- C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
- C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
- 1 file(s) copied.
- C:\VHD ren *.iso w10-enterprise.iso
- C:\VHD>dir /B
- 2012R2-poc-1.vhd
- 2012R2-poc-2.vhd
- w10-enterprise.iso
- ```
-
-### Convert PC to VM
-
-> [!IMPORTANT]
-> Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network.
-
-
-
-If you have a PC available to convert to VM (computer 2):
-
-1. Sign in on computer 2 using an account with Administrator privileges.
-
- > [!IMPORTANT]
- > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the network.
-
-2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
-
-3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
-
-#### Determine the VM generation and partition type
-
-When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs.
-
-||Architecture|Operating system|Partition style|
-|--- |--- |--- |--- |
-|**Generation 1**|32-bit or 64-bit|Windows 7 or later|MBR|
-|**Generation 2**|64-bit|Windows 8 or later|MBR or GPT|
-
-If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM.
-
-- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**.
-
-- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command:
-
- ```powershell
- Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
- ```
-
-If the **Type** column doesn't indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
-
-```powershell
-Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-SystemName Caption Type
----------- ------- ----
-USER-PC1 Disk #0, Partition #0 GPT: System
-USER-PC1 Disk #0, Partition #1 GPT: Basic Data
-```
-
-On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
-
-```powershell
-Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
-
-SystemName Caption Type
----------- ------- ----
-PC-X1 Disk #0, Partition #0 GPT: Unknown
-PC-X1 Disk #0, Partition #1 GPT: System
-PC-X1 Disk #0, Partition #2 GPT: Basic Data
-PC-X1 Disk #0, Partition #3 GPT: Basic Data
-PC-X1 Disk #0, Partition #4 GPT: Basic Data
-
-PS C:> Get-Disk
-
-Number Friendly Name OperationalStatus Total Size Partition Style
------- ------------- ----------------- ---------- ---------------
-0 INTEL SSDSCMMW240A3L Online 223.57 GB GPT
-```
-
-##### Choosing a VM generation
-
-The following tables display the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
-
-###### Windows 7 MBR
-
-|Architecture|VM generation|Procedure|
-|--- |--- |--- |
-|32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
-|64|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
-
-###### Windows 7 GPT
-
-|Architecture|VM generation|Procedure|
-|--- |--- |--- |
-|32|N/A|N/A|
-|64|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)|
-
-###### Windows 8 or later MBR
-
-|Architecture|VM generation|Procedure|
-|--- |--- |--- |
-|32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
-|64|1, 2|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
-
-###### Windows 8 or later GPT
-
-|Architecture|VM generation|Procedure|
-|--- |--- |--- |
-|32|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)|
-|64|2|[Prepare a generation 2 VM](#prepare-a-generation-2-vm)|
-
-> [!NOTE]
->
-> - If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
->
-> - If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the `mountvol` command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm).
->
-> - If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm).
-
-#### Prepare a generation 1 VM
-
-1. Download the [Disk2vhd utility](/sysinternals/downloads/disk2vhd), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
-
- > [!TIP]
- > You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
-
-2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-
-3. Select the checkboxes next to the `C:\` and the **system reserved** (BIOS/MBR) volumes. The system volume isn't assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to `\?\Volume{`. See the following example.
-
- > [!IMPORTANT]
- > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Choosing a VM generation](#choosing-a-vm-generation).
-
-4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and select **Create**. See the following example:
-
- 
-
- Disk2vhd can save VHDs to local hard drives, even if they're the same as the volumes being converted. Performance is better, however, when the VHD is saved on a disk different than the disks being converted, such as a flash drive.
-
-5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
- ```cmd
- C:\vhd>dir /B
- 2012R2-poc-1.vhd
- 2012R2-poc-2.vhd
- w10-enterprise.iso
- w7.VHDX
- ```
-
-#### Prepare a generation 2 VM
-
-1. Download the [Disk2vhd utility](/sysinternals/downloads/disk2vhd), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
-
- > [!TIP]
- > You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
-
-2. On the computer you wish to convert, open an elevated command prompt and type the following command:
-
- ```cmd
- mountvol.exe s: /s
- ```
-
- This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
-
-3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-
-4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy won't work if the EFI system partition is selected.
-
- > [!IMPORTANT]
- > You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired.
-
-5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and select **Create**. See the following example:
-
- 
-
- Disk2vhd can save VHDs to local hard drives, even if they're the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those disks being converted, such as a flash drive.
-
-6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
- ```cmd
- C:\vhd>dir /B
- 2012R2-poc-1.vhd
- 2012R2-poc-2.vhd
- w10-enterprise.iso
- PC1.VHDX
- ```
-
-#### Prepare a generation 1 VM from a GPT disk
-
-1. Download the [Disk2vhd utility](/sysinternals/downloads/disk2vhd), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
-
- You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
-
-2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
-
-3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**.
-
- > [!NOTE]
- > The system volume isn't copied in this scenario, it will be added later.
-
-4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and select **Create**. See the following example:
-
- 
-
- Disk2vhd can save VHDs to local hard drives, even if they're the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those disks being converted, such as a flash drive.
-
-5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
- ```cmd
- C:\vhd>dir /B
- 2012R2-poc-1.vhd
- 2012R2-poc-2.vhd
- w10-enterprise.iso
- w7.VHD
- ```
-
- In its current state, the w7.VHD file isn't bootable. The VHD will be used to create a bootable VM later in the [Configure Hyper-V](#configure-hyper-v) section.
-
-### Enhanced session mode
-
-> [!IMPORTANT]
-> Before proceeding, verify that you can take advantage of [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
-
-To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-
-```powershell
-Set-VMhost -EnableEnhancedSessionMode $TRUE
-```
-
-If enhanced session mode wasn't previously enabled, close any existing virtual machine connections and reopen them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
-
-### Resize VHD
-
-The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to 100 GB to support installing imaging tools and storing OS images.
-
-1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
- ```powershell
- Resize-VHD -Path c:\VHD\2012R2-poc-2.vhd -SizeBytes 100GB
- $x = (Mount-VHD -Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
- Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
- ```
-
-2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive:
-
- ```powershell
- Get-Volume -DriveLetter $x
- Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd
- ```
-
-### Configure Hyper-V
-
-1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external":
-
- If the Hyper-V host already has an external virtual switch bound to a physical NIC, don't attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
-
- **A**: Remove the existing external virtual switch, then add the poc-external switch
-
- **B**: Rename the existing external switch to "poc-external"
-
- **C**: Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
-
- If you choose B) or C), then don't run the second command below.
-
- ```powershell
- New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
- New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
- ```
-
- > [!NOTE]
- > The second command above will temporarily interrupt network connectivity on the Hyper-V host.
-
- Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this action by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet (`$_.Status -eq "Up" -and !$_.Virtual`). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation won't work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the internet is named "Ethernet 2" then type the following command to create an external virtual switch: `New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External"`
-
-2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
-
- ```powershell
- (Get-VMHostNumaNode).MemoryAvailable
- ```
-
- This command will display the megabytes of RAM available for VMs. On a Hyper-V host computer with 16 GB of physical RAM installed, 10,000 MB of RAM or greater should be available if the computer isn't also running other applications. On a computer with 8 GB of physical RAM installed, at least 4000 MB should be available. If the computer has less RAM available, try closing applications to free up more memory.
-
-3. Determine the available memory for VMs by dividing the available RAM by 4. For example:
-
- ```powershell
- (Get-VMHostNumaNode).MemoryAvailable/4
- 2775.5
- ```
-
- In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously.
-
-4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later.
-
- > [!IMPORTANT]
- > Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
-
- ```powershell
- $maxRAM = 2700MB
- New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
- Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
- Enable-VMIntegrationService -Name "Guest Service Interface" -VMName DC1
- New-VM -Name "SRV1" -VHDPath c:\vhd\2012R2-poc-2.vhd -SwitchName poc-internal
- Add-VMNetworkAdapter -VMName "SRV1" -SwitchName "poc-external"
- Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
- Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
- ```
-
- > [!NOTE]
- > The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
-
-5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Choosing a VM generation](#choosing-a-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
-
- To create a generation 1 VM (using c:\vhd\w7.vhdx):
-
- ```powershell
- New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
- Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
- Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
- ```
-
- To create a generation 2 VM (using c:\vhd\PC1.vhdx):
-
- ```powershell
- New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
- Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
- Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
- ```
-
- To create a generation 1 VM from a GPT disk (using c:\vhd\w7.vhd):
-
- > [!NOTE]
- > The following procedure is more complex because it includes steps to convert the OS partition from GPT to MBR format. Steps are included to create a temporary VHD and attach it to the VM, the OS image is saved to this drive, the OS drive is then reformatted to MBR, the OS image restored, and the temporary drive is removed.
-
- First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Don't forget to include a pipe (`|`) at the end of the first five commands:
-
- ```powershell
- New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
- Mount-VHD -Passthru |
- Get-Disk -Number {$_.DiskNumber} |
- Initialize-Disk -PartitionStyle MBR -PassThru |
- New-Partition -UseMaximumSize |
- Format-Volume -Confirm:$false -FileSystem NTFS -force
- Dismount-VHD -Path c:\vhd\d.vhd
- ```
-
- Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell prompt):
-
- ```powershell
- New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
- Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
- Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
- Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
- Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
- Start-VM PC1
- vmconnect localhost PC1
- ```
-
- The VM will automatically boot into Windows Setup. In the PC1 window:
-
- 1. Select **Next**.
-
- 2. Select **Repair your computer**.
-
- 3. Select **Troubleshoot**.
-
- 4. Select **Command Prompt**.
-
- 5. Type the following command to save an image of the OS drive:
-
- ```cmd
- dism.exe /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
- ```
-
- 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
-
- ```cmd
- diskpart.exe
- select disk 0
- clean
- convert MBR
- create partition primary size=100
- format fs=ntfs quick
- active
- create partition primary
- format fs=ntfs quick label=OS
- assign letter=c
- exit
- ```
-
- 7. Type the following commands to restore the OS image and boot files:
-
- ```cmd
- dism.exe /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
- bcdboot.exe c:\windows
- exit
- ```
-
- 8. Select **Continue** and verify the VM boots successfully. Don't boot from DVD.
-
- 9. Select **Ctrl+Alt+Del**, and then in the bottom right corner, select **Shut down**.
-
- 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
-
- ```powershell
- Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
- Set-VMDvdDrive -VMName PC1 -Path $null
- ```
-
-### Configure VMs
-
-1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands:
-
- ```powershell
- Start-VM DC1
- vmconnect localhost DC1
- ```
-
-2. Select **Next** to accept the default settings, read the license terms and select **I accept**, provide a strong administrator password, and select **Finish**.
-
-3. Select **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
-
-4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account.
-
- > [!NOTE]
- > Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM.
-
-5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
-
- ```powershell
- Rename-Computer DC1
- New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.1 -PrefixLength 24 -DefaultGateway 192.168.0.2
- Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
- ```
-
- The default gateway at 192.168.0.2 will be configured later in this guide.
-
- > [!NOTE]
- > A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt.
-
-6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt:
-
- ```powershell
- Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
- ```
-
-7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt:
-
- ```powershell
- Restart-Computer
- ```
-
-8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt:
-
- ```powershell
- $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
- Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
- ```
-
- Ignore any warnings that are displayed. The computer will automatically reboot upon completion.
-
-9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert:
-
- ```powershell
- Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
- Add-WindowsFeature -Name DHCP -IncludeManagementTools
- netsh dhcp add securitygroups
- Restart-Service DHCPServer
- Add-DhcpServerInDC dc1.contoso.com 192.168.0.1
- Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2
- ```
-
-10. Next, add a DHCP scope and set option values:
-
- ```powershell
- Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
- Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
- ```
-
- The -Force option is necessary when adding scope options to skip validation of 192.168.0.2 as a DNS server because we haven't configured it yet. The scope should immediately begin issuing leases on the PoC network. The first DHCP lease that will be issued is to vEthernet interface on the Hyper-V host, which is a member of the internal network. You can verify this configuration by using the command: `Get-DhcpServerv4Lease -ScopeId 192.168.0.0`
-
-11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
-
- ```powershell
- Get-DnsServerForwarder
- ```
-
- The following output should be displayed:
-
- ```console
- UseRootHint : True
- Timeout(s) : 3
- EnableReordering : True
- IPAddress : 192.168.0.2
- ReorderedIPAddress : 192.168.0.2
- ```
-
- If this output isn't displayed, you can use the following command to add SRV1 as a forwarder:
-
- ```powershell
- Add-DnsServerForwarder -IPAddress 192.168.0.2
- ```
-
- **Configure service and user accounts**
-
- Windows 10 deployment with Configuration Manager and MDT requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
-
- To keep this test lab relatively simple, we won't create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-
- On DC1, open an elevated Windows PowerShell prompt and type the following commands:
-
- ```powershell
- New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
- New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
- New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
- New-ADUser -Name CM_NAA -UserPrincipalName CM_NAA -Description "Configuration Manager Network Access Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
- Add-ADGroupMember "Domain Admins" MDT_BA,CM_JD,CM_NAA
- Set-ADUser -Identity user1 -PasswordNeverExpires $true
- Set-ADUser -Identity administrator -PasswordNeverExpires $true
- Set-ADUser -Identity MDT_BA -PasswordNeverExpires $true
- Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
- Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
- ```
-
-12. Minimize the DC1 VM window but **do not stop** the VM.
-
- Next, the client VM will be started and joined to the contoso.com domain. This action is done before adding a gateway to the PoC network so that there's no danger of duplicate DNS registrations for the physical client and its cloned VM in the domain.
-
-13. If the PC1 VM isn't started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
-
- ```powershell
- Start-VM PC1
- vmconnect localhost PC1
- ```
-
-14. Sign in to PC1 using an account that has local administrator rights.
-
- PC1 will be disconnected from its current domain, so you can't use a domain account to sign on unless these credentials are cached and the use of cached credentials is permitted by Group Policy. If cached credentials are available and permitted, you can use these credentials to sign in. Otherwise, use an existing local administrator account.
-
-15. After you sign in, Windows detects that it's running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you'll be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
-
- 
-
- If the client was configured with a static address, you must change this address to a dynamic one so that it can obtain a DHCP lease.
-
-16. When the new network adapter driver has completed installation, you'll receive an alert to set a network location for the contoso.com network. Select **Work network** and then select **Close**. When you receive an alert that a restart is required, select **Restart Later**.
-
-17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller.
-
- To open Windows PowerShell on Windows 7, select **Start**, and search for "**power**." Right-click **Windows PowerShell** and then select **Pin to Taskbar** so that it's simpler to use Windows PowerShell during this lab. Select **Windows PowerShell** on the taskbar, and then type `ipconfig` at the prompt to see the client's current IP address. Also type `ping dc1.contoso.com` and `nltest /dsgetdc:contoso.com` to verify that it can reach the domain controller. See the following examples of a successful network connection:
-
- ```cmd
- ipconfig.exe
-
- Windows IP Configuration
-
- Ethernet adapter Local Area Connection 3:
- Connection-specific DNS Suffix . : contoso.com
- Link-local IPv6 Address . . . . . : fe80::64c2:4d2a:7403:6e02%18
- Ipv4 Address. . . . . . . . . . . : 192.168.0.101
- Subnet Mask . . . . . . . . . . . : 255.255.255.0
- Default Gateway . . . . . . . . . : 192.168.0.2
-
- ping dc1.contoso.com
-
- Pinging dc1.contoso.com [192.168.0.1] with 32 bytes of data:
- Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
- Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
- Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
- Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
-
- nltest /dsgetdc:contoso.com
- DC: \\DC1
- Address: \\192.168.0.1
- Dom Guid: fdbd0643-d664-411b-aea0-fe343d7670a8
- Dom Name: CONTOSO
- Forest Name: contoso.com
- Dc Site Name: Default-First-Site-Name
- Our Site Name: Default-First-Site-Name
- Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE FULL_SECRET WS 0xC000
- ```
-
- > [!NOTE]
- > If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it's possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them.
