**-OR-**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index 0b1edff4cd..9fe7dca247 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -37,8 +37,8 @@ current version of Internet Explorer. Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel. ->[!Note] ->If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app. +> [!NOTE] +> If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app. ## Internet Explorer 11 automatic upgrades @@ -52,14 +52,14 @@ If you use Automatic Updates in your company, but want to stop your users from a - **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - >[!Note] - >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md). + > [!NOTE] + > The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md). - **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. - >[!Note] - >If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202). + > [!NOTE] + > If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202). Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx). @@ -81,13 +81,13 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There 4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.** - >[!Note] - >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + > [!NOTE] + > If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. 5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - >[!Note] - >The properties for this rule will resemble the following:
- When an update is in Update Rollups
- Approve the update for all computers
- When an update is in Update Rollups
- Approve the update for all computers
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md index e63d79527c..7b0dd491aa 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md @@ -36,8 +36,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all 2. Install the Node.js® package manager, [npm](https://www.npmjs.com/). - >[!Note] - >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source. + > [!NOTE] + > You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source. 3. Open File Explorer and then open the **EMIEWebPortal/** folder. @@ -49,8 +49,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all 6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution. - >[!Note] - >Step 3 of this topic provides the steps to create your database. + > [!NOTE] + > Step 3 of this topic provides the steps to create your database. 7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager. @@ -109,8 +109,8 @@ Create a new Application Pool and the website, by using the IIS Manager. 9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**. - >[!Note] - >You must also make sure that **Anonymous Authentication** is marked as **Enabled**. + > [!NOTE] + > You must also make sure that **Anonymous Authentication** is marked as **Enabled**. ## Step 3 - Create and prep your database Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables. @@ -209,8 +209,8 @@ Register the EMIEScheduler tool and service for production site list changes. 1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\. - >[!Important] - >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files. + > [!IMPORTANT] + > If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files. 2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_. diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md index c5a68132d8..1f9a047156 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md +++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md @@ -85,8 +85,8 @@ To see if the site works in the Internet Explorer 5, Internet Explorer 7, Intern - Run the site in each document mode until you find the mode in which the site works. - >[!NOTE] - >You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10. + > [!NOTE] + > You will need to make sure the User agent string dropdown matches the same browser version as the Document mode dropdown. For example, if you were testing to see if the site works in Internet Explorer 10, you should update the Document mode dropdown to 10 and the User agent string dropdown to Internet Explorer 10. - If you find a mode in which your site works, you will need to add the site domain, sub-domain, or URL to the Enterprise Mode Site List for the document mode in which the site works, or ask the IT administrator to do so. You can add the *x-ua-compatible* meta tag or HTTP header as well. @@ -116,8 +116,8 @@ If IE8 Enterprise Mode doesn't work, IE7 Enterprise Mode will give you the Compa If the site works, inform the IT administrator that the site needs to be added to the IE7 Enterprise Mode section.\ ->[!NOTE] ->Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update. +> [!NOTE] +> Adding the same Web path to the Enterprise Mode and sections of the Enterprise Mode Site List will not work, but we will address this in a future update. ### Update the site for modern web standards diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index 29c8de2486..744df8c766 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -28,8 +28,8 @@ ms.localizationpriority: medium Before you can use a site list with Enterprise Mode, you need to turn the functionality on and set up the system for centralized control. By allowing centralized control, you can create one global list of websites that render using Enterprise Mode. Approximately 65 seconds after Internet Explorer 11 starts, it looks for a properly formatted site list. If a new site list if found, with a different version number than the active list, IE11 loads and uses the newer version. After the initial check, IE11 won’t look for an updated list again until you restart the browser. ->[!NOTE] ->We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. +> [!NOTE] +> We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it's stored locally on your employees' computers so if the centralized file location is unavailable, they can still use Enterprise Mode. **To turn on Enterprise Mode using Group Policy** @@ -63,9 +63,4 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi - [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) - [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) - - - - - diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md index 3a1f3b4596..14fcd048fc 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md @@ -46,14 +46,6 @@ For IE11, the UI has been changed to provide just the controls needed to support ## Where did the search box go? IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider. ->[!NOTE] ->Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md). - - - - - - - - +> [!NOTE] +> Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md). diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md index 710c69e3cb..07e3ce2e2b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-ieak11-to-create-install-packages.md @@ -30,7 +30,7 @@ Before you begin, you should: - **Check the operating system requirements.** Check that the requirements for the computer you're building your installation package from, and the computers you're installing IE11 to, all meet the system requirements for IEAK 11 and IE11. For Internet Explorer requirements, see [System requirements and language support for Internet Explorer 11 (IE11)](system-requirements-and-language-support-for-ie11.md). For IEAK 11 requirements, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md). -- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, System Center System Center 2012 R2 Configuration Manager, or your network. +- **Decide on your distribution method.** Decide how to distribute your custom installation package: Windows Update, Microsoft Endpoint Configuration Manager, or your network. - **Gather URLs and branding and custom graphics.** Collect the URLs for your company's own **Home**, **Search**, and **Support** pages, plus any custom branding and graphic files for the browser toolbar button and the **Favorites** list icons. diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index 98f659748d..4f1c56a922 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -29,8 +29,8 @@ ms.date: 05/10/2018 The Internet Explorer 11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the **Automatic Updates** feature of Windows Update. ->[!IMPORTANT] ->The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. +> [!IMPORTANT] +> The IE11 Blocker Toolkit does not stop users from manually installing IE11 from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?linkid=327753). Also, even if you have installed previous versions of the toolkit before, like for Internet Explorer 10, you still need to install this version to prevent the installation of IE11. ## Install the toolkit @@ -69,13 +69,13 @@ If you use Automatic Updates in your company, but want to stop your users from a - **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - >[!NOTE] + > [!NOTE] >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11). - **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. ->[!NOTE] ->If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. +> [!NOTE] +> If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. ### Prevent automatic installation of Internet Explorer 11 with WSUS @@ -90,13 +90,13 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There 4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.** - >[!NOTE] - >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + > [!NOTE] + > If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. 5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - >[!NOTE] - >The properties for this rule will resemble the following:
- When an update is in Update Rollups
- Approve the update for all computers
- When an update is in Update Rollups
- Approve the update for all computers
Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources: diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md index 7b0db0bbc4..9ae559b4b4 100644 --- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md @@ -98,14 +98,14 @@ Pressing the **F1** button on the **Automatic Version Synchronization** page of ## Certificate installation does not work on IEAK 11 IEAK 11 doesn't install certificates added using the Add a Root Certificate page of the Internet Explorer Customization Wizard 11. Administrators can manually install certificates using the Certificates Microsoft Management Console snap-in (Certmgr.msc) or using the command-line tool, Certificate Manager (Certmgr.exe). ->[!NOTE] ->This applies only when using the External licensing mode of IEAK 11. +> [!NOTE] +> This applies only when using the External licensing mode of IEAK 11. ## The Additional Settings page appears in the wrong language when using a localized version of IEAK 11 When using IEAK 11 in other languages, the settings on the Additional Settings page appear in the language of the target platform, regardless of the IEAK 11 language. ->[!NOTE] ->This applies only when using the Internal licensing mode of IEAK 11. +> [!NOTE] +> This applies only when using the Internal licensing mode of IEAK 11. To work around this issue, run the customization wizard following these steps: 1. On the **Language Selection** page, select the language that matches the language of your installed IEAK 11. diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md index 5e8b4e979e..06b86bce15 100644 --- a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md +++ b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md @@ -32,8 +32,8 @@ IEAK 10 and newer includes the ability to install using one of the following ins - Internal - External ->[!NOTE] ->IEAK 11 works in network environments, with or without Microsoft Active Directory service. +> [!NOTE] +> IEAK 11 works in network environments, with or without Microsoft Active Directory service. ### Corporations diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md index 03bed1bfc3..8cc17b758c 100644 --- a/devices/hololens/hololens-FAQ.md +++ b/devices/hololens/hololens-FAQ.md @@ -1,5 +1,5 @@ --- -title: Frequently asked questions about HoloLens and holograms +title: Frequently asked questions about HoloLens devices and holograms description: Do you have a quick question about HoloLens or interacting with holograms? This article provides a quick answer and more resources. keywords: hololens, faq, known issue, help ms.prod: hololens @@ -9,130 +9,134 @@ ms.author: v-tea ms.topic: article audience: ITPro ms.localizationpriority: medium -ms.date: 10/30/2019 +ms.date: 02/27/2020 ms.reviewer: +ms.custom: +- CI 114606 +- CSSTroubleshooting manager: jarrettr appliesto: - HoloLens (1st gen) - HoloLens 2 --- -# HoloLens and holograms: Frequently asked questions +# Frequently asked questions about HoloLens devices and holograms -Here are some answers to questions you might have about using HoloLens, placing holograms, working with spaces, and more. +This article answers some questions that you may have about how to use HoloLens, including how to place holograms, work with spaces, and more. -Any time you're having problems, make sure HoloLens is [charged up](https://support.microsoft.com/help/12627/hololens-charge-your-hololens). Try [restarting it](hololens-restart-recover.md) to see if that fixes things. And please use the Feedback app to send us info about the issue—you'll find it on the [**Start** menu](holographic-home.md). +Any time that you have problems, make sure that HoloLens is [charged up](https://support.microsoft.com/help/12627/hololens-charge-your-hololens). Try [restarting it](hololens-restart-recover.md) to see whether that fixes things. And please use the Feedback app to send us information about the issue. You'll find the Feedback app on the [**Start** menu](holographic-home.md). -For tips about wearing your HoloLens, see [HoloLens fit and comfort: FAQ](https://support.microsoft.com/help/13405/hololens-fit-and-comfort-faq). +For tips about hwo to wear your HoloLens, see [HoloLens (1st gen) fit and comfort frequently asked questions](hololens1-fit-comfort-faq.md). -This FAQ addresses the following questions and issues: +This article addresses the following questions and issues: - [My holograms don't look right or are moving around](#my-holograms-dont-look-right-or-are-moving-around) - [I see a message that says "Finding your space"](#i-see-a-message-that-says-finding-your-space) -- [I'm not seeing the holograms I expect to see in my space](#im-not-seeing-the-holograms-i-expect-to-see-in-my-space) -- [I can't place holograms where I want](#i-cant-place-holograms-where-i-want) +- [I'm not seeing the holograms that I expect to see in my space](#im-not-seeing-the-holograms-that-i-expect-to-see-in-my-space) +- [I can't place holograms where I want to](#i-cant-place-holograms-where-i-want-to) - [Holograms disappear or are encased in other holograms or objects](#holograms-disappear-or-are-encased-in-other-holograms-or-objects) - [I can see holograms that are on the other side of a wall](#i-can-see-holograms-that-are-on-the-other-side-of-a-wall) -- [When I place a hologram on a wall, it seems to float](#when-i-place-a-hologram-on-a-wall-it-seems-to-float) +- [When I place a hologram on a wall, the hologram seems to float](#when-i-place-a-hologram-on-a-wall-the-hologram-seems-to-float) - [Apps appear too close to me when I'm trying to move them](#apps-appear-too-close-to-me-when-im-trying-to-move-them) - [I'm getting a low disk space error](#im-getting-a-low-disk-space-error) - [HoloLens doesn't respond to my gestures](#hololens-doesnt-respond-to-my-gestures) - [HoloLens doesn't respond to my voice](#hololens-doesnt-respond-to-my-voice) - [I'm having problems pairing or using a Bluetooth device](#im-having-problems-pairing-or-using-a-bluetooth-device) -- [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker) +- [HoloLens Settings lists devices as available, but the devices don't work](#hololens-settings-lists-devices-as-available-but-the-devices-dont-work) +- [I'm having problems using the HoloLens clicker](#im-having-problems-using-the-hololens-clicker) - [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi) - [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start) -- [HoloLens Management Questions](#hololens-management-questions) -- [HoloLens Security Questions](#hololens-security-questions) +- [I can't sign in to a HoloLens device because it was previously set up for someone else](#i-cant-sign-in-to-a-hololens-device-because-it-was-previously-set-up-for-someone-else) +- [Questions about managing HoloLens devices](#questions-about-managing-hololens-devices) +- [Questions about securing HoloLens devices](#questions-about-securing-hololens-devices) - [How do I delete all spaces?](#how-do-i-delete-all-spaces) - [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator) -- [I can't log in to a HoloLens because it was previously set up for someone else](#i-cant-log-in-to-a-hololens-because-it-was-previously-set-up-for-someone-else) ## My holograms don't look right or are moving around If your holograms don't look right (for example, they're jittery or shaky, or you see black patches on top of them), try one of these fixes: - [Clean your device visor](hololens1-hardware.md#care-and-cleaning) and make sure nothing is blocking the sensors. -- Make sure you're in a well-lit room without a lot of direct sunlight. -- Try walking around and gazing at your surroundings so HoloLens can scan them more completely. +- Make sure that you're in a well-lit room that does not have a lot of direct sunlight. +- Try walking around and gazing at your surroundings so that HoloLens can scan them more completely. - If you've placed a lot of holograms, try removing some. -If you're still having problems, trying running the Calibration app, which calibrates your HoloLens just for you, to help keep your holograms looking their best. Go to **Settings **>** System **>** Utilities**. Under Calibration, select **Open Calibration**. +If you're still having problems, trying running the Calibration app. This app calibrates your HoloLens just for you to help keep your holograms looking their best. To do this, go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**. [Back to list](#list) -## I see a message that says Finding your space +## I see a message that says "Finding your space" -When HoloLens is learning or loading a space, you might see a brief message that says "Finding your space." If this message continues for more than a few seconds, you'll see another message under the Start menu that says "Still looking for your space." +When HoloLens is learning or loading a space, you may see a brief message that says "Finding your space." If this message displays for more than a few seconds, you'll see another message under the Start menu that says "Still looking for your space." -These messages mean that HoloLens is having trouble mapping your space. When this happens, you'll be able to open apps, but you won't be able to place holograms in your environment. +These messages mean that HoloLens is having trouble mapping your space. When this happens, you can open apps, but you can't place holograms in your environment. -If you see these messages often, try the following: +If you see these messages often, try one or more of the following fixes: -- Make sure you're in a well-lit room without a lot of direct sunlight. -- Make sure your device visor is clean. [Learn how](hololens1-hardware.md#care-and-cleaning). -- Make sure you have a strong Wi-Fi signal. If you enter a new environment that has no Wi-Fi or a weak signal, HoloLens won't be able find your space. Check your Wi-Fi connection by going to **Settings **> **Network & Internet** >** Wi-Fi**. +- Make sure that you're in a well-lit room that does not have a lot of direct sunlight. +- Make sure that your device visor is clean. [Learn how to clean your visor](hololens1-hardware.md#care-and-cleaning). +- Make sure that you have a strong Wi-Fi signal. If you enter a new environment that has no Wi-Fi or a weak Wi-Fi signal, HoloLens won't be able find your space. Check your Wi-Fi connection by going to **Settings** > **Network & Internet** > **Wi-Fi**. - Try moving more slowly. [Back to list](#list) -## I'm not seeing the holograms I expect to see in my space +## I'm not seeing the holograms that I expect to see in my space -If you don't see holograms you placed, or you're seeing some you don't expect, try the following: +If you don't see the holograms that you placed, or if you're seeing some that you don't expect, try one or more of the following fixes: -- Try turning on some lights. HoloLens works best in a well-lit space. -- Remove holograms you don't need by going to **Settings** > **System** > **Holograms** > **Remove nearby holograms**. Or, if needed, select **Remove all holograms**. +- Turn on some lights. HoloLens works best in a well-lit space. +- Remove holograms that you don't need by going to **Settings** > **System** > **Holograms** > **Remove nearby holograms**. Or, if needed, select **Remove all holograms**. > [!NOTE] > If the layout or lighting in your space changes significantly, your device might have trouble identifying your space and showing your holograms. [Back to list](#list) -## I can't place holograms where I want +## I can't place holograms where I want to Here are some things to try if you're having trouble placing holograms: -- Stand about 1 to 3 meters from where you're trying to place the hologram. +- Stand between one and three meters from where you're trying to place the hologram. - Don't place holograms on black or reflective surfaces. -- Make sure you're in a well-lit room without a lot of direct sunlight. +- Make sure that you're in a well-lit room that does not have a lot of direct sunlight. - Walk around the rooms so HoloLens can rescan your surroundings. To see what's already been scanned, air tap to reveal the mapping mesh graphic. [Back to list](#list) ## Holograms disappear or are encased in other holograms or objects -If you get too close to a hologram, it will temporarily disappear—just move away from it. Also, if you've placed a lot of holograms close together, some may disappear. Try removing a few. +If you get too close to a hologram, it will temporarily disappear—to restore the hologram, just move away from it. Also, if you've placed several holograms close together, some may disappear. Try removing a few. -Holograms can also be blocked or encased by