-
-18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then select **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
-
- ```powershell
- (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
- $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
- $user = "contoso\administrator"
- $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
- Add-Computer -DomainName contoso.com -Credential $cred
- Restart-Computer
- ```
-
- If you don't see the script pane, select **View** and verify **Show Script Pane Top** is enabled. Select **File** and then select **New**.
-
- See the following example:
-
- :::image type="content" alt-text="ISE 1." source="images/ISE.png" lightbox="images/ISE.png":::
-
-19. Select **File**, select **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
-
-20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
-
- ```powershell
- Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
- Copy-VMFile "PC1" -SourcePath "C:\VHD\pc1.ps1" -DestinationPath "C:\pc1.ps1" -CreateFullPath -FileSource Host
- ```
-
- > [!NOTE]
- > In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
-
- If the copy-vmfile command doesn't work and you can't properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode isn't available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the `.ps1` extension and not as a text (`.txt`) file.
-
-21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
-
- ```powershell
- Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
- ```
-
- The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the network so as to ensure the computer object in the domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
-
-22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
-
- > [!IMPORTANT]
- > The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
-
-23. Minimize the PC1 window but don't turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This action verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
-
-24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
-
- ```powershell
- Start-VM SRV1
- vmconnect localhost SRV1
- ```
-
-25. Accept the default settings, read license terms and accept them, provide a strong administrator password, and select **Finish**. When you're prompted about finding PCs, devices, and content on the network, select **Yes**.
-
-26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. Enhanced session mode will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
-
-27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands:
-
- ```powershell
- Rename-Computer SRV1
- New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.2 -PrefixLength 24
- Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
- Restart-Computer
- ```
-
- > [!IMPORTANT]
- > Verify that you are configuring the correct interface in this step. The commands in this step assume that the poc-internal interface on SRV1 is named "Ethernet." If you are unsure how to check the interface, see step #30 below for instructions and tips on how to verify and modify the interface name.
-
-28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt:
-
- ```powershell
- $pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
- $user = "contoso\administrator"
- $cred = New-Object System.Management.Automation.PSCredential($user,$pass)
- Add-Computer -DomainName contoso.com -Credential $cred
- Restart-Computer
- ```
-
-29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands:
-
- ```powershell
- Install-WindowsFeature -Name DNS -IncludeManagementTools
- Install-WindowsFeature -Name WDS -IncludeManagementTools
- Install-WindowsFeature -Name Routing -IncludeManagementTools
- ```
-
-30. Before configuring the routing service that was installed, verify that network interfaces were added to SRV1 in the right order, resulting in an interface alias of "Ethernet" for the private interface, and an interface alias of "Ethernet 2" for the public interface. Also verify that the external interface has a valid external DHCP IP address lease.
-
- To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below:
-
- ```powershell
- Get-NetAdapter | ? status -eq 'up' | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
-
- IPAddress InterfaceAlias
- --------- --------------
- 10.137.130.118 Ethernet 2
- 192.168.0.2 Ethernet
- ```
-
- In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your network. If so, you can try removing and readding the second network interface from the SRV1 VM through its Hyper-V settings.
-
- > [!TIP]
- > Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name.
-
-31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
-
- ```powershell
- Install-RemoteAccess -VpnType Vpn
- cmd /c netsh routing ip nat install
- cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
- cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
- cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
- ```
-
-32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This step can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
-
- ```powershell
- Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
- ```
-
-33. In most cases, this process completes configuration of the PoC network. However, if your network has a firewall that filters queries from local DNS servers, you'll also need to configure a server-level DNS forwarder on SRV1 to resolve internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
-
- ```cmd
- ping.exe www.microsoft.com
- ```
-
- If you see "Ping request couldn't find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you'll need to configure a server-level DNS forwarder on SRV1. To do this action, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
-
- > [!NOTE]
- > This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
-
- ```powershell
- Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
- ```
-
-34. If DNS and routing are both working correctly, you'll see the following output on DC1 and PC1 (the IP address might be different, but that's OK):
-
- ```cmd
- ping www.microsoft.com
-
- Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
- Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
- Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
- Reply from 23.222.146.170: bytes=32 time=2ms TTL=51
- Reply from 23.222.146.170: bytes=32 time=1ms TTL=51
-
- Ping statistics for 23.222.146.170:
- Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
- Approximate round trip times in milli-seconds:
- Minimum = 1ms, Maximum = 3ms, Average = 2ms
- ```
-
-35. Verify that all three VMs can reach each other, and the internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
-36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in three days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
-
- ```powershell
- runas.exe /noprofile /env /user:administrator@contoso.com "cmd.exe /c slmgr -rearm"
- Restart-Computer
- ```
-
-This process completes configuration of the starting PoC environment. More services and tools are installed in subsequent guides.
-
-## Appendix A: Verify the configuration
-
-Use the following procedures to verify that the PoC environment is configured properly and working as expected.
-
-1. On DC1, open an elevated Windows PowerShell prompt and type the following commands:
-
- ```powershell
- Get-Service NTDS,DNS,DHCP
- DCDiag -a
- Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
- Get-DnsServerForwarder
- Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
- Get-DhcpServerInDC
- Get-DhcpServerv4Statistics
- ipconfig.exe /all
- ```
-
- **Get-Service** displays a status of "Running" for all three services.
-
- **DCDiag** displays "passed test" for all tests.
-
- **Get-DnsServerResourceRecord** displays the correct DNS address records for DC1, SRV1, and the computername of PC1. Other address records for the zone apex (@), DomainDnsZones, and ForestDnsZones will also be registered.
-
- **Get-DnsServerForwarder** displays a single forwarder of 192.168.0.2.
-
- **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
-
- **Get-DhcpServerInDC** displays 192.168.0.1, `dc1.contoso.com`.
-
- **Get-DhcpServerv4Statistics** displays one scope with two addresses in use. These addresses belong to PC1 and the Hyper-V host.
-
- **ipconfig** displays a primary DNS suffix and suffix search list of `contoso.com`, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
-
-2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
-
- ```powershell
- Get-Service DNS,RemoteAccess
- Get-DnsServerForwarder
- Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
- ipconfig.exe /all
- netsh.exe int ipv4 show address
- ```
-
- **Get-Service** displays a status of "Running" for both services.
-
- **Get-DnsServerForwarder** either displays no forwarders, or displays a list of forwarders you're required to use so that SRV1 can resolve internet names.
-
- **Resolve-DnsName** displays public IP address results for `www.microsoft.com`.
-
- **ipconfig** displays a primary DNS suffix of `contoso.com`. The suffix search list contains `contoso.com` and your domain. Two ethernet adapters are shown: Ethernet adapter "Ethernet" has an IP address of 192.168.0.2, subnet mask of 255.255.255.0, no default gateway, and DNS server addresses of 192.168.0.1 and 192.168.0.2. Ethernet adapter "Ethernet 2" has an IP address, subnet mask, and default gateway configured by DHCP on your network.
-
- **netsh** displays three interfaces on the computer: interface "Ethernet 2" with DHCP enabled = Yes and IP address assigned by your network, interface "Ethernet" with DHCP enabled = No and IP address of 192.168.0.2, and interface "Loopback Pseudo-Interface 1" with IP address of 127.0.0.1.
-
-3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
-
- ```cmd
- whoami.exe
- hostname.exe
- nslookup.exe www.microsoft.com
- ping.exe -n 1 dc1.contoso.com
- tracert.exe www.microsoft.com
- ```
-
- **whoami.exe** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
-
- **hostname.exe** displays the name of the local computer, for example W7PC-001.
-
- **nslookup.exe** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
-
- **ping.exe** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target.
-
- **tracert.exe** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
-
-## Appendix B: Terminology used in this guide
-
-|Term|Definition|
-|--- |--- |
-|**GPT**|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.|
-|**Hyper-V**|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.|
-|**Hyper-V host**|The computer where Hyper-V is installed.|
-|**Hyper-V Manager**|The user-interface console used to view and configure Hyper-V.|
-|**MBR**|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.|
-|**Proof of concept (PoC)**|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.|
-|**Shadow copy**|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.|
-|**Virtual machine (VM)**|A VM is a virtual computer with its own operating system, running on the Hyper-V host.|
-|**Virtual switch**|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.|
-|**VM snapshot**|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.|
-
-## Next steps
-
-- [Windows 10 deployment scenarios](windows-deployment-scenarios.md)
-- [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
deleted file mode 100644
index f4b7f66792..0000000000
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: Switch to Windows 10 Pro/Enterprise from S mode
-description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.localizationpriority: medium
-ms.service: windows-client
-ms.topic: conceptual
-ms.date: 11/23/2022
-ms.subservice: itpro-deploy
----
-
-# Switch to Windows 10 Pro or Enterprise from S mode
-
-We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
-
-Many other transformations are possible depending on which version and edition of Windows 10 you're starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means:
-
-| If a device is running this version of Windows 10 | and this edition of Windows 10 | then you can switch or convert it to this edition of Windows 10 by these methods: | | |
-|-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------|
-| | | **Store for Education** (switch/convert all devices in your tenant) | **Microsoft Store** (switch/convert one device at a time) | **Intune** (switch/convert any number of devices selected by admin) |
-| **Windows 10, version 1709** | Pro in S mode | Pro EDU | Pro | Not by this method |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home | Not by any method | Not by any method | Not by any method |
-| | | | | |
-| **Windows 10, version 1803** | Pro in S mode | Pro EDU in S mode | Pro | Not by this method |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home in S mode | Not by any method | Home | Not by this method |
-| | Home | Not by any method | Not by any method | Not by any method |
-| | | | | |
-| **Windows 10, version 1809** | Pro in S mode | Pro EDU in S mode | Pro | Pro |
-| | Pro | Pro EDU | Not by any method | Not by any method |
-| | Home in S mode | Not by any method | Home | Home |
-| | Home | Not by any method | Not by any method | Not by any method |
-
-Use the following information to switch to Windows 10 Pro through the Microsoft Store.
-
-> [!IMPORTANT]
-> While it's free to switch to Windows 10 Pro, it's not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
-
-## Switch one device through the Microsoft Store
-
-Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
-
-Note these differences affecting switching modes in various releases of Windows 10:
-
-- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible.
-
-- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
-
-- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
-
-1. Sign into the Microsoft Store using your Microsoft account.
-
-2. Search for "S mode".
-
-3. In the offer, select **Buy**, **Get**, or **Learn more.**
-
-You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
-
-## Switch one or more devices by using Microsoft Intune
-
-Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE. Switching out of S mode gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
-
-1. Start Microsoft Intune.
-
-2. Navigate to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch**.
-
-3. Follow the instructions to complete the switch.
-
-## Block users from switching
-
-You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. To set this policy, go to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
-
-## S mode management with CSPs
-
-In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
-
-## Related articles
-
-[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
-[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows 10 Pro Education](/education/windows/test-windows10s-for-edu)
-[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune)
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 3e1a68db6b..ed42d9442b 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -22,7 +22,7 @@
- name: Configure your network
href: prepare/windows-autopatch-configure-network.md
- name: Enroll your tenant
- href: prepare/windows-autopatch-enroll-tenant.md
+ href: prepare/windows-autopatch-feature-activation.md
items:
- name: Fix issues found by the Readiness assessment tool
href: prepare/windows-autopatch-fix-issues.md
@@ -42,98 +42,90 @@
href: deploy/windows-autopatch-register-devices.md
- name: Windows Autopatch groups overview
href: deploy/windows-autopatch-groups-overview.md
- items:
- - name: Manage Windows Autopatch groups
- href: deploy/windows-autopatch-groups-manage-autopatch-groups.md
- name: Post-device registration readiness checks
href: deploy/windows-autopatch-post-reg-readiness-checks.md
- - name: Operate
+ - name: Manage
href:
items:
- - name: Software update management
- href: operate/windows-autopatch-groups-update-management.md
+ - name: Manage Windows Autopatch groups
+ href: manage/windows-autopatch-manage-autopatch-groups.md
+ - name: Customize Windows Update settings
+ href: manage/windows-autopatch-customize-windows-update-settings.md
+ - name: Windows feature updates
+ href: manage/windows-autopatch-windows-feature-update-overview.md
items:
- - name: Windows updates
- href:
- items:
- - name: Customize Windows Update settings
- href: operate/windows-autopatch-groups-windows-update.md
- - name: Windows quality updates
- href: operate/windows-autopatch-groups-windows-quality-update-overview.md
- items:
- - name: Windows quality update end user experience
- href: operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
- - name: Windows quality update signals
- href: operate/windows-autopatch-groups-windows-quality-update-signals.md
- - name: Windows quality update communications
- href: operate/windows-autopatch-groups-windows-quality-update-communications.md
- - name: Windows feature updates
- href: operate/windows-autopatch-groups-windows-feature-update-overview.md
- items:
- - name: Manage Windows feature updates
- href: operate/windows-autopatch-groups-manage-windows-feature-update-release.md
- - name: Microsoft 365 Apps for enterprise
- href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
- - name: Microsoft Edge
- href: operate/windows-autopatch-edge.md
- - name: Microsoft Teams
- href: operate/windows-autopatch-teams.md
- - name: Windows quality and feature update reports overview
- href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
+ - name: Manage Windows feature updates
+ href: manage/windows-autopatch-manage-windows-feature-update-releases.md
+ - name: Windows quality updates
+ href: manage/windows-autopatch-windows-quality-update-overview.md
+ items:
+ - name: Windows quality update end user experience
+ href: manage/windows-autopatch-windows-quality-update-end-user-exp.md
+ - name: Windows quality update communications
+ href: manage/windows-autopatch-windows-quality-update-communications.md
+ - name: Windows quality update policies
+ href: manage/windows-autopatch-windows-update-policies.md
+ - name: Manage driver and firmware updates
+ href: manage/windows-autopatch-manage-driver-and-firmware-updates.md
+ - name: Microsoft 365 Apps for enterprise
+ href: manage/windows-autopatch-microsoft-365-apps-enterprise.md
+ items:
+ - name: Microsoft 365 Apps for enterprise update policies
+ href: manage/windows-autopatch-microsoft-365-policies.md
+ - name: Microsoft Edge
+ href: manage/windows-autopatch-edge.md
+ - name: Microsoft Teams
+ href: manage/windows-autopatch-teams.md
+ - name: Submit a support request
+ href: manage/windows-autopatch-support-request.md
+ - name: Exclude a device
+ href: manage/windows-autopatch-exclude-device.md
+ - name: Unenroll your tenant
+ href: manage/windows-autopatch-feature-deactivation.md
+ - name: Monitor
+ href:
+ items:
+ - name: Windows feature and quality update reports overview
+ href: monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
items:
- - name: Windows quality update reports
- href:
- items:
- - name: Summary dashboard
- href: operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
- - name: Quality update status report
- href: operate/windows-autopatch-groups-windows-quality-update-status-report.md
- - name: Quality update trending report
- href: operate/windows-autopatch-groups-windows-quality-update-trending-report.md
- - name: Reliability report
- href: operate/windows-autopatch-reliability-report.md
- name: Windows feature update reports
href:
items:
- name: Summary dashboard
- href: operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
+ href: monitor/windows-autopatch-windows-feature-update-summary-dashboard.md
- name: Feature update status report
- href: operate/windows-autopatch-groups-windows-feature-update-status-report.md
+ href: monitor/windows-autopatch-windows-feature-update-status-report.md
- name: Feature update trending report
- href: operate/windows-autopatch-groups-windows-feature-update-trending-report.md
- - name: Windows quality and feature update device alerts
- href: operate/windows-autopatch-device-alerts.md
+ href: monitor/windows-autopatch-windows-feature-update-trending-report.md
+ - name: Windows quality update reports
+ href:
+ items:
+ - name: Summary dashboard
+ href: monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
+ - name: Quality update status report
+ href: monitor/windows-autopatch-windows-quality-update-status-report.md
+ - name: Quality update trending report
+ href: monitor/windows-autopatch-windows-quality-update-trending-report.md
+ - name: Reliability report
+ href: monitor/windows-autopatch-reliability-report.md
+ - name: Windows feature and quality update device alerts
+ href: monitor/windows-autopatch-device-alerts.md
- name: Policy health
href:
items:
- name: Policy health and remediation
- href: operate/windows-autopatch-policy-health-and-remediation.md
+ href: monitor/windows-autopatch-policy-health-and-remediation.md
- name: Resolve policy conflicts
- href: operate/windows-autopatch-resolve-policy-conflicts.md
+ href: monitor/windows-autopatch-resolve-policy-conflicts.md
- name: Maintain the Windows Autopatch environment
- href: operate/windows-autopatch-maintain-environment.md
- - name: Manage driver and firmware updates
- href: operate/windows-autopatch-manage-driver-and-firmware-updates.md
- - name: Submit a support request
- href: operate/windows-autopatch-support-request.md
- - name: Exclude a device
- href: operate/windows-autopatch-exclude-device.md
- - name: Unenroll your tenant
- href: operate/windows-autopatch-unenroll-tenant.md
+ href: monitor/windows-autopatch-maintain-environment.md
- name: References
href:
items:
- - name: Update policies
- href:
- items:
- - name: Windows update policies
- href: references/windows-autopatch-windows-update-unsupported-policies.md
- - name: Microsoft 365 Apps for enterprise update policies
- href: references/windows-autopatch-microsoft-365-policies.md
- - name: Conflicting configurations
- href: references/windows-autopatch-conflicting-configurations.md
+ - name: Conflicting configurations
+ href: references/windows-autopatch-conflicting-configurations.md
- name: Changes made at tenant enrollment
- href: references/windows-autopatch-changes-to-tenant.md
+ href: references/windows-autopatch-changes-made-at-feature-activation.md
- name: What's new
href:
items:
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
index be8a0b2063..e6ddc81d67 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
@@ -3,7 +3,7 @@ title: Add and verify admin contacts
description: This article explains how to add and verify admin contacts
ms.date: 07/08/2024
ms.service: windows-client
-ms.subservice: itpro-updates
+ms.subservice: autopatch
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index 3b2702240b..1c6f73eb6b 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -3,7 +3,7 @@ title: Device registration overview
description: This article provides an overview on how to register devices in Autopatch.
ms.date: 02/15/2024
ms.service: windows-client
-ms.subservice: itpro-updates
+ms.subservice: autopatch
ms.topic: concept-article
ms.localizationpriority: medium
author: tiaraquan
@@ -46,7 +46,7 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
| Step | Description |
| ----- | ----- |
| **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
-| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Microsoft Entra ID assigned or dynamic groups into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group when using adding existing device-based Microsoft Entra groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group
A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Microsoft Entra groups to the deployment ring (Last) in the Default Autopatch group.
| -| Scenario #2 | You create new [Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group).The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.
| +| Scenario #1 | You assign Microsoft Entra groups to be used with the deployment ring (Last) or you add additional deployment rings when you customize the [Default Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group).A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Microsoft Entra groups to the deployment ring (Last) in the Default Autopatch group.
| +| Scenario #2 | You create new [Custom Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md#create-a-custom-autopatch-group).The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.
| > [!NOTE] > Global releases don't show up in the Windows feature updates release management blade. @@ -124,7 +124,7 @@ The differences in between the global and the default Windows feature update pol | Default Windows feature update policy | Global Windows feature update policy | | ----- | ----- | -|When Windows Autopatch detects Intune based policies are missing or modified, this information is displayed with detailed recommended actions, and described in [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md).
To ensure devices remain healthy and not affected by group policies, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md#details-about-the-post-device-registration-readiness-checks).
## Policy conflict view -This view includes the list of Windows Autopatch policies ([Expected policies](#policy-conflict-alert-details)) that are assigned to various Windows Autopatch groups that include devices. When the Expected policy can't be successfully assigned to one or more devices, because of an equivalent setting in another Intune policy targeting the device, the conflict is detected, and reported as a [Conflicting policy](#policy-conflict-alert-details). +This view includes the list of Windows Autopatch policies ([Expected policies](#policy-conflict-alert-details)) that are assigned to various Windows Autopatch groups that include devices. When the Expected policy can't be successfully assigned to one or more devices, because of an equivalent setting in another Intune policy targeting the device, the conflict is detected, and reported as a [Conflicting policy](#policy-conflict-alert-details). -If the Expected policy conflicts with multiple Intune policies, each conflict is displayed in different lines in the Policy conflict view. +If the Expected policy conflicts with multiple Intune policies, each conflict is displayed in different lines in the Policy conflict view. **To view all policies conflicting with the expected policies:** -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Navigate to **Devices** > **Windows Autopatch** > **Policy health**. 3. In the **Policy conflicts** tab, the list of expected policies and conflicting policies is displayed. 4. Select **View alert** and review the details of the **Recommended action** and alert details. @@ -71,7 +71,7 @@ All alerts displayed in this flyout include the following details. You must revi ## Affected devices view -This view includes the list of devices with policy conflicts with the [Expected policy](#policy-conflict-alert-details). It’s possible for devices to have multiple conflicting policies, due to their membership in various groups. +This view includes the list of devices with policy conflicts with the [Expected policy](#policy-conflict-alert-details). It’s possible for devices to have multiple conflicting policies, due to their membership in various groups. You can navigate to this view from the Affected devices column link in the Policy conflicts view, or directly from Policy health blade. This page displays a filtered device list, when navigating from the Policy conflicts view. Affected devices only include devices that have a successful Intune sync status in the last 28 days. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md similarity index 99% rename from windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-status-report.md rename to windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md index d8e5c7be2a..5b210062a3 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-status-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md @@ -3,7 +3,7 @@ title: Feature update status report description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. ms.date: 07/08/2024 ms.service: windows-client -ms.subservice: itpro-updates +ms.subservice: autopatch ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md similarity index 99% rename from windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-summary-dashboard.md rename to windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md index 38af149ad8..f630537c12 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md @@ -3,7 +3,7 @@ title: Windows feature update summary dashboard description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. ms.date: 01/22/2024 ms.service: windows-client -ms.subservice: itpro-updates +ms.subservice: autopatch ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-trending-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md similarity index 98% rename from windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-trending-report.md rename to windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md index 2d724d0af1..39ffb54eff 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-trending-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md @@ -3,7 +3,7 @@ title: Feature update trending report description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. ms.date: 07/08/2024 ms.service: windows-client -ms.subservice: itpro-updates +ms.subservice: autopatch ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md similarity index 99% rename from windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-and-feature-update-reports-overview.md rename to windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md index 7d2cb8b29e..fadb440d95 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-and-feature-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md @@ -1,9 +1,9 @@ --- title: Windows quality and feature update reports overview description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch. -ms.date: 07/10/2024 +ms.date: 07/10/2024 ms.service: windows-client -ms.subservice: itpro-updates +ms.subservice: autopatch ms.topic: overview ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md similarity index 99% rename from windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-status-report.md rename to windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md index 34b11def99..7c1283c329 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-status-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md @@ -3,7 +3,7 @@ title: Quality update status report description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices. ms.date: 07/08/2024 ms.service: windows-client -ms.subservice: itpro-updates +ms.subservice: autopatch ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md similarity index 99% rename from windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md rename to windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md index 21c684b548..4752f080ec 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md @@ -3,7 +3,7 @@ title: Windows quality update summary dashboard description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch ms.date: 01/22/2024 ms.service: windows-client -ms.subservice: itpro-updates +ms.subservice: autopatch ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md similarity index 98% rename from windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-trending-report.md rename to windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md index a956837968..df4024c72f 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-trending-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md @@ -3,7 +3,7 @@ title: Quality update trending report description: Provides a visual representation of the update status trend for all devices over the last 90 days. ms.date: 07/08/2024 ms.service: windows-client -ms.subservice: itpro-updates +ms.subservice: autopatch ms.topic: how-to ms.localizationpriority: medium author: tiaraquan diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md deleted file mode 100644 index 7d66ce8a49..0000000000 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -title: Software update management for Autopatch groups -description: This article provides an overview of how updates are handled with Autopatch groups -ms.date: 07/08/2024 -ms.service: windows-client -ms.subservice: itpro-updates -ms.topic: concept-article -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: aaroncz -ms.reviewer: andredm7 -ms.collection: - - highpri - - tier1 ---- - -# Software update management - -Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf. - -## Software update workloads - -| Software update workload | Description | -| ----- | ----- | -| Windows quality update | Windows Autopatch uses four deployment rings to manage [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | -| Windows feature update | Windows Autopatch uses four deployment rings to manage [Windows feature updates](windows-autopatch-groups-windows-feature-update-overview.md) | -| Anti-virus definition | Updated with each scan. | -| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). | -| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). | -| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). | - -## Autopatch groups - -Autopatch groups help Microsoft Cloud-Managed services meet all organizations where they are at in their update management journey. - -Autopatch groups is a logical container that groups several [Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as Windows Update rings and feature update policies, together. - -For more information on key benefits and how to use Autopatch groups, see [Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md). - -## Windows quality updates - -Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month. - -To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. For more information, see [Windows quality updates overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md). - -## Windows feature updates - -You're in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version. - -The Window feature update release management experience makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf. - -For more information, see [Windows feature updates overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md). - -## Reports - -Using [Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md), you can monitor and remediate Windows Autopatch managed devices that are Not up to Date and resolve any device alerts to bring Windows Autopatch managed devices back into compliance. - -## Policy health and remediation - -Windows Autopatch deploys Intune policies for Windows quality and feature update management. Windows Update policies must remain healthy for devices to receive Windows updates and stay up to date. We continuously monitor the health of the policies and raise alerts and provide remediation actions. For more information, see [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) and [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md deleted file mode 100644 index caf9f9c2c5..0000000000 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md +++ /dev/null @@ -1,62 +0,0 @@ ---- -title: Windows quality update release signals -description: This article explains the Windows quality update release signals -ms.date: 07/08/2024 -ms.service: windows-client -ms.subservice: itpro-updates -ms.topic: conceptual -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: aaroncz -ms.reviewer: hathind -ms.collection: - - highpri - - tier1 ---- - -# Windows quality update signals - -Windows Autopatch monitors a specific set of signals and aims to release the monthly security update both quickly and safely. The service doesn't comprehensively monitor every use case in Windows. - -If there's a scenario that is critical to your business, which isn't monitored by Windows Autopatch, you're responsible for testing and taking any follow-up actions, like requesting to pause the release. - -## Pre-release signals - -Before being released to the Test ring in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch reviews several data sources to determine if we need to send any customer advisories or need to pause the update. Situations where Windows Autopatch doesn't release an update to the Test ring are seldom occurrences. - -| Pre-release signal | Description | -| ----- | ----- | -| Windows Payload Review | The contents of the monthly security update release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-groups-windows-quality-update-communications.md#communications-during-release) will be sent out. | -| Optional non-security preview release review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous optional non-security preview release to understand potential risks in the monthly security update release. | -| Optional non-security preview release review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the monthly security update release. | - -## Early signals - -The update is released to the Test ring in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) on the second Tuesday of the month. Those test devices will update, allowing you to conduct early testing of critical scenarios in your environment. There are also several Microsoft internal signals that are monitored throughout the release. - -| Device reliability signal | Description | Microsoft will | -| ----- | ----- | ----- | -| Security Risk Profile | As soon as the update is released, the criticality of the security content is assessed. |Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.
Diagnostic data is categorized into the following:
Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.
Diagnostic data is categorized into the following:
This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| -|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.
This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| +|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Microsoft Edge environment.
This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| ## Network isolation settings wildcards @@ -52,7 +52,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.| |Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
-|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
+|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you're no longer required to configure network isolation policy to enable Application Guard for Microsoft Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise or Pro or Education|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1709 or higher
Windows 10 Education, 1809 or higher
Windows 11 Enterprise and Education|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
index 43f2f31197..b539097c6d 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -4,7 +4,7 @@ metadata:
description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
ms.localizationpriority: medium
ms.topic: faq
- ms.date: 12/12/2023
+ ms.date: 07/11/2024
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |
@@ -211,7 +211,7 @@ sections:
- question: |
What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do?
answer: |
- This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
+ This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Microsoft Edge or Office.
- question: |
How do I open a support ticket for Microsoft Defender Application Guard?
@@ -220,9 +220,9 @@ sections:
- Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**.
- question: |
- Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site?
+ Is there a way to enable or disable the behavior where the host Microsoft Edge tab auto-closes when navigating to an untrusted site?
answer: |
- Yes. Use this Edge flag to enable or disable this behavior: `--disable-features="msWdagAutoCloseNavigatedTabs"`
+ Yes. Use this Microsoft Edge flag to enable or disable this behavior: `--disable-features="msWdagAutoCloseNavigatedTabs"`
additionalContent: |
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
index 33375dd2a1..beefaa14bb 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
@@ -1,7 +1,7 @@
---
title: Enable hardware-based isolation for Microsoft Edge
description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
-ms.date: 12/12/2023
+ms.date: 07/11/2024
ms.topic: how-to
---
@@ -31,7 +31,7 @@ Standalone mode is applicable for:
## Enterprise-managed mode
-You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container.
+You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add nonenterprise domain(s) in the container.
Enterprise-managed mode is applicable for:
@@ -93,7 +93,7 @@ Application Guard functionality is turned off by default. However, you can quick
To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
-1. In the **Assignments** page, select the users or groups that will receive the policy. Select **Next**.
+1. In the **Assignments** page, select the users or groups that receive the policy. Select **Next**.
To learn more about assigning policies, see [Assign policies in Microsoft Intune](/mem/intune/configuration/device-profile-assign).