other holograms or by objects such as walls. If this happens, try one of the following: +Holograms can also be blocked or encased by other holograms or by objects such as walls. If this happens, try one of the following fixes: -- If the hologram is encased in another hologram, move it to another location: select **Adjust**, then tap and hold to position it. +- If the hologram is encased in another hologram, move the encased hologram to another location. To do this, select **Adjust**, then tap and hold to position it. - If the hologram is encased in a wall, select **Adjust**, then walk toward the wall until the hologram appears. Tap and hold, then pull the hologram forward and out of the wall. -- If you can't move the hologram with gestures, use your voice to remove it. Gaze at the hologram, then say "Remove." Then reopen it and place it in a new location. +- If you can't move the hologram by using gestures, use your voice to remove it. Gaze at the hologram, then say "Remove." Then reopen the hologram and place it in a new location. [Back to list](#list) ## I can see holograms that are on the other side of a wall -If you're very close to a wall, or if HoloLens hasn't scanned the wall yet, you'll be able to see holograms that are in the next room. Stand 1 to 3 meters from the wall and gaze to scan it. +If you're very close to a wall, or if HoloLens hasn't scanned the wall yet, you can see holograms that are in the next room. To scan the wall, stand between one and three meters from the wall and gaze at it. -If HoloLens has problems scanning the wall, it might be because there's a black or reflective object nearby (for example, a black couch or a stainless steel refrigerator). If there is, scan the other side of the wall. +A black or reflective object (for example, a black couch or a stainless steel refrigerator) near the wall may cause problems when HoloLens tries to scan the wall. If there is such an object, scan the other side of the wall. [Back to list](#list) -## When I place a hologram on a wall, it seems to float +## When I place a hologram on a wall, the hologram seems to float -Holograms placed on walls will appear to be an inch or so away from the wall. If they appear farther away, try the following: +A hologram that you place on a wall typically appears to be an inch or so away from the wall. If it appears to be farther away, try one or more of the following fixes: -- Stand 1 to 3 meters from the wall when you place a hologram and face the wall straight on. -- Air tap the wall to reveal the mapping mesh graphic. Make sure the mesh is lined up with the wall. If it isn't, remove the hologram, rescan the wall, and try again. +- When you place a hologram on a wall, stand between one and three meters from the wall and face the wall straight on. +- Air tap the wall to reveal the mapping mesh graphic. Make sure that the mesh aligns with the wall. If it doesn't, remove the hologram, rescan the wall, and then try again. - If the issue persists, run the Calibration app. You'll find it in **Settings** > **System** > **Utilities**. [Back to list](#list) ## Apps appear too close to me when I'm trying to move them -Try walking around and looking at the area where you're placing the app so HoloLens will scan it from different angles. [Cleaning your device visor](hololens1-hardware.md#care-and-cleaning) may also help. +Try walking around and looking at the area where you're placing the app so that HoloLens scans the area from different angles. [Cleaning your device visor](hololens1-hardware.md#care-and-cleaning) may also help. [Back to list](#list) @@ -140,21 +144,38 @@ Try walking around and looking at the area where you're placing the app so HoloL Free up some storage space by doing one or more of the following: -- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](holographic-data.md) +- Remove some of the holograms that you've placed, or remove some saved data from within apps. [How do I find my data?](holographic-data.md) - Delete some pictures and videos in the Photos app. -- Uninstall some apps from your HoloLens. In the All apps list, tap and hold the app you want to uninstall, then select **Uninstall**. (This will also delete any of the app's data stored on the device.) +- Uninstall some apps from your HoloLens. In the **All apps** list, tap and hold the app you want to uninstall, then select **Uninstall**. (Uninstalling the app also deletes any data that the app stores on the device.) [Back to list](#list) ## HoloLens doesn't respond to my gestures -To make sure HoloLens can see your gestures, keep your hand in the gesture frame, which extends a couple of feet on either side of you. HoloLens can also best see your hand when you hold it about 18 inches in front of your body (though you don't have to be precise about this). When HoloLens can see your hand, the cursor will change from a dot to a ring. Learn more about [using gestures in HoloLens 2](hololens2-basic-usage.md) or [using gestures in HoloLens (1st gen)](hololens1-basic-usage.md). +To make sure that HoloLens can see your gestures, keep your hand in the gesture frame. The gesture frame extends a couple of feet on either side of you. HoloLens can also best see your hand when you hold it about 18 inches in front of your body (though you don't have to be precise about this). When HoloLens can see your hand, the cursor changes from a dot to a ring. Learn more about [using gestures in HoloLens 2](hololens2-basic-usage.md) or [using gestures in HoloLens (1st gen)](hololens1-basic-usage.md). [Back to list](#list) ## HoloLens doesn't respond to my voice -If Cortana isn't responding to your voice, make sure Cortana is on. In the **All apps** list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md). +HoloLens (1st gen) and HoloLens 2 have built-in speech recognition, and also support Cortana (online speech recognition). + +### Built-in voice commands do not work + +On HoloLens (1st gen), built-in speech recognition is not configurable. It is always turned on. On HoloLens 2, you can choose whether to turn on both speech recognition and Cortana during device setup. + +If your HoloLens 2 is not responding to your voice, make sure Speech recognition is turned on. Go to **Start** > **Settings** > **Privacy** > **Speech** and turn on **Speech recognition**. + +### Cortana or Dictation doesn't work + +If Cortana or Dictation isn't responding to your voice, make sure online speech recognition is turned on. Go to **Start** > **Settings** > **Privacy** > **Speech** and verify the **Online speech recognition** settings. + +If Cortana is still not responding, do one of the following to verify that Cortana itself is turned on: + +- In **All apps**, select **Cortana** > select **Menu** > **Notebook** > **Settings** to make changes. +- On HoloLens 2, select the **Speech settings** button or say "Speech settings." + +To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md). [Back to list](#list) @@ -162,42 +183,46 @@ If Cortana isn't responding to your voice, make sure Cortana is on. In the **All If you're having problems [pairing a Bluetooth device](hololens-connect-devices.md), try the following: -- Go to **Settings** > **Devices** and make sure Bluetooth is turned on. If it is, try turning if off and on again. -- Make sure your Bluetooth device is fully charged or has fresh batteries. -- If you still can't connect, [restart your HoloLens](hololens-recovery.md). - -If you're having trouble using a Bluetooth device, make sure it's a supported device. Supported devices include: - -- English-language QWERTY Bluetooth keyboards, which can be used anywhere you use the holographic keyboard. -- Bluetooth mice. -- The [HoloLens clicker](hololens1-clicker.md). - -Other Bluetooth HID and GATT devices can be paired, but they might require a companion app from Microsoft Store to work with HoloLens. - -HoloLens doesn't support Bluetooth audio profiles. Bluetooth audio devices, such as speakers and headsets, may appear as available in HoloLens settings, but they aren't supported. +- Go to **Settings** > **Devices**, and make sure that Bluetooth is turned on. If it is, turn it off and on again. +- Make sure that your Bluetooth device is fully charged or has fresh batteries. +- If you still can't connect, [restart the HoloLens](hololens-recovery.md). [Back to list](#list) -## I'm having problems with the HoloLens clicker +## HoloLens Settings lists devices as available, but the devices don't work -Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. Additional clicker gestures may vary from app to app. +HoloLens doesn't support Bluetooth audio profiles. Bluetooth audio devices, such as speakers and headsets, may appear as available in HoloLens settings, but they aren't supported. -If you're having trouble using the clicker, make sure its charged and paired with your HoloLens. If the battery is low, the indicator light will blink amber. To see if its paired, go to **Settings** > **Devices** and see if it shows up there. [Pair the clicker](hololens-connect-devices.md#pair-the-clicker). +If you're having trouble using a Bluetooth device, make sure that it's a supported device. Supported devices include the following: + +- English-language QWERTY Bluetooth keyboards (you can use these anywhere that you use the holographic keyboard). +- Bluetooth mice. +- The [HoloLens clicker](hololens1-clicker.md). + +You can pair other Bluetooth HID and GATT devices together with your HoloLens. However, you may have to install corresponding companion apps from Microsoft Store to actually use the devices. + +[Back to list](#list) + +## I'm having problems using the HoloLens clicker + +Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. Individial apps may support additional clicker gestures. + +If you're having trouble using the clicker, make sure that it's charged and paired with your HoloLens. If the battery is low, the indicator light blinks amber. To verify that the clicker is paired, go to **Settings** > **Devices** and see if it shows up there. For more information, see [Pair the clicker](hololens-connect-devices.md#pair-the-clicker). If the clicker is charged and paired and you're still having problems, reset it by holding down the main button and the pairing button for 15 seconds. Then pair the clicker with your HoloLens again. -If that doesn't help, see [Restart or recover the HoloLens clicker](hololens1-clicker.md#restart-or-recover-the-clicker). +If resetting the clicker doesn't help, see [Restart or recover the HoloLens clicker](hololens1-clicker.md#restart-or-recover-the-clicker). [Back to list](#list) ## I can't connect to Wi-Fi -Here are some things to try if you can't connect to Wi-Fi on HoloLens: +Here are some things to try if you can't connect your HoloLens to a Wi-Fi network: -- Make sure Wi-Fi is turned on. Bloom to go to Start, then select **Settings** > **Network & Internet** > **Wi-Fi** to check. If Wi-Fi is on, try turning it off and on again. +- Make sure that Wi-Fi is turned on. To check, use the Start gesture, then select **Settings** > **Network & Internet** > **Wi-Fi**. If Wi-Fi is on, try turning it off and then on again. - Move closer to the router or access point. - Restart your Wi-Fi router, then [restart HoloLens](hololens-recovery.md). Try connecting again. -- If none of these things work, check to make sure your router is using the latest firmware. You can find this information on the manufacturers website. +- If none of these things work, check to make sure that your router is using the latest firmware. You can find this information on the manufacturer website. [Back to list](#list) @@ -207,35 +232,51 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe [Back to list](#list) +## I can't sign in to a HoloLens device because it was previously set up for someone else -## I can't log in to a HoloLens because it was previously set up for someone else +If your device was previously set up for someone else, either for a client or for a former employee, and you don't have their password to unlock the device, you can do one of the following: -If your device was previously set up for someone else, either a client or former employee and you don't have their password to unlock the device there are two solutions. -- If your device is MDM managed by Intune then you can remotely [Wipe](https://docs.microsoft.com/intune/remote-actions/devices-wipe) the device and it'll reflash itself. Make sure to leave **Retain enrollment state and user account** unchecked. -- If you have the device with you then you can put the device into **Flashing Mode** and use Advanced Recovery Companion to [recover](https://docs.microsoft.com/hololens/hololens-recovery) the device. +- For a device that is enrolled in Intune mobile device management (MDM), you can use Intune to remotely [wipe](https://docs.microsoft.com/intune/remote-actions/devices-wipe) the device. The device then re-flashes itself. + > [!IMPORTANT] + > When you wipe the device, make sure to leave **Retain enrollment state and user account** unchecked. +- For a non-MDM device, you can [put the device into **Flashing Mode** and use Advanced Recovery Companion](hololens-recovery.md#re-install-the-operating-system) to recover the device. [Back to list](#list) -## HoloLens Management Questions +## Questions about managing HoloLens devices -1. **Can I use SCCM to manage the HoloLens?** - 1. No. An MDM must be used to manage the HoloLens -1. **Can I use Active Directory to manage HoloLens user accounts?** - 1. No, Azure AD must be used to manage user accounts. -1. **Is the HoloLens capable of ADCS auto enrollment?** - 1. No -1. **Can the HoloLens participate in WNA/IWA?** - 1. No -1. **Does the HoloLens support branding?** - 1. No. However, one work around is to create a custom app and enable Kiosk mode. The custom app can have branding which can then launch other apps (such as Remote Assist). Another option is to change all of the users profile pictures in AAD to your company logo. (However, this may not be desirable for all scenarios) -1. **What logging capabilities are available on HL1 and HL2?** - 1. Logging is limited to traces captured in developer/troubleshooting scenarios or telemetry sent to Microsoft servers. +### Can I use System Center Configuration Manager (SCCM) to manage HoloLens devices? + +No. You have to use an MDM system to manage HoloLens devices. + +### Can I use Active Directory Domain Services (AD DS) to manage HoloLens user accounts? + +No. You have to use Azure Active Directory (AAD) to manage user accounts for HoloLens devices. + +### Is HoloLens capable of Automated Data Capture Systems (ADCS) auto-enrollment? + +No. + +### Can HoloLens participate in Integrated Windows Authentication? + +No. + +### Does HoloLens support branding? + +No. However, you can work around this issue by using one of the following approaches: + +- Create a custom app, and then [enable Kiosk mode](hololens-kiosk.md). The custom app can have branding, and can launch other apps (such as Remote Assist). +- Change all of the user profile pictures in AAD to your company logo. However, this may not be desirable for all scenarios. + +### What logging capabilities do HoloLens (1st gen) and HoloLens 2 offer? + +Logging is limited to traces that can be captured in development or troubleshooting scenarios, or telemetry that the devices send to Microsoft servers. [Back to list](#list) -## HoloLens Security Questions +## Questions about securing HoloLens devices -Frequently asked security questions can be found [here](hololens-faq-security.md). +See [frequently asked questions about securing HoloLens devices](hololens-faq-security.md). [Back to list](#list) diff --git a/devices/hololens/hololens-commercial-infrastructure.md b/devices/hololens/hololens-commercial-infrastructure.md index 476398d791..98ec5c6e06 100644 --- a/devices/hololens/hololens-commercial-infrastructure.md +++ b/devices/hololens/hololens-commercial-infrastructure.md @@ -65,8 +65,8 @@ Guides only require network access to download and use the app. ## Azure Active Directory Guidance ->[!NOTE] ->This step is only necessary if your company plans on managing the HoloLens. +> [!NOTE] +> This step is only necessary if your company plans on managing the HoloLens. 1. Ensure that you have an Azure AD License. Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for additional information. @@ -100,8 +100,9 @@ These steps ensure that your company’s users (or a group of users) can add dev ### Ongoing device management ->[!NOTE] ->This step is only necessary if your company plans to manage the HoloLens. +> [!NOTE] +> This step is only necessary if your company plans to manage the HoloLens. + Ongoing device management will depend on your mobile device management infrastructure. Most have the same general functionality but the user interface may vary widely. 1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. A list of CSPs for HoloLens can be found [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices). @@ -151,8 +152,8 @@ Steps for SCEP can be found [here](https://docs.microsoft.com/intune/protect/cer ### How to Upgrade to Holographics for Business Commercial Suite ->[!NOTE] ->Windows Holographics for Business (commercial suite) is only intended for HoloLens 1st gen devices. The profile will not be applied to HoloLens 2 devices. +> [!NOTE] +> Windows Holographics for Business (commercial suite) is only intended for HoloLens 1st gen devices. The profile will not be applied to HoloLens 2 devices. Directions for upgrading to the commercial suite can be found [here](https://docs.microsoft.com/intune/configuration/holographic-upgrade). diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 82ded27dd3..05d9a46105 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -36,8 +36,8 @@ Get around HoloLens faster with these basic commands. In order to use these you Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying “select.” ->[!NOTE] ->Hand rays are not supported on HoloLens (1st Gen). +> [!NOTE] +> Hand rays are not supported on HoloLens (1st Gen). | Say this | To do this | | - | - | diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md index 6c8b9118e6..af44d41fb3 100644 --- a/devices/hololens/hololens-encryption.md +++ b/devices/hololens/hololens-encryption.md @@ -51,22 +51,22 @@ Provisioning packages are files created by the Windows Configuration Designer to 1. Find the XML license file that was provided when you purchased the Commercial Suite. 1. Browse to and select the XML license file that was provided when you purchased the Commercial Suite. - >[!NOTE] - >You can configure [additional settings in the provisioning package](hololens-provisioning.md). + > [!NOTE] + > You can configure [additional settings in the provisioning package](hololens-provisioning.md). 1. On the **File** menu, click **Save**. 1. Read the warning explaining that project files may contain sensitive information and click **OK**. - >[!IMPORTANT] - >When you build a provisioning package, you may include sensitive information in the project files and provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when no longer needed. + > [!IMPORTANT] + > When you build a provisioning package, you may include sensitive information in the project files and provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when no longer needed. 1. On the **Export** menu, click **Provisioning package**. 1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next**. 1. Set a value for **Package Version**. - >[!TIP] - >You can make changes to existing packages and change the version number to update previously applied packages. + > [!TIP] + > You can make changes to existing packages and change the version number to update previously applied packages. 1. On the **Select security details for the provisioning package**, click **Next**. 1. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. @@ -87,8 +87,8 @@ Provisioning packages are files created by the Windows Configuration Designer to 1. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package. 1. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with device setup. ->[!NOTE] ->If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. +> [!NOTE] +> If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. ## Verify device encryption diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md index dc042a0f9f..c8b54ac1f2 100644 --- a/devices/hololens/hololens-enroll-mdm.md +++ b/devices/hololens/hololens-enroll-mdm.md @@ -20,8 +20,8 @@ appliesto: You can manage multiple Microsoft HoloLens devices simultaneously using solutions like [Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business). You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. See [Manage devices running Windows Holographic with Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business), the [configuration service providers (CSPs) that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens), and the [policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies). ->[!NOTE] ->Mobile device management (MDM), including the VPN, Bitlocker, and kiosk mode features, is only available when you [upgrade to Windows Holographic for Business](hololens1-upgrade-enterprise.md). +> [!NOTE] +> Mobile device management (MDM), including the VPN, Bitlocker, and kiosk mode features, is only available when you [upgrade to Windows Holographic for Business](hololens1-upgrade-enterprise.md). ## Requirements diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index c5b4546772..5adbb7b0ca 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -45,8 +45,8 @@ To opt out of Insider builds: Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way. ->[!NOTE] ->Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted). +> [!NOTE] +> Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted). ## Note for developers diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index ae870f5847..e895069d36 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -27,15 +27,15 @@ Kiosk mode | Voice and Bloom commands | Quick actions menu | Camera and video | Single-app kiosk |  |  |  |  Multi-app kiosk |  |  with **Home** and **Volume** (default)
Photo and video buttons shown in Quick actions menu if the Camera app is enabled in the kiosk configuration.
Miracast is shown if the Camera app and device picker app are enabled in the kiosk configuration. |  if the Camera app is enabled in the kiosk configuration. |  if the Camera app and device picker app are enabled in the kiosk configuration. ->[!NOTE] ->Use the Application User Model ID (AUMID) to allow apps in your kiosk configuration. The Camera app AUMID is `HoloCamera_cw5n1h2txyewy!HoloCamera`. The device picker app AUMID is `HoloDevicesFlow_cw5n1h2txyewy!HoloDevicesFlow`. +> [!NOTE] +> Use the Application User Model ID (AUMID) to allow apps in your kiosk configuration. The Camera app AUMID is `HoloCamera_cw5n1h2txyewy!HoloCamera`. The device picker app AUMID is `HoloDevicesFlow_cw5n1h2txyewy!HoloDevicesFlow`. The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration. ->[!WARNING] ->The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access. +> [!WARNING] +> The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access. > ->Be aware that voice commands are enabled for kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app. +> Be aware that voice commands are enabled for kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app. For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk: - You can use [Microsoft Intune or other mobile device management (MDM) service](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) to configure single-app and multi-app kiosks. @@ -48,15 +48,15 @@ For HoloLens devices running Windows 10, version 1607, you can [use the Windows If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803), or a [provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout. ->[!NOTE] ->Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed. +> [!NOTE] +> Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed. ### Start layout file for MDM (Intune and others) Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile). ->[!NOTE] ->If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-a-provisioning-package). +> [!NOTE] +> If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-a-provisioning-package). ```xml
+ 
### Auto registration — Azure Active Directory Affiliated @@ -44,17 +44,31 @@ For additional supported CSPs, see [Surface Hub CSPs in Windows 10](https://docs ## Quality of Service (QoS) settings -To ensure optimal video and audio quality on Surface Hub 2S, add the following QoS settings to the device. The settings are identical for Skype for Business and Teams. +To ensure optimal video and audio quality on Surface Hub 2S, add the following QoS settings to the device. + +### Microsoft Teams QoS settings |**Name**|**Description**|**OMA-URI**|**Type**|**Value**| |:------ |:------------- |:--------- |:------ |:------- | -|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition | String | 50000-50019 | +|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DestinationPortMatchCondition | String | 3478-3479 | |**Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction | Integer | 46 | -|**Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/SourcePortMatchCondition | String | 50020-50039 | +|**Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DestinationPortMatchCondition | String | 3480 | |**Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction | Integer | 34 | + +### Skype for Business QoS settings + +| Name | Description | OMA-URI | Type | Value | +| ------------------ | ------------------- | ------------------------------------------------------------------------ | ------- | ------------------------------ | +| Audio Ports | Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition | String | 50000-50019 | +| Audio DSCP | Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction | Integer | 46 | +| Audio Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe | +| Video Ports | Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/SourcePortMatchCondition | String | 50020-50039 | +| Video DSCP | Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction | Integer | 34 | +| Video Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe | + > [!NOTE] -> These are the default port ranges. Administrators may change the port ranges in the Skype for Business and Teams control panel. +> Both tables show default port ranges. Administrators may change the port ranges in the Skype for Business and Teams control panel. ## Microsoft Teams Mode settings diff --git a/devices/surface-hub/surface-hub-2s-pen-firmware.md b/devices/surface-hub/surface-hub-2s-pen-firmware.md new file mode 100644 index 0000000000..ce16a5cad3 --- /dev/null +++ b/devices/surface-hub/surface-hub-2s-pen-firmware.md @@ -0,0 +1,67 @@ +--- +title: "Update pen firmware on Surface Hub 2S" +description: "This page describes how to update firmware for the Surface Hub 2 pen." +keywords: separate values with commas +ms.prod: surface-hub +ms.sitesec: library +author: greg-lindsay +ms.author: greglin +manager: laurawi +audience: Admin +ms.topic: article +ms.date: 02/26/2020 +ms.localizationpriority: Medium +--- + +# Update pen firmware on Surface Hub 2S + +You can update firmware on Surface Hub 2 pen from Windows Update for Business or by downloading the firmware update to a separate PC. Updated firmware is available from Windows Update beginning February 26, 2020. + +## Update pen firmware using Windows Update for Business + +This section describes how to update pen firmware via the automated maintenance cycles for Windows Update, configured by default to occur nightly at 3 a.m. You will need to plan for two maintenance cycles to complete before applying the update to the Surface Hub 2 pen. Alternately, like any other update, you can use Windows Server Update Services (WSUS) to apply the pen firmware. For more information, see [Managing Windows updates on Surface Hub](manage-windows-updates-for-surface-hub.md). + +1. Ensure the Surface Hub 2 pen is paired to Surface Hub 2S: Press and hold the **top** button until the white indicator LED light begins to blink.
+
+2. On Surface Hub, login as an Admin, open **Settings**, and then scan for new Bluetooth devices. +3. Select the pen to complete the pairing process. +4. Press the **top** button on the pen to apply the update. It may take up to two hours to complete. + +## Update pen firmware by downloading to separate PC + +You can update the firmware on Surface Hub 2 pen from a separate PC running Windows 10. This method also enables you to verify that the pen firmware has successfully updated to the latest version. + +1. Pair the Surface Hub 2 pen to your Bluetooth-capable PC: Press and hold the **top** button until the white indicator LED light begins to blink.
+
+2. On the PC, scan for new Bluetooth devices. +3. Select the pen to complete the pairing process. +4. Disconnect all other Surface Hub 2s pens before starting a new update. +3. Download the [Surface Hub 2 Pen Firmware Update Tool](https://download.microsoft.com/download/8/3/F/83FD5089-D14E-42E3-AF7C-6FC36F80D347/Pen_Firmware_Tool.zip) to your PC. +4. Run **PenCfu.exe.** The install progress is displayed in the tool. It may take several minutes to finish updating. + + +## Check firmware version of Surface Hub 2 pen + +1. Run **get_version.bat** and press the **top** button on the pen. +2. The tool will report the firmware version of the pen. Example: + - Old firmware is 468.2727.368 + - New firmware is 468.2863.369 + +## Command line options + +You can run Surface Hub 2 Pen Firmware Update Tool (PenCfu.exe) from the command line. + +1. Pair the pen to your PC and click the **top** button on the pen. +2. Double click **PenCfu.exe** to initiate the firmware update. Note that the configuration file and the firmware image files must be stored in the same folder as the tool. +3. For additional options, run **PenCfu.exe -h** to display the available parameters, as listed in the following table. + - Example: PenCfu.exe -h +4. Enter **Ctrl+C** to safely shut down the tool. + + + +| **Command** | **Description** | +| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| -h help | Display tool command line interface help and exit. | +| -v version | Display tool version and exit. | +| -l log-filter | Set a filter level for the log file. Log messages have 4 possible levels: DEBUG (lowest), INFO, WARNING and ERROR (highest). Setting a log filter level filters log messages to only message with the same level or higher. For example, if the filter level is set to WARNING, only WARNING and ERROR messages will be logged. By default, this option is set to OFF, which disables logging. | +| -g get-version | If specified, the tool will only get the FW version of the connected pen that matches the configuration file that is stored in the same folder as the tool. \ No newline at end of file diff --git a/devices/surface/images/manage-surface-uefi-fig4.png b/devices/surface/images/manage-surface-uefi-fig4.png index e956cefeaf..480b1d7f46 100644 Binary files a/devices/surface/images/manage-surface-uefi-fig4.png and b/devices/surface/images/manage-surface-uefi-fig4.png differ diff --git a/devices/surface/images/manage-surface-uefi-fig5-a.png b/devices/surface/images/manage-surface-uefi-fig5-a.png new file mode 100644 index 0000000000..7605291e93 Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig5-a.png differ diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md index 9932a573bc..1a6d09a545 100644 --- a/devices/surface/manage-surface-uefi-settings.md +++ b/devices/surface/manage-surface-uefi-settings.md @@ -1,5 +1,5 @@ --- -title: Manage Surface UEFI settings (Surface) +title: Manage Surface UEFI settings description: Use Surface UEFI settings to enable or disable devices or components, configure security settings, and adjust Surface device boot settings. keywords: firmware, security, features, configure, hardware ms.localizationpriority: medium @@ -10,7 +10,7 @@ ms.pagetype: devices, surface author: dansimp ms.author: dansimp ms.topic: article -ms.date: 07/27/2017 +ms.date: 02/26/2020 ms.reviewer: manager: dansimp --- @@ -61,7 +61,11 @@ You can find up-to-date information about the latest firmware version for your S ## UEFI Security page -The Security page allows you to set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2): + + +*Figure 2. Configure Surface UEFI security settings* + +The Security page allows you to set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 3): - Uppercase letters: A-Z @@ -75,19 +79,20 @@ The password must be at least 6 characters and is case sensitive.  -*Figure 2. Add a password to protect Surface UEFI settings* +*Figure 3. Add a password to protect Surface UEFI settings* -On the Security page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library. +On the Security page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 4. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library.  -*Figure 3. Configure Secure Boot* +*Figure 4. Configure Secure Boot* -You can also enable or disable the Trusted Platform Module (TPM) device on the Security page, as shown in Figure 4. The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library. +Depending on your device, you may also be able to see if your TPM is enabled or disabled. If you do not see the **Enable TPM** setting, open tpm.msc in Windows to check the status, as shown in Figure 5. The TPM is used to authenticate encryption for your device’s data with BitLocker. To learn more, see [BitLocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview). - + + +*Figure 5. TPM console* -*Figure 4. Configure Surface UEFI security settings* ## UEFI menu: Devices @@ -107,11 +112,11 @@ The Devices page allows you to enable or disable specific devices and component - Onboard Audio (Speakers and Microphone) -Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5. +Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 6.  -*Figure 5. Enable and disable specific devices* +*Figure 6. Enable and disable specific devices* ## UEFI menu: Boot configuration @@ -127,11 +132,11 @@ The Boot Configuration page allows you to change the order of your boot devices You can boot from a specific device immediately, or you can swipe left on that device’s entry in the list using the touchscreen. You can also boot immediately to a USB device or USB Ethernet adapter when the Surface device is powered off by pressing the **Volume Down** button and the **Power** button simultaneously. -For the specified boot order to take effect, you must set the **Enable Alternate Boot Sequence** option to **On**, as shown in Figure 6. +For the specified boot order to take effect, you must set the **Enable Alternate Boot Sequence** option to **On**, as shown in Figure 7.  -*Figure 6. Configure the boot order for your Surface device* +*Figure 7. Configure the boot order for your Surface device* You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only. @@ -139,7 +144,7 @@ You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE The Management page allows you to manage use of Zero Touch UEFI Management and other features on eligible devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3.  -*Figure 7. Manage access to Zero Touch UEFI Management and other features* +*Figure 8. Manage access to Zero Touch UEFI Management and other features* Zero Touch UEFI Management lets you remotely manage UEFI settings by using a device profile within Intune called Device Firmware Configuration Interface (DFCI). If you do not configure this setting, the ability to manage eligible devices with DFCI is set to **Ready**. To prevent DFCI, select **Opt-Out**. @@ -151,11 +156,11 @@ For more information, refer to [Intune management of Surface UEFI settings](surf ## UEFI menu: Exit -Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8. +Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 9.  -*Figure 8. Click Restart Now to exit Surface UEFI and restart the device* +*Figure 9. Click Restart Now to exit Surface UEFI and restart the device* ## Surface UEFI boot screens @@ -163,44 +168,44 @@ When you update Surface device firmware, by using either Windows Update or manua  -*Figure 9. The Surface UEFI firmware update displays a blue progress bar* +*Figure 10. The Surface UEFI firmware update displays a blue progress bar*  -*Figure 10. The System Embedded Controller firmware update displays a green progress bar* +*Figure 11. The System Embedded Controller firmware update displays a green progress bar*  -*Figure 11. The SAM Controller firmware update displays an orange progress bar* +*Figure 12. The SAM Controller firmware update displays an orange progress bar*  -*Figure 12. The Intel Management Engine firmware update displays a red progress bar* +*Figure 13. The Intel Management Engine firmware update displays a red progress bar*  -*Figure 13. The Surface touch firmware update displays a gray progress bar* +*Figure 14. The Surface touch firmware update displays a gray progress bar*  -*Figure 14. The Surface KIP firmware update displays a light green progress bar* +*Figure 15. The Surface KIP firmware update displays a light green progress bar*  -*Figure 15. The Surface ISH firmware update displays a light pink progress bar* +*Figure 16 The Surface ISH firmware update displays a light pink progress bar*  -*Figure 16. The Surface Trackpad firmware update displays a pink progress bar* +*Figure 17. The Surface Trackpad firmware update displays a pink progress bar*  -*Figure 17. The Surface TCON firmware update displays a light gray progress bar* +*Figure 18. The Surface TCON firmware update displays a light gray progress bar*  -*Figure 18. The Surface TPM firmware update displays a purple progress bar* +*Figure 19. The Surface TPM firmware update displays a purple progress bar* >[!NOTE] @@ -208,7 +213,7 @@ When you update Surface device firmware, by using either Windows Update or manua  -*Figure 19. Surface boot screen that indicates Secure Boot has been disabled in Surface UEFI settings* +*Figure 20. Surface boot screen that indicates Secure Boot has been disabled in Surface UEFI settings* ## Related topics diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index df3918d715..a64fb3cc4f 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md @@ -7,7 +7,6 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 06/11/2019 ms.reviewer: cottmca manager: dansimp ms.localizationpriority: medium @@ -34,7 +33,8 @@ Before you run the diagnostic tool, make sure you have the latest Windows update 2. Select Run and follow the on-screen instructions. For full details, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business). The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required. -# If you still need help + +## If you still need help If the Surface Diagnostic Toolkit for Business didn’t fix the problem, you can also: diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index aac758fa29..e872ddc649 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -1,6 +1,6 @@ --- title: Microsoft Surface Dock Firmware Update -description: This article explains how to use Microsoft Surface Dock Firmware Update, newly redesigned to update Surface Dock firmware while running in the background on your Surface device. +description: This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device. ms.localizationpriority: medium ms.prod: w10 ms.mktglfcycl: manage @@ -11,6 +11,7 @@ ms.topic: article ms.reviewer: scottmca manager: dansimp ms.audience: itpro +ms.date: 02/07/2020 --- # Microsoft Surface Dock Firmware Update @@ -32,17 +33,19 @@ This section is optional and provides an overview of how to monitor installation To monitor the update: 1. Open Event Viewer, browse to **Windows Logs > Application**, and then under **Actions** in the right-hand pane click **Filter Current Log**, enter **SurfaceDockFwUpdate** next to **Event sources**, and then click **OK**. + 2. Type the following command at an elevated command prompt: - ```cmd - Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters" - ``` + ```cmd + Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters" + ``` 3. Install the update as described in the [next section](#install-the-surface-dock-firmware-update) of this article. + 4. Event 2007 with the following text indicates a successful update: **Firmware update finished. hr=0 DriverTelementry EventCode = 2007**. - - If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current. + - If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current. 5. When the update is complete, updated DWORD values will be displayed in the Windows Registry, corresponding to the current version of the tool. See the [Versions reference](#versions-reference) section in this article for details. For example: - - Component10CurrentFwVersion 0x04ac3970 (78395760) - - Component20CurrentFwVersion 0x04915a70 (76634736) + - Component10CurrentFwVersion 0x04ac3970 (78395760) + - Component20CurrentFwVersion 0x04915a70 (76634736) >[!TIP] >If you see "The description for Event ID xxxx from source SurfaceDockFwUpdate cannot be found" in event text, this is expected and can be ignored. @@ -52,8 +55,8 @@ To monitor the update: This section describes how to install the firmware update. 1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703). - - The update requires a Surface device running Windows 10, version 1803 or later. - - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update. + - The update requires a Surface device running Windows 10, version 1803 or later. + - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update. 2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted. @@ -68,10 +71,10 @@ You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firm msiexec /i "\\share\folder\Surface_Dock_FwUpdate_1.42.139_Win10_17134_19.084.31680_0.msi" /quiet /norestart ``` -> [!NOTE] -> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]". For example: Msiexec.exe /i \
From a recovery partition
Lets you boot into DaRT without needing a CD, DVD, or UFD that includes instances in which there is no network connectivity.