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
deleted file mode 100644
index f841705678..0000000000
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Microsoft Defender Application Guard Extension
-description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers.
-ms.localizationpriority: medium
-ms.date: 12/12/2023
-ms.topic: conceptual
----
-
-# Microsoft Defender Application Guard Extension
-
-[!INCLUDE [mdag-edge-deprecation-notice](../../../includes/mdag-edge-deprecation-notice.md)]
-
-[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
-
-[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.
-
-> [!TIP]
-> Application Guard, by default, offers [native support](/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them.
-
-Microsoft Defender Application Guard Extension defends devices in your organization from advanced attacks, by redirecting untrusted websites to an isolated version of [Microsoft Edge](https://www.microsoft.com/edge). If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device protected.
-
-## Prerequisites
-
-Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1809 or later:
-
-- Windows 10 Professional
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 11
-
-Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already.
-
-## Installing the extension
-
-Application Guard can be run under [managed mode](install-md-app-guard.md#enterprise-managed-mode) or [standalone mode](install-md-app-guard.md#standalone-mode). The main difference between the two modes is whether policies have been set to define the organization's boundaries.
-
-Enterprise administrators running Application Guard under managed mode should first define Application Guard's [network isolation settings](configure-md-app-guard.md#network-isolation-settings), so a set of enterprise sites is already in place.
-
-From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode.
-
-1. On the local device, download and install the Application Guard extension for Google [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and/or Mozilla [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
-1. Install the [Microsoft Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer.
-1. Restart the device.
-
-### Recommended browser group policies
-
-Both Chrome and Firefox have their own browser-specific group policies. We recommend that admins use the following policy settings.
-
-#### Chrome policies
-
-These policies can be found along the filepath, `Software\Policies\Google\Chrome\`, with each policy name corresponding to the file name. For example, `IncognitoModeAvailability` is located at `Software\Policies\Google\Chrome\IncognitoModeAvailability`.
-
-Policy name | Values | Recommended setting | Reason
--|-|-|-
-[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled
`1` = Disabled
`2` = Forces pages to only open in Incognito mode | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default.
-[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
`true`, `1`, or not configured = Enabled | Disabled | This policy allows users to sign in as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default.
-[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
`true` or `1` = Enabled
**Note:** If this policy isn't set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension.
-[ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension.
-
-#### Firefox policies
-
-These policies can be found along the filepath, `Software\Policies\Mozilla\Firefox\`, with each policy name corresponding to the file name. Foe example, `DisableSafeMode` is located at `Software\Policies\Mozilla\Firefox\DisableSafeMode`.
-
-Policy name | Values | Recommended setting | Reason
--|-|-|-
-[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
`true` or `1` = Safe mode is disabled | The policy is enabled and Safe mode isn't allowed to run. | Safe mode can allow users to circumvent Application Guard
-[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to `about:config` is allowed
`true` or `1` = User access to `about:config` isn't allowed | The policy is enabled and access to `about:config` isn't allowed. | `About:config` is a special page within Firefox that offers control over many settings that may compromise security
-[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions. You can find these extensions by searching `extensions.webextensions.uuids` within the `about:config` page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user can't disable or uninstall it.
-
-## Troubleshooting guide
-
-
-
-Error message | Cause | Actions
--|-|-
-Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot 2. If the companion app is already installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and reinstall the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
-ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Retry the operation
-Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser 2. Check for updates in both the Microsoft store and the respective web store for the affected browser
-Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and reinstall the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
-Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Retry the operation
-Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed. 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and reinstall the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
-Protocol out of sync | The extension and native app can't communicate with each other. This error is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser
-Security patch level doesn't match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser
-Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Check if Microsoft Edge is working 3. Retry the operation
-
-## Related articles
-
-- [Microsoft Defender Application Guard overview](md-app-guard-overview.md)
-- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
index 109331df35..cc5f471678 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -1,7 +1,7 @@
---
title: Microsoft Defender Application Guard
description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
-ms.date: 12/12/2023
+ms.date: 07/11/2024
ms.topic: conceptual
---
@@ -15,7 +15,7 @@ Microsoft Defender Application Guard (MDAG) is designed to help prevent old and
For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container.
-For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
+For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint, and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
@@ -33,7 +33,7 @@ Application Guard has been created to target several types of devices:
[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-standalone-mode](../../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md)]
-For more information about Microsoft Defender Application Guard (MDAG) for Edge enterprise mode, [Configure Microsoft Defender Application Guard policy settings.](configure-md-app-guard.md)
+For more information about Microsoft Defender Application Guard (MDAG) for Microsoft Edge enterprise mode, [Configure Microsoft Defender Application Guard policy settings.](configure-md-app-guard.md)
## Related articles
@@ -43,7 +43,6 @@ For more information about Microsoft Defender Application Guard (MDAG) for Edge
|[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
-| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
| [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
index ff5414fd19..fcf8fe4d0b 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -3,7 +3,7 @@ title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
ms.topic: overview
ms.localizationpriority: medium
-ms.date: 12/12/2023
+ms.date: 07/11/2024
---
# System requirements for Microsoft Defender Application Guard
@@ -24,8 +24,8 @@ Your environment must have the following hardware to run Microsoft Defender Appl
| Hardware | Description |
|--------|-----------|
-| 64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
-| CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_
**AND**
One of the following virtualization extensions for VBS:
VT-x (Intel)
**OR**
AMD-V |
+| 64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and Virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
+| CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_
**AND**
One of the following virtualization extensions for VBS:
VT-x (Intel)
**OR**
AMD-V |
| Hardware memory | Microsoft requires a minimum of 8-GB RAM |
| Hard disk | 5-GB free space, solid state disk (SSD) recommended |
| Input/Output Memory Management Unit (IOMMU) support| Not required, but recommended |
@@ -38,4 +38,4 @@ Your environment must have the following hardware to run Microsoft Defender Appl
|--------|-----------|
| Operating system | Windows 10 Enterprise or Education editions, version 1809 or later
Windows 10 Professional edition, version 1809 or later (only [standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard#standalone-mode) is supported)
Windows 11 Education or Enterprise editions
Windows 11 Professional edition (only [Standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard#standalone-mode) is supported) |
| Browser | Microsoft Edge |
-| Management system
(only for managed devices)| [Microsoft Intune](/intune/)
**OR**
[Microsoft Configuration Manager](/configmgr/)
**OR**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**OR**
Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Microsoft MDM solutions, see the documentation that came with your product. |
+| Management system
(only for managed devices)| [Microsoft Intune](/mem/intune/)
**OR**
[Microsoft Configuration Manager](/mem/configmgr/)
**OR**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**OR**
Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Microsoft MDM solutions, see the documentation that came with your product. |
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index f63bfb9f1f..275a28dd9e 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -2,7 +2,7 @@
title: Testing scenarios with Microsoft Defender Application Guard
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
ms.localizationpriority: medium
-ms.date: 12/12/2023
+ms.date: 07/11/2024
ms.topic: conceptual
---
@@ -26,8 +26,8 @@ You can see how an employee would use standalone mode with Application Guard.
3. Wait for Application Guard to set up the isolated environment.
- >[!NOTE]
- >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
+ > [!NOTE]
+ > Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.
@@ -39,7 +39,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
### Install, set up, and turn on Application Guard
-Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings.
+Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11, which includes the functionality. Then, you must use Group Policy to set up the required settings.
1. [Install Application Guard](install-md-app-guard.md#install-application-guard).
@@ -47,19 +47,19 @@ Before you can use Application Guard in managed mode, you must install Windows 1
3. Set up the Network Isolation settings in Group Policy:
- a. Select the **Windows** icon, type `Group Policy`, and then select **Edit Group Policy**.
+ 1. Select the **Windows** icon, type `Group Policy`, and then select **Edit Group Policy**.
- b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
+ 1. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
- c. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box.
+ 1. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box.
- 
+ 
- d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.
+ 1. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.
- e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box.
+ 1. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box.
- 
+ 
4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting.
@@ -67,8 +67,8 @@ Before you can use Application Guard in managed mode, you must install Windows 1
- >[!NOTE]
- >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
+ > [!NOTE]
+ > Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
6. Start Microsoft Edge and type `https://www.microsoft.com`.
@@ -207,7 +207,7 @@ You have the option to change each of these settings to work with your enterpris
3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
-4. Open an application with video or audio capability in Edge.
+4. Open an application with video or audio capability in Microsoft Edge.
5. Check that the camera and microphone work as expected.
@@ -223,17 +223,20 @@ You have the option to change each of these settings to work with your enterpris
## Application Guard Extension for third-party web browsers
-The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer.
+The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they're running a web browser other than Microsoft Edge or Internet Explorer.
Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios.
1. Open either Firefox or Chrome, whichever browser you have the extension installed on.
2. Navigate to an organizational website. In other words, an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
+
-3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
+3. Navigate to a nonenterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
+
-4. Open a new Application Guard window, by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window**
+4. Open a new Application Guard window, by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window**.
+
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 6420d0019f..29d6d96ecb 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -60,7 +60,7 @@ Supported values:
- *Enable*: Enables vGPU support in the sandbox.
- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox uses software rendering, which might be slower than virtualized GPU.
-- *Default* This value is the default value for vGPU support. Currently, this default value denotes that vGPU is disabled.
+- *Default* This value is the default value for vGPU support. Currently, this default value denotes that vGPU is enabled.
> [!NOTE]
> Enabling virtualized GPU can potentially increase the attack surface of the sandbox.
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md
index 789ac396b8..97aafdbec1 100644
--- a/windows/security/book/cloud-services-protect-your-work-information.md
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@@ -232,7 +232,7 @@ Universal Print has integrated with Administrative Units in Microsoft Entra ID t
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Universal Print](https://www.microsoft.com/microsoft-365/windows/universal-print)
-- [Data storage in Universal Print](/universal-print/fundamentals/universal-print-encryption)
+- [Data handling in Universal Print](/universal-print/data-handling)
- [Delegate Printer Administration with Administrative Units](/universal-print/portal/delegated-admin)
For customers who want to stay on Print Servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 2e3135282a..1a7808e2b1 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -53,8 +53,8 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Windows Security",
"contributors_to_exclude": [
+ "aditisrivastava07",
"alekyaj",
"alexbuckgit",
"American-Dipper",
@@ -65,14 +65,13 @@
"dstrome2",
"garycentric",
"jborsecnik",
+ "padmagit77",
"rjagiewich",
"rmca14",
"shdyas",
"Stacyrch140",
"tiburd",
"traya1",
- "v-dihans",
- "v-stchambers",
"v-stsavell"
],
"searchScope": [
@@ -98,7 +97,9 @@
"operating-system-security/data-protection/**/*.md": "paolomatarazzo",
"operating-system-security/data-protection/**/*.yml": "paolomatarazzo",
"operating-system-security/network-security/**/*.md": "paolomatarazzo",
- "operating-system-security/network-security/**/*.yml": "paolomatarazzo"
+ "operating-system-security/network-security/**/*.yml": "paolomatarazzo",
+ "security-foundations/certification/**/*.md": "mike-grimm",
+ "security-foundations/certification/**/*.yml": "mike-grimm"
},
"ms.author": {
"application-security//**/*.md": "vinpa",
@@ -118,7 +119,9 @@
"operating-system-security/data-protection/**/*.md": "paoloma",
"operating-system-security/data-protection/**/*.yml": "paoloma",
"operating-system-security/network-security/**/*.md": "paoloma",
- "operating-system-security/network-security/**/*.yml": "paoloma"
+ "operating-system-security/network-security/**/*.yml": "paoloma",
+ "security-foundations/certification/**/*.md": "mgrimm",
+ "security-foundations/certification/**/*.yml": "mgrimm"
},
"appliesto": {
"application-security//**/*.md": [
@@ -232,7 +235,8 @@
"operating-system-security/data-protection/personal-data-encryption/*.md": "rhonnegowda",
"operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck",
"operating-system-security/network-security/vpn/*.md": "pesmith",
- "operating-system-security/network-security/windows-firewall/*.md": "nganguly"
+ "operating-system-security/network-security/windows-firewall/*.md": "nganguly",
+ "security-foundations/certification/**/*.md": "paoloma"
},
"ms.collection": {
"book/*.md": "tier3",
@@ -241,6 +245,7 @@
"information-protection/tpm/*.md": "tier1",
"operating-system-security/data-protection/bitlocker/*.md": "tier1",
"operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
+ "security-foundations/certification/**/*.md": "tier3",
"threat-protection/auditing/*.md": "tier3"
},
"ROBOTS": {
@@ -251,4 +256,4 @@
"dest": "security",
"markdownEngineName": "markdig"
}
-}
\ No newline at end of file
+}
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 3a7b6d25bd..20731a876a 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -1,9 +1,9 @@
---
-ms.date: 11/07/2023
+ms.date: 09/06/2024
title: Access Control overview
description: Learn about access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
ms.topic: overview
-appliesto:
+appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Windows Server 2022
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index ba0aa757cc..70dbff7388 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -1,9 +1,9 @@
---
-ms.date: 11/07/2023
+ms.date: 09/06/2024
title: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.topic: concept-article
-appliesto:
+appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Windows Server 2022
@@ -37,7 +37,7 @@ The default Administrator account can't be deleted or locked out, but it can be
Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group.
-Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation.
+Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation.
#### Account group membership
@@ -219,7 +219,7 @@ The following table shows the Group Policy and registry settings that are used t
||Registry value data|0|
> [!NOTE]
-> You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates.
+> You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates.
#### To enforce local account restrictions for remote access
diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index fee6dbbc20..b965f14e38 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -404,4 +404,4 @@ bcdedit /set vsmlaunchtype off
[CSP-1]: /windows/client-management/mdm/policy-csp-deviceguard#enablevirtualizationbasedsecurity
-[INT-1]: /mem/intune/configuration/settings-catalog
+[INT-1]: /mem/intune/configuration/custom-settings-configure
diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index b52bfea7e9..71298d9a5b 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -112,7 +112,7 @@ Once the device has connectivity to the domain controllers, DPAPI recovers the u
When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
-**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
+**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
## Known issues
diff --git a/windows/security/identity-protection/hello-for-business/configure.md b/windows/security/identity-protection/hello-for-business/configure.md
index 008110433e..901fa618d2 100644
--- a/windows/security/identity-protection/hello-for-business/configure.md
+++ b/windows/security/identity-protection/hello-for-business/configure.md
@@ -106,7 +106,7 @@ Windows Hello for Business is enabled by default for devices that are Microsoft
Configuration type| Details |
|--|-|
-| CSP (user)|**Key path**: `HHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\
**Key name**: `UsePassportForWork`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
+| CSP (user)|**Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\
**Key name**: `UsePassportForWork`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
| CSP (device)|**Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\
**Key name**: `UsePassportForWork`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
| GPO (user)|**Key path**: `HKEY_USERS\
**Key name**: `Enabled`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
| GPO (user)|**Key path**: `KEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`
**Key name**: `Enabled`
**Type**: `REG_DWORD`
**Value**:
`1` to enable
`0` to disable |
diff --git a/windows/security/identity-protection/hello-for-business/deploy/index.md b/windows/security/identity-protection/hello-for-business/deploy/index.md
index 176e016833..09c8d47a70 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/index.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/index.md
@@ -275,6 +275,8 @@ All supported Windows Server versions can be used with Windows Hello for Busines
| **🔲** | **On-premises** | Key | All supported versions |
| **🔲** | **On-premises** | Certificate | All supported versions |
+The minimum required domain functional and forest functional levels are Windows Server 2008 R2 for all deployment models.