-Also, can be implemented and managed as part of your standard Windows image process by using automated distribution tools, such as System Center Configuration Manager.
Also, can be implemented and managed as part of your standard Windows image process by using automated distribution tools, such as Microsoft Endpoint Configuration Manager.
When updating DaRT, requires you to update all computers in your enterprise instead of just one partition (on the network) or device (CD, DVD, or UFD).
For third-party MDM providers or management servers, check your product documentation. diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md index 2855e4cd43..0c9d5e23e1 100644 --- a/store-for-business/troubleshoot-microsoft-store-for-business.md +++ b/store-for-business/troubleshoot-microsoft-store-for-business.md @@ -51,7 +51,7 @@ The private store for your organization is a page in Microsoft Store app that co  -## Troubleshooting Microsoft Store for Business integration with System Center Configuration Manager +## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager If you encounter any problems when integrating Microsoft Store for Business with Configuration Manager, use the [troubleshooting guide](https://support.microsoft.com/help/4010214/understand-and-troubleshoot-microsoft-store-for-business-integration-w). diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index eb84b6e2b7..2e77179b7c 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -48,7 +48,7 @@ For detailed instructions on how to create virtual application packages using Ap You can deploy Office 2010 packages by using any of the following App-V deployment methods: -* System Center Configuration Manager +* Microsoft Endpoint Configuration Manager * App-V server * Stand-alone through Windows PowerShell commands diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index 6fa996507f..40175562d2 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -246,7 +246,7 @@ Use the following information to publish an Office package. Deploy the App-V package for Office 2013 by using the same methods you use for any other package: -* System Center Configuration Manager +* Microsoft Endpoint Configuration Manager * App-V Server * Stand-alone through Windows PowerShell commands @@ -284,10 +284,10 @@ Use the steps in this section to enable Office plug-ins with your Office package #### To enable plug-ins for Office App-V packages -1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a Windows PowerShell cmdlet. +1. Add a Connection Group through App-V Server, Microsoft Endpoint Configuration Manager, or a Windows PowerShell cmdlet. 2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It's a good idea to use Office 365 ProPlus (non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins. 3. Create an App-V package that includes the desired plug-ins. -4. Add a Connection Group through App-V Server, System Center Configuration Manager, or a Windows PowerShell cmdlet. +4. Add a Connection Group through App-V Server, Configuration Manager, or a Windows PowerShell cmdlet. 5. Add the Office 2013 App-V package and the plug-ins package you sequenced to the Connection Group you created. >[!IMPORTANT] diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index ce7303bbf8..8f016604df 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -230,7 +230,7 @@ Use the following information to publish an Office package. Deploy the App-V package for Office 2016 by using the same methods as the other packages that you've already deployed: -* System Center Configuration Manager +* Microsoft Endpoint Configuration Manager * App-V Server * Stand-alone through Windows PowerShell commands @@ -267,10 +267,10 @@ The following steps will tell you how to enable Office plug-ins with your Office #### Enable plug-ins for Office App-V packages -1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a Windows PowerShell cmdlet. +1. Add a Connection Group through App-V Server, Microsoft Endpoint Configuration Manager, or a Windows PowerShell cmdlet. 2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer that will be used to sequence the plug-in. We recommend that you use Office 365 ProPlus (non-virtual) on the sequencing computer when sequencing Office 2016 plug-ins. 3. Create an App-V package that includes the plug-ins you want. -4. Add a Connection Group through the App-V Server, System Center Configuration Manager, or a Windows PowerShell cmdlet. +4. Add a Connection Group through the App-V Server, Configuration Manager, or a Windows PowerShell cmdlet. 5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created. >[!IMPORTANT] diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index 7c682239c3..49e7266314 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -16,7 +16,7 @@ ms.topic: article >Applies to: Windows 10, version 1607 -If you are using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with System Center Configuration Manager, see [Introduction to application management in Configuration Manager](https://technet.microsoft.com/library/gg682125.aspx#BKMK_Appv). +If you are using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Endpoint Configuration Manager, see [Introduction to application management in Configuration Manager](https://technet.microsoft.com/library/gg682125.aspx#BKMK_Appv). Review the following component and architecture requirements options that apply when you use an ESD to deploy App-V packages: diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index 3befc157bd..b1a6caca2c 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -44,7 +44,7 @@ Each method accomplishes essentially the same task, but some methods may be bett To add a locally installed application to a package or to a connection group’s virtual environment, you add a subkey to the `RunVirtual` registry key in the Registry Editor, as described in the following sections. -There is no Group Policy setting available to manage this registry key, so you have to use System Center Configuration Manager or another electronic software distribution (ESD) system, or manually edit the registry. +There is no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Configuration Manager or another electronic software distribution (ESD) system, or manually edit the registry. Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages globally or to the user. diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md index 2dce846fd9..a39eca9e4d 100644 --- a/windows/application-management/app-v/appv-supported-configurations.md +++ b/windows/application-management/app-v/appv-supported-configurations.md @@ -117,9 +117,9 @@ The following table lists the operating systems that the App-V Sequencer install See the Windows or Windows Server documentation for the hardware requirements. -## Supported versions of System Center Configuration Manager +## Supported versions of Microsoft Endpoint Configuration Manager -The App-V client works with System Center Configuration Manager versions starting with Technical Preview for System Center Configuration Manager, version 1606. +The App-V client works with Configuration Manager versions starting with Technical Preview for System Center Configuration Manager, version 1606. ## Related topics diff --git a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md index d176e86059..cab2bb9669 100644 --- a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md +++ b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md @@ -16,7 +16,7 @@ ms.topic: article > Applies to: Windows 10 -When you have a new version of an application, how do you get that to the Windows 10 Mobile devices in your environment? With [application supersedence in System Center Configuration Manager](/sccm/apps/deploy-use/revise-and-supersede-applications#application-supersedence). +When you have a new version of an application, how do you get that to the Windows 10 Mobile devices in your environment? With [application supersedence in Microsoft Endpoint Configuration Manager](/configmgr/apps/deploy-use/revise-and-supersede-applications#application-supersedence). There are two steps to deploy an app upgrade: @@ -58,4 +58,4 @@ You don't need to delete the deployment associated with the older version of the  -If you haven't deployed an app through Configuration Manager before, check out [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications). You can also see how to delete deployments (although you don't have to) and notify users about the upgraded app. +If you haven't deployed an app through Configuration Manager before, check out [Deploy applications with Microsoft Endoint Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). You can also see how to delete deployments (although you don't have to) and notify users about the upgraded app. diff --git a/windows/application-management/media/app-upgrade-cm-console.png b/windows/application-management/media/app-upgrade-cm-console.png index 8681e2fb39..2ce9cd411e 100644 Binary files a/windows/application-management/media/app-upgrade-cm-console.png and b/windows/application-management/media/app-upgrade-cm-console.png differ diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 3afcb4da3f..54f8565c87 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -69,7 +69,7 @@ In organizations that have integrated Active Directory and Azure AD, you can con - Password - Smartcards -- Windows Hello for Business, if the domain is managed by System Center Configuration Manager +- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager In organizations that have integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network using: diff --git a/windows/client-management/images/windows-10-management-range-of-options.png b/windows/client-management/images/windows-10-management-range-of-options.png index e4de546709..c37b489954 100644 Binary files a/windows/client-management/images/windows-10-management-range-of-options.png and b/windows/client-management/images/windows-10-management-range-of-options.png differ diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index fad72959e6..7d344924f1 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -42,7 +42,7 @@ You can use the same management tools to manage all device types running Windows ## Learn more -[How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx) +[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx) [Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/) diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index c6fe7134c8..45de1ade9b 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -21,7 +21,7 @@ Use of personal devices for work, as well as employees working outside the offic Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist. -Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as System Center Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. +Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance. @@ -46,7 +46,7 @@ Windows 10 offers a range of management options, as shown in the following diagr
-As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and System Center Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and Microsoft Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
## Deployment and Provisioning
@@ -57,7 +57,7 @@ With Windows 10, you can continue to use traditional OS deployment, but you can
- Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
-- Use traditional imaging techniques such as deploying custom images using [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction).
+- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/understand/introduction).
You have multiple options for [upgrading to Windows 10](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
@@ -86,7 +86,7 @@ You can envision user and device management as falling into these two categories
- Windows Hello
- Domain joined PCs and tablets can continue to be managed with the [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) client or Group Policy.
+ Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](https://docs.microsoft.com/configmgr/core/understand/introduction) client or Group Policy.
For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/).
@@ -100,7 +100,7 @@ Your configuration requirements are defined by multiple factors, including the l
**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go.
-**Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices:
+**Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices:
- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows.
@@ -128,10 +128,10 @@ There are a variety of steps you can take to begin the process of modernizing de
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Starting with Configuration Manager 1710, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details:
-- [Co-management for Windows 10 devices](https://docs.microsoft.com/sccm/core/clients/manage/co-management-overview)
-- [Prepare Windows 10 devices for co-management](https://docs.microsoft.com/sccm/core/clients/manage/co-management-prepare)
-- [Switch Configuration Manager workloads to Intune](https://docs.microsoft.com/sccm/core/clients/manage/co-management-switch-workloads)
-- [Co-management dashboard in System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/co-management-dashboard)
+- [Co-management for Windows 10 devices](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-overview)
+- [Prepare Windows 10 devices for co-management](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-prepare)
+- [Switch Configuration Manager workloads to Intune](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-switch-workloads)
+- [Co-management dashboard in Configuration Manager](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-dashboard)
## Related topics
diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md
index 7c1c0a5050..cd4c993d17 100644
--- a/windows/client-management/mdm/appv-deploy-and-config.md
+++ b/windows/client-management/mdm/appv-deploy-and-config.md
@@ -15,7 +15,7 @@ manager: dansimp
## Executive summary
-Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.
+Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Configuration Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.
MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 0a9fa5c02f..24d475d6e4 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -31,7 +31,7 @@ For personal devices (BYOD): ### Azure AD Join -Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as System Center Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM. +Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Endpoint Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM. Windows 10 introduces a new way to configure and deploy corporate owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller. diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index aab7f8755b..1ed78230d4 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: lomayor -ms.date: 06/26/2017 +ms.date: 02/28/2020 --- # CertificateStore CSP @@ -144,7 +144,13 @@ Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) f Supported operations are Get, Add, Delete, and Replace. **My/SCEP/*UniqueID*/Install/SubjectName** -Required. Specifies the subject name. Value type is chr. +Required. Specifies the subject name. + +The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). + +For more details, see [CertNameToStrA function](https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + +Value type is chr. Supported operations are Get, Add, Delete, and Replace. diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 41612181c5..8837ad757e 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 10/16/2018 +ms.date: 02/28/2020 --- # ClientCertificateInstall CSP @@ -29,32 +29,32 @@ The following image shows the ClientCertificateInstall configuration service pro  -**Device or User** -For device certificates, use ./Device/Vendor/MSFT path and for user certificates use ./User/Vendor/MSFT path. +**Device or User** +For device certificates, use ./Device/Vendor/MSFT path and for user certificates use ./User/Vendor/MSFT path. -**ClientCertificateInstall** -
The root node for the ClientCertificateInstaller configuration service provider. +**ClientCertificateInstall** +The root node for the ClientCertificateInstaller configuration service provider. -**ClientCertificateInstall/PFXCertInstall** -
Required for PFX certificate installation. The parent node grouping the PFX certificate related settings. +**ClientCertificateInstall/PFXCertInstall** +Required for PFX certificate installation. The parent node grouping the PFX certificate related settings. -
Supported operation is Get. +Supported operation is Get. -**ClientCertificateInstall/PFXCertInstall/***UniqueID* -
Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +**ClientCertificateInstall/PFXCertInstall/***UniqueID* +Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. -
The data type format is node. +The data type format is node. -
Supported operations are Get, Add, and Replace. +Supported operations are Get, Add, and Replace. -
Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob. +Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation** -
Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation** +Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. -
Supported operations are Get, Add, and Replace. +Supported operations are Get, Add, and Replace. -
The data type is an integer corresponding to one of the following values: +The data type is an integer corresponding to one of the following values: | Value | Description | |-------|---------------------------------------------------------------------------------------------------------------| @@ -64,225 +64,229 @@ The following image shows the ClientCertificateInstall configuration service pro | 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified | -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** -
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** +Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail. -
Date type is string. +Date type is string. -
Supported operations are Get, Add, Delete, and Replace. +Supported operations are Get, Add, Delete, and Replace. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob** -
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob** +CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation. -
The data type format is binary. +The data type format is binary. -
Supported operations are Get, Add, and Replace. +Supported operations are Get, Add, and Replace. -
If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten. +If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten. -
If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail. +If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail. -
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword** -
Password that protects the PFX blob. This is required if the PFX is password protected. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword** +Password that protects the PFX blob. This is required if the PFX is password protected. -
Data Type is a string. +Data Type is a string. -
Supported operations are Get, Add, and Replace. +Supported operations are Get, Add, and Replace. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType** -
Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType** +Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server. -
The data type is int. Valid values: +The data type is int. Valid values: - 0 - Password is not encrypted. - 1 - Password is encrypted with the MDM certificate. - 2 - Password is encrypted with custom certificate. -
When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting. +When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting. -
Supported operations are Get, Add, and Replace. +Supported operations are Get, Add, and Replace. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** -
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** +Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM. > **Note** You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. -
The data type bool. +The data type bool. -
Supported operations are Get, Add, and Replace. +Supported operations are Get, Add, and Replace. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint** -
Returns the thumbprint of the installed PFX certificate. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint** +Returns the thumbprint of the installed PFX certificate. -
The datatype is a string. +The datatype is a string. -
Supported operation is Get. +Supported operation is Get. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status** -
Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status** +Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. -
Data type is an integer. +Data type is an integer. -
Supported operation is Get. +Supported operation is Get. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore** -
Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore** +Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, and Replace. +Supported operations are Add, Get, and Replace. -**ClientCertificateInstall/SCEP** -
Node for SCEP. +**ClientCertificateInstall/SCEP** +Node for SCEP. > **Note** An alert is sent after the SCEP certificate is installed. -**ClientCertificateInstall/SCEP/***UniqueID* -
A unique ID to differentiate different certificate installation requests. +**ClientCertificateInstall/SCEP/***UniqueID* +A unique ID to differentiate different certificate installation requests. -**ClientCertificateInstall/SCEP/*UniqueID*/Install** -
A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. +**ClientCertificateInstall/SCEP/*UniqueID*/Install** +A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. -
Supported operations are Get, Add, Replace, and Delete. +Supported operations are Get, Add, Replace, and Delete. > **Note** Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** -
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. - -
Data type is string. - -
Supported operations are Get, Add, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge** -
Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted. - -
Data type is string. - -
Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping** -
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus +. For example, OID1+OID2+OID3. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** +Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. Data type is string. -
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesn’t have those bits set, the configuration will fail. -
Data type is int. +Supported operations are Get, Add, Delete, and Replace. -
Supported operations are Add, Get, Delete, and Replace. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge** +Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** -
Required. Specifies the subject name. +Data type is string. -
Data type is string. +Supported operations are Add, Get, Delete, and Replace. -
Supported operations are Add, Get, and Replace. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping** +Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus +. For example, OID1+OID2+OID3. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** -
Optional. Specifies where to keep the private key. +Data type is string. +Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesn’t have those bits set, the configuration will fail. + +Data type is int. + +Supported operations are Add, Get, Delete, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** +Required. Specifies the subject name. + +The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). + +For more details, see [CertNameToStrA function](https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + +Data type is string. + +Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** +Optional. Specifies where to keep the private key. > **Note** Even if the private key is protected by TPM, it is not protected with a TPM PIN. -
The data type is an integer corresponding to one of the following values: +The data type is an integer corresponding to one of the following values: | Value | Description | |-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 | Private key protected by TPM. | | 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. | | 3 | (Default) Private key saved in software KSP. | -| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specifed, otherwise enrollment will fail. | +| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** -
Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** +Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. -
Supported operations are Add, Get, Delete, and Replace. Value type is integer. + Supported operations are Add, Get, Delete, and Replace. Value type is integer. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay** -
Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay** +Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes. -
Data type format is an integer. +Data type format is an integer. -
The default value is 5. +The default value is 5. -
The minimum value is 1. +The minimum value is 1. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount** -
Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount** +Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status. -
Data type is integer. +Data type is integer. -
Default value is 3. +Default value is 3. -
Maximum value is 30. If the value is larger than 30, the device will use 30. +Maximum value is 30. If the value is larger than 30, the device will use 30. -
Minimum value is 0, which indicates no retry. +Minimum value is 0, which indicates no retry. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName** -
Optional. OID of certificate template name. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName** +Optional. OID of certificate template name. > **Note** This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength** -
Required for enrollment. Specify private key length (RSA). +**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength** +Required for enrollment. Specify private key length (RSA). -
Data type is integer. +Data type is integer. -
Valid values are 1024, 2048, and 4096. +Valid values are 1024, 2048, and 4096. -
For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length. +For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm** -
Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with +. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm** +Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with +. -
For Windows Hello for Business, only SHA256 is the supported algorithm. +For Windows Hello for Business, only SHA256 is the supported algorithm. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint** -
Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint** +Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames** -
Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames** +Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information. -
Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2]. +Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2]. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod** -
Optional. Specifies the units for the valid certificate period. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod** +Optional. Specifies the units for the valid certificate period. -
Data type is string. +Data type is string. -
Valid values are: +Valid values are: - Days (Default) - Months @@ -291,61 +295,61 @@ Data type is string. > **Note** The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** -
Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** +Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. -
Data type is string. +Data type is string. >**Note** The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName** -
Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName** +Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt** -
Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt** +Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll** -
Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll** +Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added. -
The date type format is Null, meaning this node doesn’t contain a value. +The date type format is Null, meaning this node doesn’t contain a value. -
The only supported operation is Execute. +The only supported operation is Execute. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList** -
Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList** +Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint** -
Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. +**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint** +Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. -
If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string. +If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string. -
Data type is string. +Data type is string. -
The only supported operation is Get. +The only supported operation is Get. -**ClientCertificateInstall/SCEP/*UniqueID*/Status** -
Required. Specifies latest status of the certificated during the enrollment request. +**ClientCertificateInstall/SCEP/*UniqueID*/Status** +Required. Specifies latest status of the certificated during the enrollment request. -
Data type is string. Valid values: +Data type is string. Valid values: -
The only supported operation is Get. +The only supported operation is Get. | Value | Description | |-------|---------------------------------------------------------------------------------------------------| @@ -355,17 +359,17 @@ Data type is string. | 32 | Unknown | -**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode** -
Optional. An integer value that indicates the HRESULT of the last enrollment error code. +**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode** +Optional. An integer value that indicates the HRESULT of the last enrollment error code. -
The only supported operation is Get. +The only supported operation is Get. **ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl** -
Required. Returns the URL of the SCEP server that responded to the enrollment request. +Required. Returns the URL of the SCEP server that responded to the enrollment request. -
Data type is string. +Data type is string. -
The only supported operation is Get.
+The only supported operation is Get.
## Example
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index b1c7501096..ad7b6964a4 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What is dmwappushsvc?](#what-is-dmwappushsvc)
- **Change history in MDM documentation**
+ - [February 2020](#february-2020)
- [January 2020](#january-2020)
- [November 2019](#november-2019)
- [October 2019](#october-2019)
@@ -1936,6 +1937,11 @@ How do I turn if off? | The service can be stopped from the "Services" console o
## Change history in MDM documentation
+### February 2020
+|New or updated topic | Description|
+|--- | ---|
+|[CertificateStore CSP](certificatestore-csp.md)
[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)|Added details about SubjectName value.|
+
### January 2020
|New or updated topic | Description|
|--- | ---|
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index adff5f8a8b..475db540e0 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -127,11 +127,10 @@ Here is an example:
[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
-
[Change history for Device Security](/windows/device-security/change-history-for-device-security)
-
[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
-
+[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection)
+[Change history for Device Security](/windows/device-security/change-history-for-device-security)
+[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection)
## Related topics
diff --git a/windows/deployment/deploy-windows-mdt/TOC.md b/windows/deployment/deploy-windows-mdt/TOC.md
new file mode 100644
index 0000000000..7f51b8ca5b
--- /dev/null
+++ b/windows/deployment/deploy-windows-mdt/TOC.md
@@ -0,0 +1,22 @@
+# Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT)
+## [Get started with MDT](get-started-with-the-microsoft-deployment-toolkit.md)
+
+## Deploy Windows 10 with MDT
+### [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+### [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+### [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+### [Perform an in-place upgrade to Windows 10 with MDT](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+
+## Customize MDT
+### [Configure MDT settings](configure-mdt-settings.md)
+### [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+### [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+### [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+### [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+### [Use web services in MDT](use-web-services-in-mdt.md)
+### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index f0259285ae..af7e1accf8 100644
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
@@ -21,15 +21,19 @@ ms.topic: article
**Applies to**
- Windows 10
-In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of the deployment solution. With images reaching 5 GB in size or more, you can't deploy machines in a remote office over the wire. You need to replicate the content, so that the clients can do local deployments.
+Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments.
-We will use four machines for this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0006 is a blank machine to which you will deploy Windows 10. You will configure a second deployment server (MDT02) for a remote site (Stockholm) by replicating the deployment share in the original site (New York). MDT01, MDT02, and PC0006 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we will deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation.
+
+For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more details on the infrastructure setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-Figure 1. The machines used in this topic.
+Computers used in this topic.
-## Replicate deployment shares
+>HV01 is also used in this topic to host the PC0006 virtual machine.
+
+## Replicate deployment shares
Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content.
@@ -42,60 +46,88 @@ LDS is a built-in feature in MDT for replicating content. However, LDS works bes
### Why DFS-R is a better option
-DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication target(s) as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02.
+DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02.
-## Set up Distributed File System Replication (DFS-R) for replication
+## Set up Distributed File System Replication (DFS-R) for replication
-Setting up DFS-R for replication is a quick and straightforward process. You prepare the deployment servers and then create a replication group. To complete the setup, you configure some replication settings.
+Setting up DFS-R for replication is a quick and straightforward process: Prepare the deployment servers, create a replication group, then configure some replication settings.
### Prepare MDT01 for replication
-1. On MDT01, using Server Manager, click **Add roles and features**.
-2. On the **Select installation type** page, select **Role-based or feature-based installation**.
-3. On the **Select destination server** page, select **MDT01.contoso.com** and click **Next**.
-4. On the **Select server roles** page, expand **File and Storage Services (Installed)** and expand **File and iSCSI Services (Installed)**.
-5. In the **Roles** list, select **DFS Replication**. In the **Add Roles and Features Wizard** dialog box, select **Add Features**, and then click **Next**.
+On **MDT01**:
- 
+1. Install the DFS Replication role on MDT01 by entering the following at an elevated Windows PowerShell prompt:
- Figure 2. Adding the DFS Replication role to MDT01.
+```powershell
+Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+```
-6. On the **Select features** page, accept the default settings, and click **Next**.
-7. On the **Confirm installation selections** page, click **Install**.
-8. On the **Installation progress** page, click **Close**.
+2. Wait for installation to comlete, and then verify that the installation was successful. See the following output:
+
+```output
+PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+
+Success Restart Needed Exit Code Feature Result
+------- -------------- --------- --------------
+True No Success {DFS Replication, DFS Management Tools, Fi...
+```
### Prepare MDT02 for replication
-1. On MDT02, using Server Manager, click **Add roles and features**.
-2. On the **Select installation type** page, select **Role-based or feature-based installation**.
-3. On the **Select destination server** page, select **MDT02.contoso.com** and click **Next**.
-4. On the **Select server roles** page, expand **File and Storage Services (Installed)** and expand **File and iSCSI Services (Installed)**.
-5. In the **Roles** list, select **DFS Replication**. In the **Add Roles and Features Wizard** dialog box, select **Add Features**, and then click **Next**.
-6. On the **Select features** page, accept the default settings, and click **Next**.
-7. On the **Confirm installation selections** page, click **Install**.
-8. On the **Installation progress** page, click **Close**.
+On **MDT02**:
+
+1. Perform the same procedure on MDT02 by entering the following at an elevated Windows PowerShell prompt:
+
+```powershell
+Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+```
+
+2. Wait for installation to comlete, and then verify that the installation was successful. See the following output:
+
+```output
+PS C:\> Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+
+Success Restart Needed Exit Code Feature Result
+------- -------------- --------- --------------
+True No Success {DFS Replication, DFS Management Tools, Fi...
+```
### Create the MDTProduction folder on MDT02
-1. On MDT02, using File Explorer, create the **E:\\MDTProduction** folder.
-2. Share the **E:\\MDTProduction** folder as **MDTProduction$**. Use the default permissions.
+On **MDT02**:
- 
+1. Create and share the **D:\\MDTProduction** folder using default permissions by entering the following at an elevated command prompt:
- Figure 3. Sharing the **E:\\MDTProduction folder** on MDT02.
+```cmd
+mkdir d:\MDTProduction
+New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction"
+```
+
+2. You should see the following output:
+
+```output
+C:\> New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction"
+
+Name ScopeName Path Description
+---- --------- ---- -----------
+MDTProduction$ * D:\MDTProduction
+```
### Configure the deployment share
When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property.
-1. On MDT01, using Notepad, navigate to the **E:\\MDTProduction\\Control** folder and modify the Boostrap.ini file to look like this:
+
+On **MDT01**:
+
+1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use.
```ini
[Settings]
Priority=DefaultGateway, Default
[DefaultGateway]
- 192.168.1.1=NewYork
- 192.168.2.1=Stockholm
+ 10.10.10.1=NewYork
+ 10.10.20.1=Stockholm
[NewYork]
DeployRoot=\\MDT01\MDTProduction$
@@ -106,137 +138,133 @@ When you have multiple deployment servers sharing the same content, you need to
[Default]
UserDomain=CONTOSO
UserID=MDT_BA
+ UserPassword=pass@word1
SkipBDDWelcome=YES
```
-
- > [!NOTE]
- > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local.
- >
- > To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
+ >[!NOTE]
+ >The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
2. Save the Bootstrap.ini file.
-3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**.
-
- 
-
- Figure 4. Updating the MDT Production deployment share.
-
-4. Use the default settings for the Update Deployment Share Wizard.
-5. After the update is complete, use the Windows Deployment Services console. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
+3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes.
+4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
+5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
- Figure 5. Replacing the updated boot image in WDS.
+ Replacing the updated boot image in WDS.
-6. Browse and select the **E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
+ >[!TIP]
+ >If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console.
+
+ ## Replicate the content
- ## Replicate the content
Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication.
### Create the replication group
-7. On MDT01, using DFS Management, right-click **Replication**, and select **New Replication Group**.
-8. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**.
-9. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**.
-10. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**.
+6. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and click **New Replication Group**.
+7. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**.
+8. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**.
+9. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**.
- Figure 6. Adding the Replication Group Members.
+ Adding the Replication Group Members.
-11. On the **Topology Selection** page, select the **Full mesh** option and click **Next**.
-12. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and click **Next**.
-13. On the **Primary Member** page, select **MDT01** and click **Next**.
-14. On the **Folders to Replicate** page, click **Add**, type in **E:\\MDTProduction** as the folder to replicate, click **OK**, and then click **Next**.
-15. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**.
-16. On the **Edit** page, select the **Enabled** option, type in **E:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**.
-
- 
-
- Figure 7. Configure the MDT02 member.
-
-17. On the **Review Settings and Create Replication Group** page, click **Create**.
-18. On the **Confirmation** page, click **Close**.
+10. On the **Topology Selection** page, select the **Full mesh** option and click **Next**.
+11. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and click **Next**.
+12. On the **Primary Member** page, select **MDT01** and click **Next**.
+13. On the **Folders to Replicate** page, click **Add**, enter **D:\\MDTProduction** as the folder to replicate, click **OK**, and then click **Next**.
+14. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**.
+15. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**.
+16. On the **Review Settings and Create Replication Group** page, click **Create**.
+17. On the **Confirmation** page, click **Close**.
### Configure replicated folders
-19. On MDT01, using DFS Management, expand **Replication** and then select **MDTProduction**.
-20. In the middle pane, right-click the **MDT01** member and select **Properties**.
-21. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**:
+18. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**.
+19. In the middle pane, right-click the **MDT01** member and click **Properties**.
+20. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**:
1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**.
- In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Here is a Windows PowerShell example that calculates the size of the 16 largest files in the E:\\MDTProduction deployment share:
+ In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Below is a Windows PowerShell example that calculates the size of the 16 largest files in the D:\\MDTProduction deployment share:
``` powershell
- (Get-ChildItem E:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
+ (Get-ChildItem D:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
```
- 
-
- Figure 8. Configure the Staging settings.
-
-22. In the middle pane, right-click the **MDT02** member and select **Properties**.
-23. On the **MDT02 (MDTProduction) Properties** page, configure the following and then click **OK**:
+21. In the middle pane, right-click the **MDT02** member and select **Properties**.
+22. On the **MDT02 (MDTProduction) Properties** page, configure the following and then click **OK**:
1. In the **Staging** tab, set the quota to **20480 MB**.
2. In the **Advanced** tab, set the quota to **8192 MB**.
> [!NOTE]
> It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly.
-
+
+23. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt:
+
+```cmd
+C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary
+MemName IsPrimary
+MDT01 Yes
+MDT02 No
+```
+
### Verify replication
-1. On MDT02, wait until you start to see content appear in the **E:\\MDTProduction** folder.
-2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**.
-3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, select **Health report** and click **Next**.
-4. On the **Path and Name** page, accept the default settings and click **Next**.
-5. On the **Members to Include** page, accept the default settings and click **Next**.
-6. On the **Options** page, accept the default settings and click **Next**.
-7. On the **Review Settings and Create Report** page, click **Create**.
-8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
+
+On **MDT02**:
+
+1. Wait until you start to see content appear in the **D:\\MDTProduction** folder.
+2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**.
+3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, choose **Health report** and click **Next**.
+4. On the **Path and Name** page, accept the default settings and click **Next**.
+5. On the **Members to Include** page, accept the default settings and click **Next**.
+6. On the **Options** page, accept the default settings and click **Next**.
+7. On the **Review Settings and Create Report** page, click **Create**.
+8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
-Figure 9. The DFS Replication Health Report.
+The DFS Replication Health Report.
-## Configure Windows Deployment Services (WDS) in a remote site
+>If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**.
+
+## Configure Windows Deployment Services (WDS) in a remote site
Like you did in the previous topic for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02.
-1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**.
-2. Browse to the E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim file and add the image with the default settings.
+1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**.
+2. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
-## Deploy the Windows 10 client to the remote site
+## Deploy a Windows 10 client to the remote site
-Now you should have a solution ready for deploying the Windows 10 client to the remote site, Stockholm, connecting to the MDT Production deployment share replica on MDT02.
+Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure.
+
+>For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the Boostrap.ini file.
1. Create a virtual machine with the following settings:
- 1. Name: PC0006
- 2. Location: C:\\VMs
- 3. Generation: 2
- 4. Memory: 2048 MB
- 5. Hard disk: 60 GB (dynamic disk)
-2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
+ 1. Name: PC0006
+ 2. Location: C:\\VMs
+ 3. Generation: 2
+ 4. Memory: 2048 MB
+ 5. Hard disk: 60 GB (dynamic disk)
+ 6. Install an operating system from a network-based installation server
+2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
- 1. Password: P@ssw0rd
- 2. Select a task sequence to execute on this computer:
- 1. Windows 10 Enterprise x64 RTM Custom Image
- 2. Computer Name: PC0006
- 3. Applications: Select the Install - Adobe Reader XI - x86 application
-4. The setup will now start and do the following:
+ 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
+ 2. Computer Name: PC0006
+ 3. Applications: Select the Install - Adobe Reader
+4. Setup will now start and perform the following:
1. Install the Windows 10 Enterprise operating system.
- 2. Install the added application.
- 3. Update the operating system via your local Windows Server Update Services (WSUS) server.
+ 2. Install applications.
+ 3. Update the operating system using your local Windows Server Update Services (WSUS) server.
+
+
## Related topics
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-
-[Configure MDT settings](configure-mdt-settings.md)
-
-
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index 2b89867e2e..0eac636a76 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -1,6 +1,6 @@
---
title: Configure MDT settings (Windows 10)
-description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities. Learn how to customize your environment.
+description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization.
ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
ms.reviewer:
manager: laurawi
@@ -19,11 +19,11 @@ ms.topic: article
# Configure MDT settings
One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
-For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-Figure 1. The machines used in this topic.
+The computers used in this topic.
## In this section
@@ -38,14 +38,9 @@ Figure 1. The machines used in this topic.
## Related topics
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 9076a17339..45f4bb2bb8 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -1,6 +1,6 @@
---
title: Create a task sequence with Configuration Manager (Windows 10)
-description: Create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
+description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98
ms.reviewer:
manager: laurawi
@@ -23,14 +23,14 @@ ms.topic: article
- Windows 10
-In this topic, you will learn how to create a Microsoft System Center 2012 R2 Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in System Center 2012 R2 Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
+In this topic, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard, both of which are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
## Create a task sequence using the MDT Integration Wizard
-This section walks you through the process of creating a System Center 2012 R2 Configuration Manager task sequence for production use.
+This section walks you through the process of creating a Configuration Manager task sequence for production use.
1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 8e20ab78c8..8a3683e2e2 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -19,60 +19,72 @@ ms.topic: article
# Create a Windows 10 reference image
**Applies to**
-- Windows 10
+- Windows 10
Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution.
-For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation.
>[!NOTE]
->For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-
+>See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information about the server, client, and network infrastructure used in this guide.
-Figure 1. The machines used in this topic.
+For the purposes of this topic, we will use three computers: DC01, MDT01, and HV01.
+ - DC01 is a domain controller for the contoso.com domain.
+ - MDT01 is a contoso.com domain member server.
+ - HV01 is a Hyper-V server that will be used to build the reference image.
+
+ 
+
+ Computers used in this topic.
## The reference image
-The reference image described in this documentation is designed primarily for deployment to physical machines. However, the reference image is created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following:
-- You reduce development time and can use snapshots to test different configurations quickly.
-- You rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related.
-- It ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process.
-- It's easy to move between lab, test, and production.
+The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following:
+- To reduce development time and can use snapshots to test different configurations quickly.
+- To rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related.
+- To ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process.
+- The image is easy to move between lab, test, and production.
-## Set up the MDT build lab deployment share
+## Set up the MDT build lab deployment share
-With Windows 10, there is no hard requirement to create reference images; however, to reduce the time needed for deployment, you may want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
+With Windows 10, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
### Create the MDT build lab deployment share
-- On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd.
+On **MDT01**:
+
+- Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic).
+- Start the MDT deployment workbench, and pin this to the taskbar for easy access.
- Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
- Use the following settings for the New Deployment Share Wizard:
-- Deployment share path: E:\\MDTBuildLab
-- Share name: MDTBuildLab$
-- Deployment share description: MDT Build Lab
-- <default>
-- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share.
+ - Deployment share path: **D:\\MDTBuildLab**
+ - Share name: **MDTBuildLab$**
+ - Deployment share description: **MDT Build Lab**
+- Accept the default selections on the Options page and click **Next**.
+- Review the Summary page, click **Next**, wait for the deployment share to be created, then click **Finish**.
+- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share.
-
+ 
-Figure 2. The Deployment Workbench with the MDT Build Lab deployment share created.
+ The Deployment Workbench with the MDT Build Lab deployment share.
+
+### Enable monitoring
+
+To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, click **Properties**, click the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional.
### Configure permissions for the deployment share
-In order to write the reference image back to the deployment share, you need to assign Modify permissions to the MDT Build Account (MDT\_BA) for the **Captures** subfolder in the **E:\\MDTBuildLab** folder
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Modify the NTFS permissions for the **E:\\MDTBuildLab\\Captures** folder by running the following command in an elevated Windows PowerShell prompt:
+In order to read files in the deployment share and write the reference image back to it, you need to assign NTSF and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder
- ```
- icacls E:\MDTBuildLab\Captures /grant '"MDT_BA":(OI)(CI)(M)'
+On **MDT01**:
+
+1. Ensure you are signed in as **contoso\\administrator**.
+2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt:
+
+ ``` syntax
+ icacls "D:\MDTBuildLab" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
+ grant-smbshareaccess -Name MDTBuildLab$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
```
-
-
-Figure 3. Permissions configured for the MDT\_BA user.
-
-## Add the setup files
+## Add setup files
This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.
@@ -85,211 +97,205 @@ MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images t
### Add Windows 10 Enterprise x64 (full source)
-In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the **E:\\Downloads\\Windows 10 Enterprise x64** folder.
+On **MDT01**:
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
-3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
-4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
-5. Full set of source files
-6. Source directory: E:\\Downloads\\Windows 10 Enterprise x64
-7. Destination directory name: W10EX64RTM
-8. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image**
+1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD.
-
+ 
-Figure 4. The imported Windows 10 operating system after renaming it.
+2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
+3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
+4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
+ - Full set of source files
+ - Source directory: (location of your source files)
+ - Destination directory name: W10EX64RTM
+5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.
-## Add applications
+ 
-Before you create an MDT task sequence, you need to add all of the applications and other sample scripts to the MDT Build Lab share.
+>Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work.
-The steps in this section use a strict naming standard for your MDT applications. You add the "Install - " prefix for typical application installations that run a setup installer of some kind, and you use the "Configure - " prefix when an application configures a setting in the operating system. You also add an " - x86", " - x64", or "- x86-x64" suffix to indicate the application's architecture (some applications have installers for both architectures). Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency.
-By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments. In this topic's step-by-step sections, you will add the following applications:
+## Add applications
-- Install - Microsoft Office 2013 Pro Plus - x86
-- Install - Microsoft Silverlight 5.0 - x64
-- Install - Microsoft Visual C++ 2005 SP1 - x86
-- Install - Microsoft Visual C++ 2005 SP1 - x64
-- Install - Microsoft Visual C++ 2008 SP1 - x86
-- Install - Microsoft Visual C++ 2008 SP1 - x64
-- Install - Microsoft Visual C++ 2010 SP1 - x86
-- Install - Microsoft Visual C++ 2010 SP1 - x64
-- Install - Microsoft Visual C++ 2012 Update 4 - x86
-- Install - Microsoft Visual C++ 2012 Update 4 - x64
+Before you create an MDT task sequence, you need to add any applications and scripts you wish to install to the MDT Build Lab share.
-In these examples, we assume that you downloaded the software in this list to the E:\\Downloads folder. The first application is added using the UI, but because MDT supports Windows PowerShell, you add the other applications using Windows PowerShell.
+On **MDT01**:
+
+First, create an MDT folder to store the Microsoft applications that will be installed:
+
+1. In the MDT Deployment Workbench, expand **Deployment Shares \\ MDT Build Lab \\ Applications**
+2. Right-click **Applications** and then click **New Folder**.
+3. Under **Folder name**, type **Microsoft**.
+4. Click **Next** twice, and then click **Finish**.
+
+The steps in this section use a strict naming standard for your MDT applications.
+- Use the "Install - " prefix for typical application installations that run a setup installer of some kind,
+- Use the "Configure - " prefix when an application configures a setting in the operating system.
+- You also add an " - x86", " - x64", or "- x86-x64" suffix to indicate the application's architecture (some applications have installers for both architectures).
+
+Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency.
+
+By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments.
+
+In example sections, you will add the following applications:
+
+- Install - Microsoft Office 365 Pro Plus - x64
+- Install - Microsoft Visual C++ Redistributable 2019 - x86
+- Install - Microsoft Visual C++ Redistributable 2019 - x64
+
+>The 64-bit version of Microsoft Office 365 Pro Plus is recommended unless you need legacy app support. For more information, see [Choose between the 64-bit or 32-bit version of Office](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261)
+
+Download links:
+- [Office Deployment Tool](https://www.microsoft.com/download/details.aspx?id=49117)
+- [Microsoft Visual C++ Redistributable 2019 - x86](https://aka.ms/vs/16/release/VC_redist.x86.exe)
+- [Microsoft Visual C++ Redistributable 2019 - x64](https://aka.ms/vs/16/release/VC_redist.x64.exe)
+
+Download all three items in this list to the D:\\Downloads folder on MDT01.
+
+**Note**: For the purposes of this lab, we will leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads).
>[!NOTE]
->All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523).
+>All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
-### Create the install: Microsoft Office Professional Plus 2013 x86
+### Create configuration file: Microsoft Office 365 Professional Plus x64
-You can customize Office 2013. In the volume license versions of Office 2013, there is an Office Customization Tool you can use to customize the Office installation. In these steps we assume you have copied the Office 2013 installation files to the E:\\Downloads\\Office2013 folder.
+1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted.
+2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Office 365 ProPlus that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename.
-### Add the Microsoft Office Professional Plus 2013 x86 installation files
+ For example, you can use the following configuration.xml file, which provides these configuration settings:
+ - Install the 64-bit version of Office 365 ProPlus in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition.
+ - Use the Semi-Annual Channel and get updates directly from the Office CDN on the internet.
+ - Perform a silent installation. You won’t see anything that shows the progress of the installation and you won’t see any error messages.
-After adding the Microsoft Office Professional Plus 2013 x86 application, you then automate its setup by running the Office Customization Tool. In fact, MDT detects that you added the Office Professional Plus 2013 x86 application and creates a shortcut for doing this.
-You also can customize the Office installation using a Config.xml file. But we recommend that you use the Office Customization Tool as described in the following steps, as it provides a much richer way of controlling Office 2013 settings.
-1. Using the Deployment Workbench in the MDT Build Lab deployment share, expand the **Applications / Microsoft** node, and double-click **Install - Microsoft Office 2013 Pro Plus x86**.
-2. In the **Office Products** tab, click **Office Customization Tool**, and click **OK** in the **Information** dialog box.
+ ```xml
+
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 238fd0d31e..3dda80d52e 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -21,113 +21,141 @@ ms.topic: article
**Applies to**
- Windows 10
-This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment.
+This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
-For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0005. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0005 is a blank machine to which you deploy Windows 10. MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation.
+We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules.
-
+For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 and PC0005.
-Figure 1. The machines used in this topic.
+- DC01 is a domain controller
+- MDT01 is a domain member server
+- HV01 is a Hyper-V server
+- PC0005 is a blank device to which we will deploy Windows 10
+
+MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment.
+
+ 
>[!NOTE]
->For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
+>For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-## Step 1: Configure Active Directory permissions
+## Step 1: Configure Active Directory permissions
+
+These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.
+
+On **DC01**:
+
+1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on DC01. This script configures permissions to allow the MDT_JD account to manage computer accounts in the contoso > Computers organizational unit.
+2. Create the MDT_JD service account by running the following command from an elevated Windows PowerShell prompt:
+
+ ```powershell
+ New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
+ ```
+
+3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt:
-These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.
-1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**.
-2. Select the **Service Accounts** organizational unit (OU) and create the MDT\_JD account using the following settings:
- 1. Name: MDT\_JD
- 2. User logon name: MDT\_JD
- 3. Password: P@ssw0rd
- 4. User must change password at next logon: Clear
- 5. User cannot change password: Select
- 6. Password never expires: Select
-3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press **Enter** after each command:
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Set-Location C:\Setup\Scripts
.\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
```
-4. The Set-OUPermissions.ps1 script allows the MDT\_JD user account permissions to manage computer accounts in the Contoso / Computers OU. Below you find a list of the permissions being granted:
- 1. Scope: This object and all descendant objects
- 1. Create Computer objects
- 2. Delete Computer objects
- 2. Scope: Descendant Computer objects
- 1. Read All Properties
- 2. Write All Properties
- 3. Read Permissions
- 4. Modify Permissions
- 5. Change Password
- 6. Reset Password
- 7. Validated write to DNS host name
- 8. Validated write to service principal name
-## Step 2: Set up the MDT production deployment share
+The following is a list of the permissions being granted:
+ a. Scope: This object and all descendant objects
+ b. Create Computer objects
+ c. Delete Computer objects
+ d. Scope: Descendant Computer objects
+ e. Read All Properties
+ f. Write All Properties
+ g. Read Permissions
+ h. Modify Permissions
+ i. Change Password
+ j. Reset Password
+ k. Validated write to DNS host name
+ l. Validated write to service principal name
-When you are ready to deploy Windows 10 in a production environment, you will first create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. For guidance on creating a custom Windows 10 image, see
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
+## Step 2: Set up the MDT production deployment share
+
+Next, create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server.
### Create the MDT production deployment share
+On **MDT01**:
+
The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image:
-1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd.
-2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
-3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction** and click **Next**.
+
+1. Ensure you are signed on as: contoso\administrator.
+2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
-## Step 3: Add a custom image
+### Configure permissions for the production deployment share
+
+To read files in the deployment share, you need to assign NTSF and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTProduction** folder
+
+On **MDT01**:
+
+1. Ensure you are signed in as **contoso\\administrator**.
+2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt:
+
+ ``` syntax
+ icacls "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
+ grant-smbshareaccess -Name MDTProduction$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
+ ```
+
+## Step 3: Add a custom image
The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components.
### Add the Windows 10 Enterprise x64 RTM custom image
-In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image in the E:\\MDTBuildLab\\Captures folder on MDT01.
+In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01.
+
1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
2. Right-click the **Windows 10** folder and select **Import Operating System**.
3. On the **OS Type** page, select **Custom image file** and click **Next**.
-4. On the **Image** page, in the **Source file** text box, browse to **E:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
-5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **E:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
+4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
+5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**.
-7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to match the following: **Windows 10 Enterprise x64 RTM Custom Image**.
+7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
>[!NOTE]
>The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
-
+
-Figure 2. The imported operating system after renaming it.
+## Step 4: Add an application
-## Step 4: Add an application
+When you configure your MDT Build Lab deployment share, you can also add applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example.
-When you configure your MDT Build Lab deployment share, you will also add any applications to the new deployment share before creating your task sequence. This section walks you through the process of adding an application to the MDT Production deployment share using Adobe Reader as an example.