+
## Prepare users
When you are ready to enable Windows Hello for Business in your organization, make sure to prepare the users by explaining how to provision and use Windows Hello.
diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml
index fb596103e4..c17a99f819 100644
--- a/windows/security/identity-protection/hello-for-business/faq.yml
+++ b/windows/security/identity-protection/hello-for-business/faq.yml
@@ -16,7 +16,10 @@ sections:
questions:
- question: What's the difference between Windows Hello and Windows Hello for Business?
answer: |
- Windows Hello represents the biometric framework provided in Windows. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
+ *Windows Hello* is an authentication technology that allows users to sign in to their Windows devices using biometric data, or a PIN, instead of a traditional password.
+
+ *Windows Hello for Business* is an extension of Windows Hello that provides enterprise-grade security and management capabilities, including device attestation, certificate-based authentication, and conditional access policies. Policy settings can be deployed to devices to ensure they're secure and compliant with organizational requirements.
+
- question: Why a PIN is better than an online password
answer: |
Three main reasons:
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index c9827058be..e838ad5167 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -18,7 +18,7 @@ The following table lists the main authentication and security differences betwe
||Windows Hello for Business|Windows Hello|
|-|-|-|
|**Authentication**|Users can authenticate to:
- A Microsoft Entra ID account
- An Active Directory account
- Identity provider (IdP) or relying party (RP) services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.|Users can authenticate to:
- A Microsoft account
- Identity provider (IdP) or relying party (RP) services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.|
-|**Security**|It uses **key-based** or **certificate-based** authentication. There's no symmetric secret (password) which can be stolen from a server or phished from a user and used remotely.
Enhanced security is available on devices with a Trusted Platform Module (TPM).|Users can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on the account type. This configuration is referred to as *Windows Hello convenience PIN*, and it's not backed by asymmetric (public/private key) or certificate-based authentication.|
+|**Security**|It uses **key-based** or **certificate-based** authentication. There's no symmetric secret (password) which can be stolen from a server or phished from a user and used remotely.
Enhanced security is available on devices with a Trusted Platform Module (TPM).|Users can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on the account type. This configuration isn't backed by asymmetric (public/private key) or certificate-based authentication.|
> [!NOTE]
> FIDO2 (Fast Identity Online) authentication is an open standard for passwordless authentication. It allows users to sign in to their devices and apps using biometric authentication or a physical security key, without the need for a traditional password. FIDO2 support in Windows Hello for Business provides an additional layer of security and convenience for users, while also reducing the risk of password-related attacks.
diff --git a/windows/security/identity-protection/passkeys/images/hello-use-confirm.png b/windows/security/identity-protection/passkeys/images/hello-use-confirm.png
deleted file mode 100644
index 4139c708c3..0000000000
Binary files a/windows/security/identity-protection/passkeys/images/hello-use-confirm.png and /dev/null differ
diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md
index 44f695a852..ebad860cb2 100644
--- a/windows/security/identity-protection/passkeys/index.md
+++ b/windows/security/identity-protection/passkeys/index.md
@@ -1,11 +1,11 @@
---
title: Support for passkeys in Windows
description: Learn about passkeys and how to use them on Windows devices.
-ms.collection:
+ms.collection:
- tier1
ms.topic: overview
-ms.date: 11/07/2023
-appliesto:
+ms.date: 09/06/2024
+appliesto:
- ✅ Windows 11
- ✅ Windows 10
---
@@ -31,7 +31,7 @@ FIDO protocols prioritize user privacy, as they're designed to prevent online se
### Passkeys compared to passwords
-Passkeys have several advantages over passwords, including their ease of use and intuitive nature. Unlike passwords, passkeys are easy to create, don't need to be remembered, and don't need to be safeguarded. Additionally, passkeys are unique to each website or application, preventing their reuse. They're highly secure because they're only stored on the user's devices, with the service only storing public keys. Passkeys are designed to prevent attackers to guess or obtain them, which helps to make them resistant to phishing attempts where the attacker may try to trick the user into revealing the private key. Passkeys are enforced by the browsers or operating systems to only be used for the appropriate service, rather than relying on human verification. Finally, passkeys provide cross-device and cross-platform authentication, meaning that a passkey from one device can be used to sign in on another device.
+Passkeys have several advantages over passwords, including their ease of use and intuitive nature. Unlike passwords, passkeys are easy to create, don't need to be remembered, and don't need to be safeguarded. Additionally, passkeys are unique to each website or application, preventing their reuse. They're highly secure because they're only stored on the user's devices, with the service only storing public keys. Passkeys are designed to prevent attackers to guess or obtain them, which helps to make them resistant to phishing attempts where the attacker might try to trick the user into revealing the private key. Passkeys are enforced by the browsers or operating systems to only be used for the appropriate service, rather than relying on human verification. Finally, passkeys provide cross-device and cross-platform authentication, meaning that a passkey from one device can be used to sign in on another device.
[!INCLUDE [passkey](../../../../includes/licensing/passkeys.md)]
@@ -113,7 +113,7 @@ Pick one of the following options to learn how to save a passkey, based on where
:::row:::
:::column span="4":::
- 4. Select your linked device name (e.g. **Pixel**) > **Next**
+ 4. Select your linked device name (for example, **Pixel**) > **Next**
:::column-end:::
:::row-end:::
:::row:::
@@ -241,7 +241,7 @@ Pick one of the following options to learn how to use a passkey, based on where
:::row:::
:::column span="4":::
- 4. Select your linked device name (e.g. **Pixel**) > **Next**
+ 4. Select your linked device name (for example, **Pixel**) > **Next**
:::column-end:::
:::row-end:::
:::row:::
@@ -311,12 +311,86 @@ Starting in Windows 11, version 22H2 with [KB5030310][KB-1], you can use the Set
> [!NOTE]
> Some passkeys for *login.microsoft.com* can't be deleted, as they're used with Microsoft Entra ID and/or Microsoft Account for signing in to the device and Microsoft services.
+## Passkeys in Bluetooth-restricted environments
+
+For passkey cross-device authentication scenarios, both the Windows device and the mobile device must have Bluetooth enabled and connected to the Internet. This allows the user to authorize another device securely over Bluetooth without transferring or copying the passkey itself.
+
+Some organizations restrict Bluetooth usage, which includes the use of passkeys. In such cases, organizations can allow passkeys by permitting Bluetooth pairing exclusively with passkey-enabled FIDO2 authenticators.
+
+To limit the use of Bluetooth to only passkey use cases, use the [Bluetooth Policy CSP][CSP-8] and the [DeviceInstallation Policy CSP][CSP-7].
+
+### Device configuration
+
+[!INCLUDE [tab-intro](../../../../includes/configure/tab-intro.md)]
+
+#### [:::image type="icon" source="../../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
+
+To configure devices with Microsoft Intune, [you can use a custom policy][INT-2] with these settings:
+
+| Setting |
+|--|
+|
When set to `0`, the device doesn't send out advertisements. |
+|
When set to `0`, other devices can't detect the device. |
+|
Prevents specific bundled Bluetooth peripherals from automatically pairing with the host device.
-The **Create Configuration Item Wizard** starts. - -  - -3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then select **Next**. - - - **Settings for devices managed with the Configuration Manager client:** Windows 10 - - -OR- - - - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10 - -5. On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**. - -  - -6. On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**. - -  - -The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. - -## Add app rules to your policy - -During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through Windows Information Protection. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. - -The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. - ->[!IMPORTANT] ->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with Windows Information Protection before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
-
-### Add a store app rule to your policy
-For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
-
-**To add a store app**
-
-1. From the **App rules** area, select **Add**.
-
- The **Add app rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
-
-3. Select **Allow** from the **Windows Information Protection mode** drop-down list.
-
- Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
-
-4. Pick **Store App** from the **Rule template** drop-down list.
-
- The box changes to show the store app rule options.
-
-5. Type the name of the app and the name of its publisher, and then select **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
-
-If you don't know the publisher or product name, you can find them for both desktop devices by following these steps.
-
-**To find the Publisher and Product Name values for Store apps without installing them**
-
-1. Go to the [Microsoft Store](https://apps.microsoft.com/) website, and find your app. For example, Microsoft OneNote.
-
- > [!NOTE]
- > If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in [Add an AppLocker policy file](#add-an-applocker-policy-file) in this article.
-
-2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is `https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl`, and you'd copy the ID value, `9wzdncrfhvjl`.
-
-3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata`, where `9wzdncrfhvjl` is replaced with your ID value.
-
- The API runs and opens a text editor with the app details.
-
- ```json
- {
- "packageIdentityName": "Microsoft.Office.OneNote",
- "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
- }
- ```
-
-4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
-
- > [!IMPORTANT]
- > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.
- >
- > For example:
- >
- > ```json
- > {
- > "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- > }
- > ```
-
-### Add a desktop app rule to your policy
-
-For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list.
-
-**To add a desktop app to your policy**
-
-1. From the **App rules** area, select **Add**.
-
- The **Add app rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
-
-3. Select **Allow** from the **Windows Information Protection mode** drop-down list.
-
- Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section.
-
-4. Pick **Desktop App** from the **Rule template** drop-down list.
-
- The box changes to show the desktop app rule options.
-
-5. Pick the options you want to include for the app rule (see table), and then select **OK**.
-
- |Option|Manages|
- |--- |--- |
- |All fields left as "*"|All files signed by any publisher. (Not recommended.)|
- |**Publisher** selected|All files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.|
- |**Publisher** and **Product Name** selected|All files for the specified product, signed by the named publisher.|
- |**Publisher**, **Product Name**, and **Binary name** selected|Any version of the named file or package for the specified product, signed by the named publisher.|
- |**Publisher**, **Product Name**, **Binary name**, and **File Version, and above**, selected|Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.|
- |**Publisher**, **Product Name**, **Binary name**, and **File Version, And below** selected|Specified version or older releases of the named file or package for the specified product, signed by the named publisher.|
- |**Publisher**, **Product Name**, **Binary name**, and **File Version, Exactly** selected|Specified version of the named file or package for the specified product, signed by the named publisher.|
-
-If you're unsure about what to include for the publisher, you can run this PowerShell command:
-
-```powershell
-Get-AppLockerFileInformation -Path " After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. For more information, see [How to disable Windows Information Protection](how-to-disable-wip.md).|
-
-:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level" source="images/wip-configmgr-appmgmt.png":::
-
-## Define your enterprise-managed identity domains
-Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
-
-You can specify multiple domains owned by your enterprise by separating them with the `|` character. For example, `contoso.com|newcontoso.com`. With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
-
-**To add your corporate identity**
-
-- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
-
- 
-
-## Choose where apps can access enterprise data
-After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
-
-There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
-
->[!IMPORTANT]
->Every WIP policy should include policy that defines your enterprise network locations. After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn Windows Information Protection back on. |
-
-## Turn off WIP
-You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn't recommended. If you choose to turn off WIP, you can always turn it back on, but your decryption and policy info won't be automatically reapplied.
-
-## Next steps
-
-After you decide to use WIP in your environment, [create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md).
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
deleted file mode 100644
index fc9dfc237c..0000000000
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Recommended URLs for Windows Information Protection
-description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 03/25/2019
----
-
-# Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
-
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
-
-We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a Windows Information Protection policy. If you are using Intune, the SharePoint entries may be added automatically.
-
-## Recommended Enterprise Cloud Resources
-
-This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization.
-
-|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
- This is the XML file that AppLocker creates for Microsoft Photos.
-
- ```xml
-
->Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations.
-
-**To define where your protected apps can find and send enterprise data on your network**
-
-1. Add additional network locations your apps can access by clicking **Add**.
-
- The **Add or edit corporate network definition** box appears.
-
-2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
-
- 
-
- - **Enterprise Cloud Resources**: Specify the cloud resources to be treated as corporate and protected by WIP.
-
- For each cloud resource, you may also optionally specify a proxy server from your internal proxy servers list to route traffic for this cloud resource. All traffic routed through your internal proxy servers is considered enterprise.
-
- If you have multiple resources, you must separate them using the `|` delimiter. If you don't use proxy servers, you must also include the `,` delimiter just before the `|`. For example: URL `<,proxy>|URL <,proxy>`.
-
- **Format examples**:
-
- - **With proxy**: `contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com`
-
- - **Without proxy**: `contoso.sharepoint.com|contoso.visualstudio.com`
-
- >[!Important]
- > In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.
-
- - **Enterprise Network Domain Names (Required)**: Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list will be protected.
-
- This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.
-
- If you have multiple resources, you must separate them using the "," delimiter.
-
- **Format examples**: `corp.contoso.com,region.contoso.com`
-
- - **Proxy servers**: Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
-
- This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
-
- If you have multiple resources, you must separate them using the ";" delimiter.
-
- **Format examples**: `proxy.contoso.com:80;proxy2.contoso.com:443`
-
- - **Internal proxy servers**: Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
-
- This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
-
- If you have multiple resources, you must separate them using the ";" delimiter.
-
- **Format examples**: `contoso.internalproxy1.com;contoso.internalproxy2.com`
-
- - **Enterprise IPv4 Range (Required)**: Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
-
- If you have multiple ranges, you must separate them using the "," delimiter.
-
- **Format examples**:
-
- - **Starting IPv4 Address:** `3.4.0.1`
- - **Ending IPv4 Address:** `3.4.255.254`
- - **Custom URI:** `3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254`
-
- - **Enterprise IPv6 Range**: Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
-
- If you have multiple ranges, you must separate them using the "," delimiter.
-
- **Format examples**:
-
- - **Starting IPv6 Address:** `2a01:110::`
- - **Ending IPv6 Address:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`
- - **Custom URI:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`
-
- - **Neutral Resources**: Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection.
-
- If you have multiple resources, you must separate them using the "," delimiter.
-
- **Format examples**: `sts.contoso.com,sts.contoso2.com`
-
-3. Add as many locations as you need, and then select **OK**.
-
- The **Add or edit corporate network definition** box closes.
-
-4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer.
-
- :::image type="content" alt-text="Create Configuration Item wizard, Add whether to search for additional network settings" source="images/wip-configmgr-optsettings.png":::
-
- - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Select this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option.
-
- - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Select this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option.
-
- - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Select this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option.
-
-5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy.
-
- 
-
- After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
-
- For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
-
-## Choose your optional WIP-related settings
-After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
-
-
-
-**To set your optional settings**
-1. Choose to set any or all of the optional settings:
-
- - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
-
- - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
-
- - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
-
- - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
-
- - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
-
- - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.
-
- - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
-
-2. After you pick all of the settings you want to include, select **Summary**.
-
-## Review your configuration choices in the Summary screen
-After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
-
-**To view the Summary screen**
-- Select the **Summary** button to review your policy choices, and then select **Next** to finish and to save your policy.
-
- 
-
- A progress bar appears, showing you progress for your policy. After it's done, select **Close** to return to the **Configuration Items** page.
-
-## Deploy the WIP policy
-After you've created your WIP policy, you'll need to deploy it to your organization's devices. For more information about your deployment options, see the following articles:
-
-- [Create configuration baselines in Configuration Manager](/mem/configmgr/compliance/deploy-use/create-configuration-baselines)
-
-- [How to deploy configuration baselines in Configuration Manager](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines)
-
-## Related articles
-
-- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
-
-- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
-
-- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
deleted file mode 100644
index c73eda005f..0000000000
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ /dev/null
@@ -1,605 +0,0 @@
----
-title: Create a WIP policy in Intune
-description: Learn how to use the Microsoft Intune admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.reviewer: rafals
-ms.topic: how-to
-ms.date: 07/15/2022
----
-
-# Create a Windows Information Protection policy in Microsoft Intune
-
-[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]
-
-
-_Applies to:_
-
-- Windows 10
-- Windows 11
-
-Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device.
-
-## Differences between MDM and MAM for WIP
-
-You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences:
-
-- MAM has more **Access** settings for Windows Hello for Business.
-- MAM can [selectively wipe company data](/intune/apps-selective-wipe) from a user's personal device.
-- MAM requires an [Microsoft Entra ID P1 or P2 license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
-- A Microsoft Entra ID P1 or P2 license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery depends on Microsoft Entra registration to back up the encryption keys, which requires device auto-enrollment with MDM.
-- MAM supports only one user per device.
-- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
-- Only MDM can use [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) policies.
-- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Microsoft Entra ID. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
-
-
-## Prerequisites
-
-Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Microsoft Entra ID. MAM requires an [Microsoft Entra ID P1 or P2 license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). A Microsoft Entra ID P1 or P2 license is also required for WIP auto-recovery, where a device can re-enroll and regain access to protected data. WIP auto-recovery relies on Microsoft Entra registration to back up the encryption keys, which requires device auto-enrollment with MDM.
-
-## Configure the MDM or MAM provider
-
-1. Sign in to the Azure portal.
-
-2. Select **Microsoft Entra ID** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
-
-3. Select **Restore Default URLs** or enter the settings for MDM or MAM user scope and select **Save**:
-
- 
-
-## Create a WIP policy
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-2. Open Microsoft Intune and select **Apps** > **App protection policies** > **Create policy**.
-
- 
-
-3. In the **App policy** screen, select **Add a policy**, and then fill out the fields:
-
- - **Name.** Type a name (required) for your new policy.
-
- - **Description.** Type an optional description.
-
- - **Platform.** Choose **Windows 10**.
-
- - **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM.
-
- 
-
-4. Select **Protected apps** and then select **Add apps**.
-
- 
-
- You can add these types of apps:
-
- - [Recommended apps](#add-recommended-apps)
- - [Store apps](#add-store-apps)
- - [Desktop apps](#add-desktop-apps)
-
->[!NOTE]
->An application might return access denied errors after removing it from the list of protected apps. Rather than remove it from the list, uninstall and reinstall the application or exempt it from WIP policy.
-
-### Add recommended apps
-
-Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and select **OK**.
-
-
-
-### Add Store apps
-
-Select **Store apps**, type the app product name and publisher, and select **OK**. For example, to add the Power BI Mobile App from the Store, type the following:
-
-- **Name**: Microsoft Power BI
-- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
-- **Product Name**: `Microsoft.MicrosoftPowerBIForWindows`
-
-
-
-To add multiple Store apps, select the ellipsis `…`.
-
-If you don't know the Store app publisher or product name, you can find them by following these steps.
-
-1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*.
-
-2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is `https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1`, and you'd copy the ID value, `9nblgggzlxn1`.
-
-3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata`, where `9nblgggzlxn1` is replaced with your ID value.
-
- The API runs and opens a text editor with the app details.
-
- ```json
- {
- "packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows",
- "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
- }
- ```
-
-4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune.
-
- >[!Important]
- >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
- >
- > For example:
- >
- > ```json
- > {
- > "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- > }
-
-
-
-### Add Desktop apps
-
-To add **Desktop apps**, complete the following fields, based on what results you want returned.
-
-|Field|Manages|
-|--- |--- |
-|All fields marked as `*`|All files signed by any publisher. (Not recommended and may not work)|
-|Publisher only|If you only fill out this field, you'll get all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.|
-|Publisher and Name only|If you only fill out these fields, you'll get all files for the specified product, signed by the named publisher.|
-|Publisher, Name, and File only|If you only fill out these fields, you'll get any version of the named file or package for the specified product, signed by the named publisher.|
-|Publisher, Name, File, and Min version only|If you only fill out these fields, you'll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.|
-|Publisher, Name, File, and Max version only|If you only fill out these fields, you'll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.|
-|All fields completed|If you fill out all fields, you'll get the specified version of the named file or package for the specified product, signed by the named publisher.|
-
-To add another Desktop app, select the ellipsis `…`. After you've entered the info into the fields, select **OK**.
-
-
-
-If you're unsure about what to include for the publisher, you can run this PowerShell command:
-
-```powershell
-Get-AppLockerFileInformation -Path "
- This is the XML file that AppLocker creates for Microsoft Dynamics 365.
-
- ```xml
-
-
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. For more information, see [How to disable Windows Information Protection](how-to-disable-wip.md).|
-
-2. Select **Save**.
-
-## Define your enterprise-managed corporate identity
-Corporate identity, typically expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
-
-Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field.
-
-**To change your corporate identity**
-
-1. From **App policy**, select the name of your policy, and then select **Required settings**.
-
-2. If the auto-defined identity isn't correct, you can change the info in the **Corporate identity** field.
-
- 
-
-3. To add domains, such your email domain names, select **Configure Advanced settings** > **Add network boundary** and select **Protected domains**.
-
- 
-
-## Choose where apps can access enterprise data
-After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations.
-
-There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
-
-To define the network boundaries, select **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**.
-
-
-
-Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then select **OK**.
-
-### Cloud resources
-
-Specify the cloud resources to be treated as corporate and protected by WIP.
-For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource.
-All traffic routed through your Internal proxy servers is considered enterprise.
-
-Separate multiple resources with the "|" delimiter.
-For example:
-
-```console
-URL <,proxy>|URL <,proxy>
-```
-
-Personal applications can access a cloud resource that has a blank space or an invalid character, such as a trailing dot in the URL.
-
-To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all subdomains within Office.com, use ".office.com" (without the quotation marks).
-
-In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site.
-In this case, Windows blocks the connection by default.
-To stop Windows from automatically blocking these connections, you can add the `/*AppCompat*/` string to the setting.
-For example:
-
-```console
-URL <,proxy>|URL <,proxy>|/*AppCompat*/
-```
-
-When you use this string, we recommend that you also turn on [Microsoft Entra Conditional Access](/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
-
-Value format with proxy:
-
-```console
-contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com
-```
-
-Value format without proxy:
-
-```console
-contoso.sharepoint.com|contoso.visualstudio.com|contoso.onedrive.com,
-```
-
-### Protected domains
-
-Specify the domains used for identities in your environment.
-All traffic to the fully qualified domains appearing in this list will be protected.
-Separate multiple domains with the "|" delimiter.
-
-```console
-exchange.contoso.com|contoso.com|region.contoso.com
-```
-
-### Network domains
-
-Specify the DNS suffixes used in your environment.
-All traffic to the fully qualified domains appearing in this list will be protected.
-Separate multiple resources with the "," delimiter.
-
-```console
-corp.contoso.com,region.contoso.com
-```
-
-### Proxy servers
-
-Specify the proxy servers your devices will go through to reach your cloud resources.
-Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
-
-This list shouldn't include any servers listed in your Internal proxy servers list.
-Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
-Separate multiple resources with the ";" delimiter.
-
-```console
-proxy.contoso.com:80;proxy2.contoso.com:443
-```
-
-### Internal proxy servers
-
-Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
-
-This list shouldn't include any servers listed in your Proxy servers list.
-Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
-Separate multiple resources with the ";" delimiter.
-
-```console
-contoso.internalproxy1.com;contoso.internalproxy2.com
-```
-
-### IPv4 ranges
-
-Specify the addresses for a valid IPv4 value range within your intranet.
-These addresses, used with your Network domain names, define your corporate network boundaries.
-Classless Inter-Domain Routing (CIDR) notation isn't supported.
-
-Separate multiple ranges with the "," delimiter.
-
-**Starting IPv4 Address:** 3.4.0.1
-**Ending IPv4 Address:** 3.4.255.254
-**Custom URI:** 3.4.0.1-3.4.255.254,
-10.0.0.1-10.255.255.254
-
-### IPv6 ranges
-
-Starting with Windows 10, version 1703, this field is optional.
-
-Specify the addresses for a valid IPv6 value range within your intranet.
-These addresses, used with your network domain names, define your corporate network boundaries.
-Classless Inter-Domain Routing (CIDR) notation isn't supported.
-
-Separate multiple ranges with the "," delimiter.
-
-**Starting IPv6 Address:** `2a01:110::`
-**Ending IPv6 Address:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`
-**Custom URI:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,'
'fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`
-
-### Neutral resources
-
-Specify your authentication redirection endpoints for your company.
-These locations are considered enterprise or personal, based on the context of the connection before the redirection.
-Separate multiple resources with the "," delimiter.
-
-```console
-sts.contoso.com,sts.contoso2.com
-```
-
-Decide if you want Windows to look for more network settings:
-
-- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you turn this off, Windows will search for more proxy servers in your immediate network.
-
-- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for more IP ranges on any domain-joined devices connected to your network.
-
-
-
-## Upload your Data Recovery Agent (DRA) certificate
-After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
-
->[!Important]
->Using a DRA certificate isn't mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
-
-**To upload your DRA certificate**
-1. From **App policy**, select the name of your policy, and then select **Advanced settings** from the menu that appears.
-
- **Advanced settings** shows.
-
-2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy.
-
- 
-
-## Choose your optional WIP-related settings
-After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
-
-
-
-**Revoke encryption keys on unenroll.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
-
-- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
-
-- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.
-
-**Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
-
-- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Also, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
-
-- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option.
-
-**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](/azure/information-protection/what-is-azure-rms) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template's license. Only users with permission to that template can read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp).
-
-- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn't actually apply Azure Information Protection to the files.
-
- If you don't specify an [RMS template](/information-protection/deploy-use/configure-custom-templates), it's a regular EFS file using a default RMS template that all users can access.
-
-- **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive.
-
- > [!NOTE]
- > Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders.
-
-**Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files.
-
-- **On.** Starts Windows Search Indexer to index encrypted files.
-
-- **Off, or not configured.** Stops Windows Search Indexer from indexing encrypted files.
-
-## Encrypted file extensions
-
-You can restrict which files are protected by WIP when they're downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied.
-
-
-
-## Related articles
-
-- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
-
-- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
-
-- [What is Azure Rights Management?](/information-protection/understand-explore/what-is-azure-rms)
-
-- [Create a Windows Information Protection (WIP) protection policy using Microsoft Intune](overview-create-wip-policy.md)
-
-- [Intune MAM Without Enrollment](/archive/blogs/configmgrdogs/intune-mam-without-enrollment)
-
-- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
deleted file mode 100644
index 0269f73fe5..0000000000
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
-description: After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 03/05/2019
-ms.reviewer:
----
-
-# Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
-
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-After you've created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
-
-## To deploy your WIP policy
-
-1. On the **App protection policies** pane, click your newly created policy, click **Assignments**, and then select groups to include or exclude from the policy.
-
-2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
-
- The policy is deployed to the selected users' devices.
-
- 
-
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
-## Related topics
-
-- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
deleted file mode 100644
index 1660b49f10..0000000000
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
-description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
-ms.reviewer:
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 05/02/2019
----
-
-# List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
-
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
-
-## Enlightened versus unenlightened apps
-Apps can be enlightened or unenlightened:
-
-- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
-
-- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
-
- - Windows Desktop shows it as always running in enterprise mode.
-
- - Windows **Save As** experiences only allow you to save your files as enterprise.
-
-- **Windows Information Protection-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode.
-
-## List of enlightened Microsoft apps
-Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
-
-- Microsoft 3D Viewer
-
-- Microsoft Edge
-
-- Internet Explorer 11
-
-- Microsoft People
-
-- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
-
-- Microsoft 365 Apps for enterprise apps, including Word, Excel, PowerPoint, OneNote, and Outlook
-
-- OneDrive app
-
-- OneDrive sync client (OneDrive.exe, the next generation sync client)
-
-- Microsoft Photos
-
-- Groove Music
-
-- Notepad
-
-- Microsoft Paint
-
-- Microsoft Movies & TV
-
-- Microsoft Messaging
-
-- Microsoft Remote Desktop
-
-- Microsoft To Do
-
-> [!NOTE]
-> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from Windows Information Protection policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
-
-## List of WIP-work only apps from Microsoft
-Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with Windows Information Protection and MAM solutions.
-
-- Skype for Business
-
-- Microsoft Teams (build 1.3.00.12058 and later)
-
-## Adding enlightened Microsoft apps to the allowed apps list
-
-> [!NOTE]
-> As of January 2019 it is no longer necessary to add Intune Company Portal as an exempt app since it is now included in the default list of protected apps.
-
-You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and Microsoft Configuration Manager.
-
-
-| Product name | App info |
-|------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Microsoft 3D Viewer | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Microsoft3DViewer
**App Type:** Universal app |
-| Microsoft Edge | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.MicrosoftEdge
**App Type:** Universal app |
-| Microsoft People | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.People
**App Type:** Universal app |
-| Word Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Word
**App Type:** Universal app |
-| Excel Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Excel
**App Type:** Universal app |
-| PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.PowerPoint
**App Type:** Universal app |
-| OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.OneNote
**App Type:** Universal app |
-| Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app |
-| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for Windows Information Protection.
We don't recommend setting up Office by using individual paths or publisher rules. |
-| Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app |
-| Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app |
-| Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app |
-| Microsoft Messaging | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
-| IE11 | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** iexplore.exe
**App Type:** Desktop app |
-| OneDrive Sync Client | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** onedrive.exe
**App Type:** Desktop app |
-| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Microsoftskydrive
Product Version:Product version: 17.21.0.0 (and later)
**App Type:** Universal app |
-| Notepad | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** notepad.exe
**App Type:** Desktop app |
-| Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app |
-| Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app |
-| Microsoft MAPI Repair Tool | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** fixmapi.exe
**App Type:** Desktop app |
-| Microsoft To Do | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Todos
**App Type:** Store app |
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
deleted file mode 100644
index f98f1a7125..0000000000
--- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: General guidance and best practices for Windows Information Protection (WIP)
-description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 02/26/2019
----
-
-# General guidance and best practices for Windows Information Protection (WIP)
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
-
-## In this section
-
-|Topic |Description |
-|------|------------|
-|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
-|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |Learn the difference between enlightened and unenlightened app behaviors. |
-|[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |Recommended additions for the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). |
-|[Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook on the web with Windows Information Protection (WIP). |
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
deleted file mode 100644
index f30aaac954..0000000000
--- a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: How to disable Windows Information Protection (WIP)
-description: How to disable Windows Information Protection (WIP) in Microsoft Intune or Microsoft Configuration Manager.