+### Create the install: Adobe Reader DC
-### Create the install: Adobe Reader XI x86
+On **MDT01**:
-In this example, we assume that you have downloaded the Adobe Reader XI installation file (AdbeRdr11000\_eu\_ES.msi) to E:\\Setup\\Adobe Reader on MDT01.
-1. Using the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
-2. Right-click the **Applications** node, and create a new folder named **Adobe**.
-3. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
-4. On the **Application Type** page, select the **Application with source files** option and click **Next**.
-5. On the **Details** page, in the **Application** name text box, type **Install - Adobe Reader XI - x86** and click **Next**.
-6. On the **Source** page, in the **Source Directory** text box, browse to **E:\\Setup\\Adobe Reader XI** and click **Next**.
-7. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader XI - x86** and click **Next**.
-8. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AdbeRdr11000\_eu\_ES.msi /q**, click **Next** twice, and then click **Finish**.
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC1902120058_en_US.exe) to **D:\\setup\\adobe** on MDT01.
+2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
+3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
+4. Right-click the **Applications** node, and create a new folder named **Adobe**.
+5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
+6. On the **Application Type** page, select the **Application with source files** option and click **Next**.
+7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**.
+8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**.
+9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**.
+10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
-
+
-Figure 3. The Adobe Reader application added to the Deployment Workbench.
+The Adobe Reader application added to the Deployment Workbench.
-## Step 5: Prepare the drivers repository
+## Step 5: Prepare the drivers repository
In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:
- Lenovo ThinkPad T420
-- Dell Latitude E6440
+- Dell Latitude 7390
- HP EliteBook 8560w
- Microsoft Surface Pro
For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers.
@@ -139,20 +167,22 @@ For boot images, you need to have storage and network drivers; for the operating
The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use.
-1. On MDT01, using File Explorer, create the **E:\\Drivers** folder.
-2. In the **E:\\Drivers** folder, create the following folder structure:
+On **MDT01**:
+
+1. Using File Explorer, create the **D:\\drivers** folder.
+2. In the **D:\\drivers** folder, create the following folder structure:
1. WinPE x86
2. WinPE x64
3. Windows 10 x64
3. In the new Windows 10 x64 folder, create the following folder structure:
- Dell
- - Latitude E6440
- - HP
+ - Latitude E7450
+ - Hewlett-Packard
- HP EliteBook 8560w
- Lenovo
- - ThinkPad T420 (4178)
+ - ThinkStation P500 (30A6003TUS)
- Microsoft Corporation
- - Surface Pro 3
+ - Surface Laptop
>[!NOTE]
>Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.
@@ -166,16 +196,16 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
2. WinPE x64
3. Windows 10 x64
3. In the **Windows 10 x64** folder, create the following folder structure:
- - Dell Inc.
- - Latitude E6440
+ - Dell
+ - Latitude E7450
- Hewlett-Packard
- HP EliteBook 8560w
- Lenovo
- - 4178
+ - 30A6003TUS
- Microsoft Corporation
- - Surface Pro 3
+ - Surface Laptop
-The preceding folder names are selected because they match the actual make and model values that MDT reads from the machines during deployment. You can find out the model values for your machines via the following command in Windows PowerShell:
+The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell:
``` powershell
Get-WmiObject -Class:Win32_ComputerSystem
@@ -188,87 +218,104 @@ wmic csproduct get name
If you want a more standardized naming convention, try the ModelAliasExit.vbs script from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
-
+
-Figure 4. The Out-of-Box Drivers structure in Deployment Workbench.
+The Out-of-Box Drivers structure in the Deployment Workbench.
### Create the selection profiles for boot image drivers
By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles.
The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can’t locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice.
-1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**.
+
+On **MDT01**:
+
+1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**.
2. In the New Selection Profile Wizard, create a selection profile with the following settings:
1. Selection Profile name: WinPE x86
2. Folders: Select the WinPE x86 folder in Out-of-Box Drivers.
-3. Again, right-click the **Selection Profiles** node, and select **New Selection Profile**.
+ 3. Click **Next**, **Next** and **Finish**.
+3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**.
4. In the New Selection Profile Wizard, create a selection profile with the following settings:
1. Selection Profile name: WinPE x64
2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
+ 3. Click **Next**, **Next** and **Finish**.
-Figure 5. Creating the WinPE x64 selection profile.
+Creating the WinPE x64 selection profile.
### Extract and import drivers for the x64 boot image
Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image.
-In these steps, we assume you have downloaded PROWinx64.exe from Intel.com and saved it to a temporary folder.
-1. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder.
-2. Using File Explorer, create the **E:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
-3. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **E:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
-4. Using Deployment Workbench, expand the **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**. Use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\WinPE x64\\Intel PRO1000**
+On **MDT01**:
+
+1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)).
+2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder.
+ a. **Note**: Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates.
+3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
+4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
+5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**.
### Download, extract, and import drivers
-### For the ThinkPad T420
+### For the Lenovo ThinkStation P500
-For the Lenovo T420 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo T420 model has the 4178B9G model name, meaning the Machine Type is 4178.
+For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
-To get the updates, you download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can download the drivers from the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
+
-In these steps, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever v5.0 to the E:\\Drivers\\Lenovo\\ThinkPad T420 (4178) folder.
+To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
-1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Lenovo** node.
-2. Right-click the **4178** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkPad T420 (4178)**
+In this example, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory.
-### For the Latitude E6440
+On **MDT01**:
-For the Dell Latitude E6440 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544).
+1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node.
+2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
-In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E6440 model to the E:\\Drivers\\Dell\\Latitude E6440 folder.
+The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
-1. On **MDT01**, using the **Deployment Workbench**, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Dell** node.
-2. Right-click the **Latitude E6440** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Dell\\Latitude E6440**
+### For the Latitude E7450
+
+For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544).
+
+In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell\\Latitude E7450** folder.
+
+On **MDT01**:
+
+1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell** node.
+2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell\\Latitude E7450**
### For the HP EliteBook 8560w
For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](https://go.microsoft.com/fwlink/p/?LinkId=619545).
-In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the E:\\Drivers\\Windows 10 x64\\HP\\HP EliteBook 8560w folder.
+In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder.
-1. On **MDT01**, using the **Deployment Workbench**, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Hewlett-Packard** node.
-2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\Windows 10 x64\\HP\\HP EliteBook 8560w**
+On **MDT01**:
-### For the Microsoft Surface Pro 3
+1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node.
+2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
-For the Microsoft Surface Pro model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Pro 3 drivers to the E:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Pro 3 folder.
+### For the Microsoft Surface Laptop
-1. On MDT01, using the Deployment Workbench, in the **MDT Production** node, expand the **Out-Of-Box Drivers** node, and expand the **Microsoft** node.
-2. Right-click the **Surface Pro 3** folder and select **Import Drivers**; use the following setting for the Import Drivers Wizard:
- - Driver source directory: **E:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Pro 3**
+For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder.
-## Step 6: Create the deployment task sequence
+On **MDT01**:
-This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the tasks sequence to enable patching via a Windows Server Update Services (WSUS) server.
+1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node.
+2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
+
+## Step 6: Create the deployment task sequence
+
+This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server.
### Create a task sequence for Windows 10 Enterprise
-1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**.
+On **MDT01**:
+
+1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: W10-X64-001
2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
@@ -278,13 +325,14 @@ This section will show you how to create the task sequence used to deploy your p
6. Specify Product Key: Do not specify a product key at this time
7. Full Name: Contoso
8. Organization: Contoso
- 9. Internet Explorer home page: about:blank
+ 9. Internet Explorer home page: https://www.contoso.com
10. Admin Password: Do not specify an Administrator Password at this time
- ### Edit the Windows 10 task sequence
-3. Right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
-4. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
- 1. Preinstall. After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
+### Edit the Windows 10 task sequence
+
+1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
+2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
+ 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
1. Name: Set DriverGroup001
2. Task Sequence Variable: DriverGroup001
3. Value: Windows 10 x64\\%Make%\\%Model%
@@ -297,89 +345,93 @@ This section will show you how to create the task sequence used to deploy your p
3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action.
4. State Restore. Enable the **Windows Update (Post-Application Installation)** action.
-5. Click **OK**.
+3. Click **OK**.
-
+
-Figure 6. The task sequence for production deployment.
+The task sequence for production deployment.
-## Step 7: Configure the MDT production deployment share
+## Step 7: Configure the MDT production deployment share
In this section, you will learn how to configure the MDT Build Lab deployment share with the rules required to create a simple and dynamic deployment process. This includes configuring commonly used rules and an explanation of how these rules work.
### Configure the rules
-1. On MDT01, using File Explorer, copy the following files from the **D:\\Setup\\Sample Files\\MDT Production\\Control** folder to **E:\\MDTProduction\\Control**. Overwrite the existing files.
- 1. Bootstrap.ini
- 2. CustomSettings.ini
-2. Right-click the **MDT Production** deployment share and select **Properties**.
-3. Select the **Rules** tab and modify using the following information:
+On **MDT01**:
- ```
- [Settings]
- Priority=Default
- [Default]
- _SMSTSORGNAME=Contoso
- OSInstall=YES
- UserDataLocation=AUTO
- TimeZoneName=Pacific Standard Time
- AdminPassword=P@ssw0rd
- JoinDomain=contoso.com
- DomainAdmin=CONTOSO\MDT_JD
- DomainAdminPassword=P@ssw0rd
- MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
- SLShare=\\MDT01\Logs$
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- USMTMigFiles001=MigApp.xml
- USMTMigFiles002=MigUser.xml
- HideShell=YES
- ApplyGPOPack=NO
- WSUSServer=mdt01.contoso.com:8530
- SkipAppsOnUpgrade=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=NO
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=NO
- SkipBitLocker=YES
- SkipSummary=YES
- SkipCapture=YES
- SkipFinalSummary=NO
- ```
-4. Click **Edit Bootstrap.ini** and modify using the following information:
+1. Right-click the **MDT Production** deployment share and select **Properties**.
+2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment):
- ```
- [Settings]
- Priority=Default
- [Default]
- DeployRoot=\\MDT01\MDTProduction$
- UserDomain=CONTOSO
- UserID=MDT_BA
- SkipBDDWelcome=YES
- ```
-5. In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
-6. In the **General** sub tab, configure the following settings:
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ _SMSTSORGNAME=Contoso
+ OSInstall=YES
+ UserDataLocation=AUTO
+ TimeZoneName=Pacific Standard Time
+ AdminPassword=pass@word1
+ JoinDomain=contoso.com
+ DomainAdmin=CONTOSO\MDT_JD
+ DomainAdminPassword=pass@word1
+ MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
+ SLShare=\\MDT01\Logs$
+ ScanStateArgs=/ue:*\* /ui:CONTOSO\*
+ USMTMigFiles001=MigApp.xml
+ USMTMigFiles002=MigUser.xml
+ HideShell=YES
+ ApplyGPOPack=NO
+ WSUSServer=mdt01.contoso.com:8530
+ SkipAppsOnUpgrade=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=NO
+ SkipDomainMembership=YES
+ SkipUserData=YES
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=NO
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipCapture=YES
+ SkipFinalSummary=NO
+ ```
+
+3. Click **Edit Bootstrap.ini** and modify using the following information:
+
+```
+[Settings]
+Priority=Default
+
+[Default]
+DeployRoot=\\MDT01\MDTProduction$
+UserDomain=CONTOSO
+UserID=MDT_BA
+UserPassword=pass@word1
+SkipBDDWelcome=YES
+```
+
+4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
+5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings:
- In the **Lite Touch Boot Image Settings** area:
1. Image description: MDT Production x86
2. ISO file name: MDT Production x86.iso
> [!NOTE]
>
- > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
+ >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
-7. In the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
-8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
-9. In the **General** sub tab, configure the following settings:
+6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
+7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+8. On the **General** sub tab, configure the following settings:
- In the **Lite Touch Boot Image Settings** area:
1. Image description: MDT Production x64
2. ISO file name: MDT Production x64.iso
-10. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
-11. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
-12. Click **OK**.
+9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
+10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
+11. Click **OK**.
>[!NOTE]
>It will take a while for the Deployment Workbench to create the monitoring database and web service.
@@ -387,39 +439,46 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
-Figure 7. The Windows PE tab for the x64 boot image.
+The Windows PE tab for the x64 boot image.
### The rules explained
-The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup and that you do not automate the logon.
+The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
+
+>
+>You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
### The Bootstrap.ini file
-This is the MDT Production Bootstrap.ini without the user credentials (except domain information):
+This is the MDT Production Bootstrap.ini:
```
[Settings]
Priority=Default
+
[Default]
DeployRoot=\\MDT01\MDTProduction$
UserDomain=CONTOSO
UserID=MDT_BA
+UserPassword=pass@word1
SkipBDDWelcome=YES
```
+
### The CustomSettings.ini file
This is the CustomSettings.ini file with the new join domain information:
```
[Settings]
Priority=Default
+
[Default]
_SMSTSORGNAME=Contoso
OSInstall=Y
UserDataLocation=AUTO
TimeZoneName=Pacific Standard Time
-AdminPassword=P@ssw0rd
+AdminPassword=pass@word1
JoinDomain=contoso.com
DomainAdmin=CONTOSO\MDT_JD
-DomainAdminPassword=P@ssw0rd
+DomainAdminPassword=pass@word1
MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
SLShare=\\MDT01\Logs$
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
@@ -444,7 +503,8 @@ SkipCapture=YES
SkipFinalSummary=NO
EventService=http://MDT01:9800
```
-The additional properties to use in the MDT Production rules file are as follows:
+
+Some properties to use in the MDT Production rules file are as follows:
- **JoinDomain.** The domain to join.
- **DomainAdmin.** The account to use when joining the machine to the domain.
- **DomainAdminDomain.** The domain for the join domain account.
@@ -456,33 +516,35 @@ The additional properties to use in the MDT Production rules file are as follows
### Optional deployment share configuration
-If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you
-troubleshoot MDT deployments, as well as troubleshoot Windows itself.
+If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself.
### Add DaRT 10 to the boot images
-If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT, you need to do the following:
-- Install DaRT 10 (part of MDOP 2015 R1).
-- Copy the two tools CAB files (Toolsx86.cab and Toolsx64.cab) to the deployment share.
-- Configure the deployment share to add DaRT.
- In these steps, we assume that you downloaded MDOP 2015 R1 and copied DaRT 10 to the E:\\Setup\\DaRT 10 folder on MDT01.
-- On MDT01, install DaRT 10 (MSDaRT10.msi) using the default settings.
-- Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
-- Copy the Toolsx64.cab file to **E:\\MDTProduction\\Tools\\x64**.
-- Copy the Toolsx86.cab file to **E:\\MDTProduction\\Tools\\x86**.
-- Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
-- In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
-- In the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
+If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following:
- 
+>DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
- Figure 8. Selecting the DaRT 10 feature in the deployment share.
+On **MDT01**:
+
+1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
deleted file mode 100644
index bc6f898741..0000000000
--- a/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10)
-description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
-ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, tools, configure, script
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.pagetype: mdt
-ms.topic: article
----
-
-# Deploy Windows 10 with the Microsoft Deployment Toolkit
-
-**Applies to**
-- Windows 10
-
-This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
-
-The Microsoft Deployment Toolkit is a unified collection of tools, processes, and guidance for automating desktop and server deployment. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the Windows Assessment and Deployment Kit (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
-MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager.
-
-To download the latest version of MDT, visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-## In this section
-
-- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-- [Configure MDT settings](configure-mdt-settings.md)
-
-## Proof-of-concept environment
-
-For the purposes of this guide, and the topics discussed herein, we will use the following servers and client machines: DC01, MDT01, CM01, PC0001, and PC0002.
-
-
-
-Figure 1. The servers and machines used for examples in this guide.
-
-DC01 is a domain controller; the other servers and client machines are members of the domain contoso.com for the fictitious Contoso Corporation.
-
-
-
-Figure 2. The organizational unit (OU) structure used in this guide.
-
-### Server details
-
-- **DC01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as Active Directory Domain Controller, DNS Server, and DHCP Server in the contoso.com domain.
- - Server name: DC01
- - IP Address: 192.168.1.200
- - Roles: DNS, DHCP, and Domain Controller
-- **MDT01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain.