-ms.date: 07/21/2022
-ms.topic: how-to
-author: lizgt2000
-ms.author: lizlong
-ms.reviewer: aaroncz
-manager: aaroncz
----
-
-# How to disable Windows Information Protection (WIP)
-
-[!INCLUDE [wip-deprecation](includes/wip-deprecation.md)]
-
-
-_Applies to:_
-
-- Windows 10
-- Windows 11
-
-## Use Intune to disable WIP
-
-To disable Windows Information Protection (WIP) using Intune, you have the following options:
-
-### Option 1 - Unassign the WIP policy (preferred)
-
-When you unassign an existing policy, it removes the intent to deploy WIP from those devices. When that intent is removed, the device removes protection for files and the configuration for WIP. For more information, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).
-
-### Option 2 - Change current WIP policy to off
-
-If you're currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check in after this change, the devices will proceed to unprotect files previously protected by WIP.
-
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Open Microsoft Intune and select **Apps** > **App protection policies**.
-1. Select the existing policy to turn off, and then select the **Properties**.
-1. Edit **Required settings**.
- :::image type="content" alt-text="Intune App Protection policy properties, required settings, with WIP mode Off." source="images/intune-edit-app-protection-policy-mode-off.png":::
-1. Set **Windows Information Protection mode** to off.
-1. After making this change, select **Review and Save**.
-1. Select **Save**.
-
-> [!NOTE]
-> **Another option is to create a disable policy that sets WIP to Off.**
->
-> You can create a separate disable policy for WIP (both enrolled and unenrolled) and deploy that to a new group. You then can stage the transition to this disabled state. Move devices from the existing group to the new group. This process slowly migrates devices instead of all at once.
-
-### Revoke local encryption keys during the unenrollment process
-
-Determine whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
-
-- Yes, or not configured. Revokes local encryption keys from a device during unenrollment.
-- No (recommended). Stop local encryption keys from being revoked from a device during unenrollment.
-
-## Use Configuration Manager to disable WIP
-
-To disable Windows Information Protection (WIP) using Configuration Manager, create a new configuration item that turns off WIP. Configure that new object for your environment to match the existing policy, except for disabling WIP. Then deploy the new policy, and move devices into the new collection.
-
-> [!WARNING]
-> Don't just delete your existing WIP policy. If you delete the old policy, Configuration Manager stops sending further WIP policy updates, but also leaves WIP enforced on the devices. To remove WIP from your managed devices, follow the steps in this section to create a new policy to turn off WIP.
-
-### Create a WIP policy
-
-To disable WIP for your organization, first create a configuration item.
-
-1. Open the Configuration Manager console, select the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
-
-2. Select the **Create Configuration Item** button.
- The **Create Configuration Item Wizard** starts.
-
- 
-
-3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-
-4. In the **Specify the type of configuration item you want to create** area, select **Windows 10 or later** for devices managed with the Configuration Manager client, and then select **Next**.
-
-5. On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**.
-
-6. On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**.
-
-The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. The following sections provide details on the required settings on this page.
-
-> [!TIP]
-> For more information on filling out the required fields, see [Create and deploy a Windows Information Protection (WIP) policy using Microsoft Configuration Manager](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr).
-
-#### Turn off WIP
-
-Of the four options to specify the restriction mode, select **Off** to turn off Windows Information Protection.
-
-:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level." source="images/wip-configmgr-disable-wip.png":::
-
-#### Specify the corporate identity
-
-Paste the value of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
-
-
-
-> [!IMPORTANT]
-> This corporate identity value must match the string in the original policy. Copy and paste the string from your original policy that enables WIP.
-
-#### Specify the corporate network definition
-
-For the **Corporate network definition**, select **Add** to specify the necessary network locations. The **Add or edit corporate network definition** box appears. Add the required fields.
-
-> [!IMPORTANT]
-> These corporate network definitions must match the original policy. Copy and paste the strings from your original policy that enables WIP.
-
-#### Specify the data recovery agent certificate
-
-In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy. This certificate should be the same as the original policy that enables WIP.
-
-
-
-### Deploy the WIP policy
-
-After you've created the new policy to turn off WIP, deploy it to your organization's devices. For more information about deployment options, see the following articles:
-
-- [Create a configuration baseline that includes the new configuration item](/mem/configmgr/compliance/deploy-use/create-configuration-baselines).
-
-- [Create a new collection](/mem/configmgr/core/clients/manage/collections/create-collections).
-
-- [Deploy the baseline to the collection](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines).
-
-- Move devices from the old collection to new collection.
diff --git a/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png b/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png
deleted file mode 100644
index 12d4f6eefd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/add-a-mobile-app-policy.png b/windows/security/information-protection/windows-information-protection/images/add-a-mobile-app-policy.png
deleted file mode 100644
index 31f979f9f1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/add-a-mobile-app-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/add-a-protected-store-app.png b/windows/security/information-protection/windows-information-protection/images/add-a-protected-store-app.png
deleted file mode 100644
index 8522b463a7..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/add-a-protected-store-app.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/add-protected-apps.png b/windows/security/information-protection/windows-information-protection/images/add-protected-apps.png
deleted file mode 100644
index c702a0acff..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/add-protected-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/add-protected-domains.png b/windows/security/information-protection/windows-information-protection/images/add-protected-domains.png
deleted file mode 100644
index 848ff120a2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/add-protected-domains.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png b/windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png
deleted file mode 100644
index 345093afc8..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/create-app-protection-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/create-new-path-rule.png b/windows/security/information-protection/windows-information-protection/images/create-new-path-rule.png
deleted file mode 100644
index b33322202c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/create-new-path-rule.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/exempt-apps.png b/windows/security/information-protection/windows-information-protection/images/exempt-apps.png
deleted file mode 100644
index 59b0ebd268..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/exempt-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/import-protected-apps.png b/windows/security/information-protection/windows-information-protection/images/import-protected-apps.png
deleted file mode 100644
index eefe2c57d4..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/import-protected-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-applocker-before-begin.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-before-begin.png
deleted file mode 100644
index 3f6a79c8d6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-applocker-before-begin.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-applocker-permissions.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-permissions.png
deleted file mode 100644
index 901c861793..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-applocker-permissions.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher-with-app.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher-with-app.png
deleted file mode 100644
index 29f08e03f0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher-with-app.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher.png
deleted file mode 100644
index 42da98610a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-applocker-publisher.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-applocker-select-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-applocker-select-apps.png
deleted file mode 100644
index 38ba06d474..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-applocker-select-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-edit-app-protection-policy-mode-off.png b/windows/security/information-protection/windows-information-protection/images/intune-edit-app-protection-policy-mode-off.png
deleted file mode 100644
index e5cb84a44e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-edit-app-protection-policy-mode-off.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-local-security-export.png b/windows/security/information-protection/windows-information-protection/images/intune-local-security-export.png
deleted file mode 100644
index 56b27c2387..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-local-security-export.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin-updated.png b/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin-updated.png
deleted file mode 100644
index d794b8976c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin-updated.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin.png b/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin.png
deleted file mode 100644
index 492f3fc50a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-local-security-snapin.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/mobility-provider.png b/windows/security/information-protection/windows-information-protection/images/mobility-provider.png
deleted file mode 100644
index 280a0531dc..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/mobility-provider.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/path-condition.png b/windows/security/information-protection/windows-information-protection/images/path-condition.png
deleted file mode 100644
index 6aaf295bcc..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/path-condition.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/recommended-apps.png b/windows/security/information-protection/windows-information-protection/images/recommended-apps.png
deleted file mode 100644
index 658cbb343b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/recommended-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png b/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png
deleted file mode 100644
index 141e7a1819..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/robocopy-s-mode.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/select-path.png b/windows/security/information-protection/windows-information-protection/images/select-path.png
deleted file mode 100644
index 0fd5274d45..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/select-path.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png
deleted file mode 100644
index 50440a4fc8..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-default-rule-warning.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-1.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-1.png
deleted file mode 100644
index 709ff73d25..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-1.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-create.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-create.png
deleted file mode 100644
index 74497fd6ab..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-create.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export.png
deleted file mode 100644
index 1f5d20dffa..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png
deleted file mode 100644
index 0ced278421..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-1.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png
deleted file mode 100644
index e399d8aa66..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-2.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png
deleted file mode 100644
index 0ac48ca032..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-3.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png
deleted file mode 100644
index c924430a97..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-4.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png
deleted file mode 100644
index 4b5e707aec..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-wizard-5.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png
deleted file mode 100644
index 1d1aff1a0c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-desktop-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png
deleted file mode 100644
index 34c89b37a9..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png
deleted file mode 100644
index 59e2071bd8..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-efsdra.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png
deleted file mode 100644
index 7fff387ab2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network-autodetect.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png
deleted file mode 100644
index 9fbe37d56d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-network.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png
deleted file mode 100644
index 785925efdf..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-advanced-settings-optional.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-import-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-import-apps.png
deleted file mode 100644
index 01489c8059..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-import-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png
deleted file mode 100644
index 752ea852ce..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-corp-identity.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png
deleted file mode 100644
index 734f23b46c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-required-settings-protection-mode.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png
deleted file mode 100644
index 6f5e80d670..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png
deleted file mode 100644
index 6cd571b404..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png
deleted file mode 100644
index 5da4686e3f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png
deleted file mode 100644
index 89c1eae2a8..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png
deleted file mode 100644
index 49613b5587..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png
deleted file mode 100644
index b2fc9ee966..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png
deleted file mode 100644
index 8af8967001..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png
deleted file mode 100644
index 940d60acf1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png
deleted file mode 100644
index bee8ddfb1a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-disable-wip.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-disable-wip.png
deleted file mode 100644
index f1cf7c107d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-disable-wip.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png
deleted file mode 100644
index cc58cdb34a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen-off.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen-off.png
deleted file mode 100644
index ab05d9607a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen-off.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png
deleted file mode 100644
index 2d6cadb5c6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png
deleted file mode 100644
index f3d12e7f2f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png
deleted file mode 100644
index 5cae0416bd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png
deleted file mode 100644
index c09ff3cfc3..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png b/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png
deleted file mode 100644
index 8ec000d2a7..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-encrypted-file-extensions.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png
deleted file mode 100644
index 09539d6773..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-learning-app-info.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png
deleted file mode 100644
index 2393cc7eca..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-learning-choose-store-or-desktop-app.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png
deleted file mode 100644
index 926a3c4473..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-select-column.png b/windows/security/information-protection/windows-information-protection/images/wip-select-column.png
deleted file mode 100644
index d4e8a9e7a0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-select-column.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-taskmgr.png b/windows/security/information-protection/windows-information-protection/images/wip-taskmgr.png
deleted file mode 100644
index d69e829d65..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-taskmgr.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
deleted file mode 100644
index 783f627a5c..0000000000
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ /dev/null
@@ -1,152 +0,0 @@
----
-title: Limitations while using Windows Information Protection (WIP)
-description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP).
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.reviewer: rafals
-ms.topic: conceptual
-ms.date: 04/05/2019
----
-
-# Limitations while using Windows Information Protection (WIP)
-
-_Applies to:_
-
-- Windows 10
-- Windows 11
-
-This following list provides info about the most common problems you might encounter while running Windows Information Protection in your organization.
-
-- **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
- - **How it appears**:
- - If you're using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.
- - If you're not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.
-
- - **Workaround**: Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
-
- We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
-
-- **Limitation**: Direct Access is incompatible with Windows Information Protection.
- - **How it appears**: Direct Access might experience problems with how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isn't a corporate network resource.
- - **Workaround**: We recommend that you use VPN for client access to your intranet resources.
-
- > [!NOTE]
- > VPN is optional and isn't required by Windows Information Protection.
-
-- **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.
- - **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.
- - **Workaround**: If you use both Group Policy and MDM to configure your **NetworkIsolation** settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.
-
-- **Limitation**: Cortana can potentially allow data leakage if it's on the allowed apps list.
- - **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.
- - **Workaround**: We don't recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.
-
-
-
-- **Limitation**: Windows Information Protection is designed for use by a single user per device.
- - **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user's content can be revoked during the unenrollment process.
- - **Workaround**: Have only one user per managed device.
- - If this scenario occurs, it may be possible to mitigate. Once protection is disabled, a second user can remove protection by changing the file ownership. Although the protection is in place, the file remains accessible to the user.
-
-- **Limitation**: Installers copied from an enterprise network file share might not work properly.
- - **How it appears**: An app might fail to properly install because it can't read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.
- - **Workaround**: To fix this, you can:
- - Start the installer directly from the file share.
-
- OR
-
- - Decrypt the locally copied files needed by the installer.
-
- OR
-
- - Mark the file share with the installation media as "personal". To do this, you'll need to set the Enterprise IP ranges as **Authoritative** and then exclude the IP address of the file server, or you'll need to put the file server on the Enterprise Proxy Server list.
-
-- **Limitation**: Changing your primary Corporate Identity isn't supported.
- - **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.
- - **Workaround**: Turn off Windows Information Protection for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
-
-- **Limitation**: Redirected folders with Client-Side Caching are not compatible with Windows Information Protection.
- - **How it appears**: Apps might encounter access errors while attempting to read a cached, offline file.
- - **Workaround**: Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
-
- > [!NOTE]
- > For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and Windows Information Protection, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
-
-- **Limitation**: An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.
- - **How it appears**:
- - Data copied from the WIP-managed device is marked as **Work**.
- - Data copied to the WIP-managed device is not marked as **Work**.
- - Local **Work** data copied to the WIP-managed device remains **Work** data.
- - **Work** data that is copied between two apps in the same session remains ** data.
-
- - **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by Windows Information Protection. RDP is disabled by default.
-
-- **Limitation**: You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
- - **How it appears**: A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.
- - **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload.
-
-- **Limitation**: ActiveX controls should be used with caution.
- - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren't protected by using Windows Information Protection.
- - **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
-
- For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
-
-- **Limitation**: Resilient File System (ReFS) isn't currently supported with Windows Information Protection.
- - **How it appears**:Trying to save or transfer Windows Information Protection files to ReFS will fail.
- - **Workaround**: Format drive for NTFS, or use a different drive.
-
-- **Limitation**: Windows Information Protection isn't turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
- - AppDataRoaming
- - Desktop
- - StartMenu
- - Documents
- - Pictures
- - Music
- - Videos
- - Favorites
- - Contacts
- - Downloads
- - Links
- - Searches
- - SavedGames
-
-
-
- - **How it appears**: Windows Information Protection isn't turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Configuration Manager.
- - **Workaround**: Don't set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders).
-
- If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports Windows Information Protection, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after Windows Information Protection is already in place, you might be unable to open your files offline.
-
- For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
-
-- **Limitation**: Only enlightened apps can be managed without device enrollment
- - **How it appears**: If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps.
-
- Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.
-
- - **Workaround**: If all apps need to be managed, enroll the device for MDM.
-
-- **Limitation**: By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can't access it.
- - **How it appears**: Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
- - **Workaround**: If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
-
-- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with Windows Information Protection.
- - **How it appears**: OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.
- - **Workaround**: OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
-
- 1. Close the notebook in OneNote.
- 2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop.
- 3. Copy the notebook folder and Paste it back into the OneDrive for Business folder.
-
- Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the "Open in app" button.
-
-- **Limitation**: Microsoft Office Outlook offline data files (PST and OST files) are not marked as **Work** files, and are therefore not protected.
- - **How it appears**: If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.
- - **Workaround**: It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.
-
-> [!NOTE]
->
-> - When corporate data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
->
-> - Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
deleted file mode 100644
index c849026e4b..0000000000
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
-description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 05/25/2022
----
-
-# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
-
-|Task|Description|
-|----|-----------|
-|Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. |
-|Choose your Windows Information Protection protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage Windows Information Protection mode for your enterprise data](create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
-|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it's incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
-|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.
Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
-|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
-|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.
This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) topic.|
-
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
deleted file mode 100644
index 25099e224a..0000000000
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager
-description: Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 02/26/2019
----
-
-# Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy. It lets you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
-
-## In this section
-
-|Article |Description |
-|------|------------|
-|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Configuration Manager helps you create and deploy your WIP policy. And, lets you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
-|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
deleted file mode 100644
index 794a46361f..0000000000
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Create a Windows Information Protection (WIP) policy using Microsoft Intune
-description: Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 03/11/2019
----
-
-# Create a Windows Information Protection (WIP) policy using Microsoft Intune
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy. It also lets you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
-
-## In this section
-
-|Article |Description |
-|------|------------|
-|[Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
-|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
deleted file mode 100644
index 4135a203b8..0000000000
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ /dev/null
@@ -1,151 +0,0 @@
----
-title: Protect your enterprise data using Windows Information Protection
-description: Learn how to prevent accidental enterprise data leaks through apps and services, such as email, social media, and the public cloud.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.reviewer: rafals
-ms.topic: overview
-ms.date: 07/15/2022
----
-
-# Protect your enterprise data using Windows Information Protection (WIP)
-
-[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]
-
-
-_Applies to:_
-
-- Windows 10
-- Windows 11
-
-With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise's control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
-
-Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Azure Rights Management, another data protection technology, also works alongside WIP. It extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
-
->[!IMPORTANT]
->While Windows Information Protection can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more information about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic.
-
-## Video: Protect enterprise data from being accidentally copied to the wrong place
-
-> [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh]
-
-## Prerequisites
-You'll need this software to run Windows Information Protection in your enterprise:
-
-|Operating system | Management solution |
-|-----------------|---------------------|
-|Windows 10, version 1607 or later | Microsoft Intune
-OR-
Microsoft Configuration Manager
-OR-
Your current company-wide third party mobile device management (MDM) solution. For info about third party MDM solutions, see the documentation that came with your product. If your third party MDM doesn't have UI support for the policies, refer to the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp) documentation.|
-
-## What is enterprise data control?
-Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security. Another extreme is when people can't share anything and it's all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.
-
-As an admin, you can address the question of who gets access to your data by using access controls, such as employee credentials. However, just because someone has the right to access your data doesn't guarantee that the data will remain within the secured locations of the enterprise. So, access controls are a great start, they're not enough.
-
-In the end, all of these security measures have one thing in common: employees will tolerate only so much inconvenience before looking for ways around the security restrictions. For example, if you don't allow employees to share files through a protected system, employees will turn to an outside app that more than likely lacks security controls.
-
-### Using data loss prevention systems
-To help address this security insufficiency, companies developed data loss prevention (also known as DLP) systems. Data loss prevention systems require:
-- **A set of rules about how the system can identify and categorize the data that needs to be protected.** For example, a rule set might contain a rule that identifies credit card numbers and another rule that identifies Social Security numbers.
-
-- **A way to scan company data to see whether it matches any of your defined rules.** Currently, Microsoft Exchange Server and Exchange Online provide this service for email in transit, while Microsoft SharePoint and SharePoint Online provide this service for content stored in document libraries.
-
-- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft Purview Data Loss Prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
-
-Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created. This behavior can lead employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. Perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees' natural workflow. It can stop some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn't see and can't understand.
-
-### Using information rights management systems
-To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on.
-
-After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person won't be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees' work might be unexpectedly interrupted if he or she attempts to use a non-compatible app.
-
-### And what about when an employee leaves the company or unenrolls a device?
-Finally, there's the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would erase all of the corporate data from the device, along with any other personal data on the device.
-
-## Benefits of WIP
-Windows Information Protection provides:
-- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
-
-- Additional data protection for existing line-of-business apps without a need to update the apps.
-
-- Ability to wipe corporate data from Intune MDM enrolled devices while leaving personal data alone.
-
-- Use of audit reports for tracking issues and remedial actions.
-
-- Integration with your existing management system (Microsoft Intune, Microsoft Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage Windows Information Protection for your company.
-
-## Why use WIP?
-Windows Information Protection is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
-
-- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn't using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally maintained as enterprise data.
-
-- **Manage your enterprise documents, apps, and encryption modes.**
-
- - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
-
- - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn't paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
-
- - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.
-
- You don't have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the protected apps list.
-
- - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could have overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
-
-
- - **Data encryption at rest.** Windows Information Protection helps protect enterprise data on local files and on removable media.
-
- Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies Windows Information Protection to the new document.
-
- - **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn't on your protected apps list, employees won't be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
-
- - **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn't.
-
-- **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or if a device is stolen. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
-
- >[!NOTE]
- >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Configuration Manager.
Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
-
-## How WIP works
-Windows Information Protection helps address your everyday challenges in the enterprise. Including:
-
-- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
-
-- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices.
-
-- Helping to maintain the ownership and control of your enterprise data.
-
-- Helping control the network and data access and data sharing for apps that aren't enterprise aware
-
-### Enterprise scenarios
-Windows Information Protection currently addresses these enterprise scenarios:
-- You can encrypt enterprise data on employee-owned and corporate-owned devices.
-
-- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
-
-- You can protect specific apps that can access enterprise data that are clearly recognizable to employees. You can also stop non-protected apps from accessing enterprise data.
-
-- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn't required.
-
-### WIP-protection modes
-Enterprise data is automatically encrypted after it's loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
-
-Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don't have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it's personally owned.
-
->[!NOTE]
->For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
-
-You can set your Windows Information Protection policy to use 1 of 4 protection and management modes:
-
-|Mode|Description|
-|----|-----------|
-|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization's network.|
-|Allow overrides |Windows Information Protection looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
-|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would have been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
-|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.
(Replace "contoso" with your domain name(s)|
-|-----------------------------|---------------------------------------------------------------------|
-|Sharepoint Online |- `contoso.sharepoint.com`
- `contoso-my.sharepoint.com`
- `contoso-files.sharepoint.com` |
-|Viva Engage |- `www.yammer.com`
- `yammer.com`
- `persona.yammer.com` |
-|Outlook Web Access (OWA) |- `outlook.office.com`
- `outlook.office365.com`
- `attachments.office.net` |
-|Microsoft Dynamics |`contoso.crm.dynamics.com` |
-|Visual Studio Online |`contoso.visualstudio.com` |
-|Power BI |`contoso.powerbi.com` |
-|Microsoft Teams |`teams.microsoft.com` |
-|Other Office 365 services |- `tasks.office.com`
- `protection.office.com`
- `meet.lync.com`
- `project.microsoft.com` |
-
-You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
-
-For Office 365 endpoints, see [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges).
-Office 365 endpoints are updated monthly.
-Allow the domains listed in section number 46 "Allow Required" and add also add the apps.
-Note that apps from officeapps.live.com can also store personal data.
-
-When multiple files are selected from SharePoint Online or OneDrive, the files are aggregated and the URL can change. In this case, add an entry for a second-level domain and use a wildcard such as .svc.ms.
-
-
-## Recommended Neutral Resources
-We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP).
-
-- `login.microsoftonline.com`
-- `login.windows.net`
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
deleted file mode 100644
index 30c94d76be..0000000000
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ /dev/null
@@ -1,149 +0,0 @@
----
-title: Testing scenarios for Windows Information Protection (WIP)
-description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
-ms.reviewer:
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 03/05/2019
----
-
-# Testing scenarios for Windows Information Protection (WIP)
-**Applies to:**
-
-- Windows 10, version 1607 and later
-
-We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
-
-## Testing scenarios
-You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization.
-
->[!IMPORTANT]
->If any of these scenarios does not work, first take note of whether WIP has been revoked. If it has, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted.
-
-- **Encrypt and decrypt files using File Explorer**:
-
- 1. Open File Explorer, right-click a work document, and then click **Work** from the **File Ownership** menu.
-
- Make sure the file is encrypted by right-clicking the file again, clicking **Advanced** from the **General** tab, and then clicking **Details** from the **Compress or Encrypt attributes** area. The file should show up under the heading, **This enterprise domain can remove or revoke access:** `*
| July 2024 |
-| DirectAccess | DirectAccess is deprecated and will be removed in a future release of Windows. We recommend [migrating from DirectAccess to Always On VPN](/windows-server/remote/remote-access/da-always-on-vpn-migration/da-always-on-migration-overview). | June 2024 |
+| Legacy DRM services | Legacy DRM services, used by either Windows Media Player, Silverlight clients, Windows 7, or Windows 8 clients are deprecated. The following functionality won't work when these services are fully retired:
| September 2024 |
+| Paint 3D | Paint 3D is deprecated and will be removed from the Microsoft Store on November 4, 2024. To view and edit 2D images, you can use [Paint](https://apps.microsoft.com/detail/9pcfs5b6t72h) or [Photos](https://apps.microsoft.com/detail/9wzdncrfjbh4). For viewing 3D content, you can use [3D Viewer](https://apps.microsoft.com/detail/9nblggh42ths). For more information, see [Resources for deprecated features](deprecated-features-resources.md#paint-3d). | August 2024 |
+| Adobe Type1 fonts | Adobe PostScript Type1 fonts are deprecated and support will be removed in a future release of Windows. In January 2023, Adobe announced the [end of support for PostScript Type1 fonts](https://helpx.adobe.com/fonts/kb/postscript-type-1-fonts-end-of-support.html) for their latest software offerings. Remove any dependencies on this font type by selecting a supported font type. To display currently installed fonts, go to **Settings** > **Personalization** > **Fonts**. Application developers and content owners should test their apps and data files with the Adobe Type1 fonts removed. For more information, contact the application vendor or Adobe. | August 2024 |
+| DirectAccess | DirectAccess is deprecated and will be removed in a future release of Windows. We recommend [migrating from DirectAccess to Always On VPN](/windows-server/remote/remote-access/da-always-on-vpn-migration/da-always-on-migration-overview). | June 2024 |
| NTLM | All versions of [NTLM](/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | June 2024 |
-| Driver Verifier GUI (verifiergui.exe) | Driver Verifier GUI, verifiergui.exe, is deprecated and will be removed in a future version of Windows. You can use the [Verifier Command Line](/windows-hardware/drivers/devtest/verifier-command-line) (verifier.exe) instead of the Driver Verifier GUI.| May 2024 |
+| Driver Verifier GUI (verifiergui.exe) | Driver Verifier GUI, verifiergui.exe, is deprecated and will be removed in a future version of Windows. You can use the [Verifier Command Line](/windows-hardware/drivers/devtest/verifier-command-line) (verifier.exe) instead of the Driver Verifier GUI.| May 2024 |
| NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 |
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
| Test Base | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
@@ -73,7 +75,7 @@ The features in this article are no longer being actively developed, and might b
| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
| Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content isn't applicable. If you aren't sure which type of processor you have, check **Settings** > **System** > **About**. Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
| Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service was replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
-| Windows Information Protection | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).
For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |
+| Windows Information Protection | [Windows Information Protection](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).
For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |
| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client.
The following items might not be available in a future release of Windows client:
- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
| Windows Management Instrumentation command-line (WMIC) utility. | The WMIC utility is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This utility is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation applies to only the [command-line management utility](/windows/win32/wmisdk/wmic). WMI itself isn't affected. **[Update - January 2024]**: Currently, WMIC is a Feature on Demand (FoD) that's [preinstalled by default](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#wmic) in Windows 11, versions 23H2 and 22H2. In the next release of Windows, the WMIC FoD will be disabled by default. | 21H1 |
@@ -104,7 +106,7 @@ The features in this article are no longer being actively developed, and might b
|IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
|RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
|Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 |
-|Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work provided your clients are running an up-to-date version of: - Windows 11 - Windows 10, version 21H2, or later | 1709 |
+|Sync your settings (updated: July, 30, 2024) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. As part of this change, we will stop supporting the Device Syncing Settings and App Data report. All other **Sync your settings** options will continue to work provided your clients are running an up-to-date version of: - Windows 11 - Windows 10, version 21H2, or later | 1709 |
|System Image Backup (SIB) Solution|This feature is also known as the **Backup and Restore (Windows 7)** legacy control panel. For full-disk backup solutions, look for a third-party product from another software publisher. You can also use [OneDrive](/onedrive/) to sync data files with Microsoft 365.| 1709 |
|TLS RC4 Ciphers |To be disabled by default. For more information, see [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 |
|Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index d51e184c00..586828841b 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -60,7 +60,9 @@
"Stacyrch140",
"garycentric",
"dstrome",
- "beccarobins"
+ "beccarobins",
+ "padmagit77",
+ "aditisrivastava07"
],
"searchScope": [
"Windows 10"
@@ -71,4 +73,4 @@
"dest": "win-whats-new",
"markdownEngineName": "markdig"
}
-}
\ No newline at end of file
+}
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index 911043127c..f19e236cd4 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -16,7 +16,7 @@ metadata:
ms.author: aaroncz
manager: aaroncz
ms.date: 07/01/2024
- localization_priority: medium
+ ms.localizationpriority: medium
landingContent:
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 315ac95603..9c94a7e808 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -82,10 +82,7 @@ With the increase of employee-owned devices in the enterprise, there's also an i
Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
-- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
-- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
-
-[Learn more about Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip)
+[Learn more about Windows Information Protection (WIP)](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
### Windows Defender
@@ -107,7 +104,7 @@ With the growing threat from more sophisticated targeted attacks, a new security
### VPN security
- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Microsoft Entra ID, to provide a device compliance option for remote clients.
-- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
+- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure).
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 6e5084a543..9f16b31604 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -158,9 +158,9 @@ Improvements have been added to Windows Information Protection and BitLocker.
Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection.
-Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure).
+Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure).
-You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For more information, see [How to collect Windows Information Protection (WIP) audit event logs](/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs).
+You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For more information, see [How to collect Windows Information Protection (WIP) audit event logs](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/collect-wip-audit-event-logs).
This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive files on-demand for the enterprise](https://techcommunity.microsoft.com/t5/microsoft-onedrive-blog/onedrive-files-on-demand-for-the-enterprise/ba-p/117234).
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index 62733bd8d1..a348f85ad3 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -60,7 +60,7 @@ To upgrade directly to Windows 11, eligible Windows 10 devices must meet both of
> [!NOTE]
>
> - S mode is only supported on the Home edition of Windows 11.
-> - If you're running a different edition of Windows in S mode, before upgrading to Windows 11, first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode).
+> - If you're running a different edition of Windows in S mode, before upgrading to Windows 11, first [switch out of S mode](/previous-versions/windows/it-pro/windows-10/deployment/s-mode/switch-edition-from-s-mode).
> - To switch a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you can't switch back to S mode later.
## Feature-specific requirements