- - Server name: MDT01
- - IP Address: 192.168.1.210
-- **CM01.** A Windows Server 2012 R2 Standard machine, fully patched with the latest security updates, and configured as a member server in the contoso.com domain.
- - Server name: CM01
- - IP Address: 192.168.1.214
-
-### Client machine details
-
-- **PC0001.** A Windows 10 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced as the admin workstation.
- - Client name: PC0001
- - IP Address: DHCP
-- **PC0002.** A Windows 7 SP1 Enterprise x64 machine, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This machine is referenced during the migration scenarios.
- - Client name: PC0002
- - IP Address: DHCP
-
-## Sample files
-
-The information in this guide is designed to help you deploy Windows 10. In order to help you put the information you learn into practice more quickly, we recommend that you download a small set of sample files for the fictitious Contoso Corporation:
-- [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
-- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
-- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.
-
-## Related topics
-
-[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-
-[Windows 10 deployment tools](../windows-deployment-scenarios-and-tools.md)
-
-[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-
-[Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-
-[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
-
-[Volume Activation for Windows 10](../volume-activation/volume-activation-windows-10.md)
-
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index e7742fa773..00c0a446a3 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -1,54 +1,171 @@
----
-title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10)
-description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment.
-ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: deploy, image, feature, install, tools
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Get started with the Microsoft Deployment Toolkit (MDT)
-
-**Applies to**
-- Windows 10
-
-This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager.
-
-In addition to familiarizing you with the features and options available in MDT, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process.
-
-For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see
-[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-
-
-Figure 1. The machines used in this topic.
-
-## In this section
-
-- [Key features in MDT](key-features-in-mdt.md)
-- [MDT Lite Touch components](mdt-lite-touch-components.md)
-- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
-
-## Related topics
-
-[Microsoft Deployment Toolkit downloads and documentation](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-
-[Configure MDT settings](configure-mdt-settings.md)
+---
+title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10)
+description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment.
+ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deploy, image, feature, install, tools
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Get started with MDT
+
+**Applies to**
+- Windows 10
+
+This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+
+## About MDT
+
+MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today.
+
+In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](https://docs.microsoft.com/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
+
+MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/).
+
+## Key features in MDT
+
+MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment.
+
+MDT has many useful features, such as:
+- **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10.
+- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
+- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), as well as Windows 8.1 Embedded Industry.
+- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
+- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This is related to UEFI.
+- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts.
+
+ 
+
+ The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
+
+- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard.
+- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER).
+- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence.
+- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file.
+- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard.
+- **Monitoring.** Allows you to see the status of currently running deployments.
+- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM).
+- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure.
+- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
+- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
+
+ 
+
+ The offline USMT backup in action.
+
+- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features.
+- **Microsoft System Center Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence.
+- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image.
+- **Support for Microsoft Office.** Provides added support for deploying Microsoft Office.
+- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
+- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
+- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+
+## MDT Lite Touch components
+
+Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.
+
+When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.
+
+
+
+If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task.
+
+## Deployment shares
+
+A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment.
+
+## Rules
+
+The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed:
+- Computer name
+- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object
+- Whether to enable BitLocker
+- Regional settings
+You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+
+
+
+Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
+
+## Boot images
+
+Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment
+share on the server and start the deployment.
+
+## Operating systems
+
+Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments.
+
+## Applications
+
+Using the Deployment Workbench, you also add the applications you want to deploy. MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps.
+
+## Driver repository
+
+You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image.
+
+## Packages
+
+With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts.
+
+## Task sequences
+
+Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence.
+
+You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows:
+- **Gather.** Reads configuration settings from the deployment server.
+- **Format and Partition.** Creates the partition(s) and formats them.
+- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository.
+- **Apply Operating System.** Uses ImageX to apply the image.
+- **Windows Update.** Connects to a WSUS server and updates the machine.
+
+## Task sequence templates
+
+MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence.
+- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer.
+
+ **Note**: It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot.
+
+- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
+- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
+- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action).
+- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers.
+- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature.
+- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments.
+- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file.
+- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers.
+- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
+
+## Selection profiles
+
+Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to:
+- Control which drivers and packages are injected into the Lite Touch (and generic) boot images.
+- Control which drivers are injected during the task sequence.
+- Control what is included in any media that you create.
+- Control what is replicated to other deployment shares.
+- Filter which task sequences and applications are displayed in the Deployment Wizard.
+
+## Logging
+
+MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well.
+
+**Note**
+The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717).
+
+## Monitoring
+
+On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench.
+
+## See next
+
+[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index aa2e3ff40e..01c0044c6e 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -1,6 +1,6 @@
---
title: Prepare for deployment with MDT (Windows 10)
-description: Learn how to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
+description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226
ms.reviewer:
manager: laurawi
@@ -19,51 +19,176 @@ ms.topic: article
# Prepare for deployment with MDT
**Applies to**
-- Windows 10
+- Windows 10
-This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory.
+This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory.
-For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+## Infrastructure
-## System requirements
+The procedures in this guide use the following names and infrastructure.
-MDT requires the following components:
-- Any of the following operating systems:
- - Windows 7
- - Windows 8
- - Windows 8.1
- - Windows 10
- - Windows Server 2008 R2
- - Windows Server 2012
- - Windows Server 2012 R2
-- Windows Assessment and Deployment Kit (ADK) for Windows 10
-- Windows PowerShell
-- Microsoft .NET Framework
+### Network and servers
-## Install Windows ADK for Windows 10
+For the purposes of this topic, we will use three server computers: **DC01**, **MDT01**, and **HV01**.
+- All servers are running Windows Server 2019.
+ - You can use an earlier version of Windows Server with minor modifications to some procedures.
+ - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is requried to perform the procedures in this guide.
+- **DC01** is a domain controller, DHCP server, and DNS server for contoso.com, representing the fictitious Contoso Corporation.
+- **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server.
+ - A second MDT server (**MDT02**) configured identially to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway.
+- **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image.
+ - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01.
-These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder.
-1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd.
-2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**.
-3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings:
- 1. Deployment Tools
- 2. Windows Preinstallation Environment (Windows PE)
- 3. User State Migration Tool (USMT)
+### Client computers
- >[!IMPORTANT]
- >Starting with Windows 10, version 1809, Windows PE is released separately from the ADK. See [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) for more information.
+Several client computers are referenced in this guide with hostnames of PC0001 to PC0007.
-## Install MDT
+- **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain.
+ - Client name: PC0001
+ - IP Address: DHCP
+- **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios.
+ - Client name: PC0002
+ - IP Address: DHCP
+- **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively.
-These steps assume that you have downloaded [MDT](https://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT folder on MDT01.
+### Storage requirements
-1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd.
-2. Install **MDT** (E:\\Downloads\\MDT\\MicrosoftDeploymentToolkit\_x64.msi) with the default settings.
+MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:) you will need to adjust come procedures in this guide to specify the C: drive instead of the D: drive.
-## Create the OU structure
+### Hyper-V requirements
-If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT.
-1. On DC01, using Active Directory User and Computers, in the contoso.com domain level, create a top-level OU named **Contoso**.
+If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](https://docs.microsoft.com/windows/deployment/windows-10-poc#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V.
+
+### Network requirements
+
+All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+
+### Domain credentials
+
+The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.
+
+**Active Directory domain name**: contoso.com
+**Domain administrator username**: administrator
+**Domain administrator password**: pass@word1
+
+### Organizational unit structure
+
+The following OU structure is used in this guide. Instructions are provided [below](#create-the-ou-structure) to help you create the required OUs.
+
+
+
+## Install the Windows ADK
+
+These steps assume that you have the MDT01 member server running and configured as a domain member server.
+
+On **MTD01**:
+
+Visit the [Download and install the Windows ADK](https://go.microsoft.com/fwlink/p/?LinkId=526803) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder):
+- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042)
+- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112)
+- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334)
+
+>[!TIP]
+>You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).
+
+1. On **MDT01**, ensure that you are signed in as an administrator in the CONTOSO domain.
+ - For the purposes of this guide, we are using a Domain Admin account of **administrator** with a password of pass@word1. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials.
+2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step.
+3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step.
+4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file.
+ - You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later.
+
+## Install and initialize Windows Deployment Services (WDS)
+
+On **MDT01**:
+
+1. Open an elevated Windows PowerShell prompt and enter the following command:
+
+ ```powershell
+ Install-WindowsFeature -Name WDS -IncludeManagementTools
+ WDSUTIL /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall"
+ WDSUTIL /Set-Server /AnswerClients:All
+ ```
+
+## Optional: Install Windows Server Update Services (WSUS)
+
+If you wish to use MDT as a WSUS server using the Windows Internal Database (WID), use the following command to install this service. Alternatively, change the WSUS server information in this guide to the WSUS server in your environment.
+
+To install WSUS on MDT01, enter the following at an elevated Windows PowerShell prompt:
+
+ ```powershell
+ Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
+ cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
+ ```
+
+>To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wsus#configure-automatic-updates-and-update-service-location) on DC01.
+
+## Install MDT
+
+>[!NOTE]
+>MDT installation requires the following:
+>- The Windows ADK for Windows 10 (installed in the previous procedure)
+>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
+>- Microsoft .NET Framework
+
+On **MDT01**:
+
+1. Visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117) and click **Download MDT**.
+2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01.
+ - **Note**: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work.
+3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings.
+
+## Create the OU structure
+
+Switch to **DC01** and perform the following procedures on **DC01**:
+
+To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell.
+
+To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension.
+
+```powershell
+$oulist = Import-csv -Path c:\oulist.txt
+ForEach($entry in $oulist){
+ $ouname = $entry.ouname
+ $oupath = $entry.oupath
+ New-ADOrganizationalUnit -Name $ouname -Path $oupath -WhatIf
+ Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"
+}
+```
+
+Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt
+
+```text
+OUName,OUPath
+Contoso,"DC=CONTOSO,DC=COM"
+Accounts,"OU=Contoso,DC=CONTOSO,DC=COM"
+Computers,"OU=Contoso,DC=CONTOSO,DC=COM"
+Groups,"OU=Contoso,DC=CONTOSO,DC=COM"
+Admins,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Service Accounts,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Users,"OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM"
+Servers,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
+Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
+Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM"
+```
+
+Lastly, open an elevated Windows PowerShell prompt on DC01 and run the ou.ps1 script:
+
+```powershell
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
+Set-Location C:\Setup\Scripts
+.\ou.ps1
+```
+
+This will create an OU structure as shown below.
+
+
+
+To use the Active Directory Users and Computers console (instead of PowerShell):
+
+On **DC01**:
+
+1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**.
2. In the **Contoso** OU, create the following OUs:
1. Accounts
2. Computers
@@ -76,55 +201,62 @@ If you do not have an organizational unit (OU) structure in your Active Director
1. Servers
2. Workstations
5. In the **Contoso / Groups** OU, create the following OU:
- - Security Groups
+ 1. Security Groups
-
+The final result of either method is shown below. The **MDT_BA** account will be created next.
-Figure 6. A sample of how the OU structure will look after all the OUs are created.
+## Create the MDT service account
-## Create the MDT service account
+When creating a reference image, you need an account for MDT. The MDT build account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.
-When creating a reference image, you need an account for MDT. The MDT Build Account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.
-1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**.
-2. Select the **Service Accounts** OU and create the **MDT\_BA** account using the following settings:
- 1. Name: MDT\_BA
- 2. User logon name: MDT\_BA
- 3. Password: P@ssw0rd
- 4. User must change password at next logon: Clear
- 5. User cannot change password: Selected
- 6. Password never expires: Selected
+To create an MDT build account, open an elevalted Windows PowerShell prompt on DC01 and enter the following (copy and paste the entire command, taking care to notice the scroll bar at the bottom). This command will create the MDT_BA user account and set the password to "pass@word1":
-## Create and share the logs folder
+```powershell
+New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
+```
+If you have the Active Directory Users and Computers console open you can refresh the view and see this new account in the **Contoso\Accounts\Service Accounts** OU as shown in the screenshot above.
+
+## Create and share the logs folder
By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-1. On MDT01, log on as **CONTOSO\\Administrator**.
-2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
+On **MDT01**:
- ``` powershell
- New-Item -Path E:\Logs -ItemType directory
- New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE
- icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
+1. Sign in as **CONTOSO\\administrator**.
+2. Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
+
+ ```powershell
+ New-Item -Path D:\Logs -ItemType directory
+ New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE
+ icacls D:\Logs /grant '"MDT_BA":(OI)(CI)(M)'
```
-
+See the following example:
-Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell.
+
-## Use CMTrace to read log files (optional)
+## Use CMTrace to read log files (optional)
-The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read.
+The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](https://docs.microsoft.com/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool.
+You can use Notepad (example below):
-Figure 8. An MDT log file opened in Notepad.
+Alternatively, CMTrace formatting makes the logs much easier to read. See the same log file below, opened in CMTrace:
+After installing the ConfigMgrTools.msi file, you can search for **cmtrace** and pin the tool to your taskbar for easy access.
-Figure 9. The same log file, opened in CMTrace, is much easier to read.
-## Related topics
+## Next steps
-[Key features in MDT](key-features-in-mdt.md)
+When you have completed all the steps in this section to prepare for deployment, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
-[MDT Lite Touch components](mdt-lite-touch-components.md)
+## Appendix
+
+**Sample files**
+
+The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so that you can see how some tasks can be automated with Windows PowerShell.
+- [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
+- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
+- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index 6c0524658f..c0f5f7d8a1 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -1,132 +1,120 @@
----
-title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
-description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
-ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: reinstallation, customize, template, script, restore
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
author: greg-lindsay
-ms.topic: article
----
-
-# Refresh a Windows 7 computer with Windows 10
-
-**Applies to**
-- Windows 10
-
-This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version.
-
-For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
-
-
-
-Figure 1. The machines used in this topic.
-
-## The computer refresh process
-
-Even though a computer will appear, to the end user, to be upgraded, a computer refresh is not, technically, an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation.
-For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
-
-1. Back up data and settings locally, in a backup folder.
-
-2. Wipe the partition, except for the backup folder.
-
-3. Apply the new operating system image.
-
-4. Install other applications.
-
-5. Restore data and settings.
-
-During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
-
->[!NOTE]
->In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario.
-
-### Multi-user migration
-
-By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a machine that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up
-by configuring command-line switches to ScanState (added as rules in MDT).
-
-As an example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
-
->[!NOTE]
->You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
-
-### Support for additional settings
-
-In addition to the command-line switches that control which profiles to migrate, the XML templates control exactly what data is being migrated. You can control data within and outside the user profiles
-
-## Create a custom User State Migration Tool (USMT) template
-
-In this section, you learn to migrate additional data using a custom template. You configure the environment to use a custom USMT XML template that will:
-
-1. Back up the **C:\\Data** folder (including all files and folders).
-
-2. Scan the local disk for PDF documents (\*.pdf files) and restore them into the **C:\\Data\\PDF Documents** folder on the destination machine.
- The custom USMT template is named MigContosoData.xml, and you can find it in the sample files for this documentation, which include:
-
- * [Gather script](https://go.microsoft.com/fwlink/p/?LinkId=619361)
- * [Set-OUPermissions](https://go.microsoft.com/fwlink/p/?LinkId=619362) script
- * [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363)
-
-### Add the custom XML template
-
-In order to use the custom MigContosoData.xml USMT template, you need to copy it to the MDT Production deployment share and update the CustomSettings.ini file. In these steps, we assume you have downloaded the MigContosoData.xml file.
-1. Using File Explorer, copy the MigContosoData.xml file to the **E:\\MDTProduction\\Tools\\x64\\USMT5** folder.
-2. Using Notepad, edit the E:\\MDTProduction\\Control\\CustomSettings.ini file. After the USMTMigFiles002=MigUser.xml line add the following line:
-
- ``` syntax
- USMTMigFiles003=MigContosoData.xml
- ```
-3. Save the CustomSettings.ini file.
-
-## Refresh a Windows 7 SP1 client
-
-After adding the additional USMT template and configuring the CustomSettings.ini file to use it, you are now ready to refresh a Windows 7 SP1 client to Windows 10. In these steps, we assume you have a Windows 7 SP1 client named PC0001 in your environment that is ready for a refresh to Windows 10.
-
->[!NOTE]
->MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-### Upgrade (refresh) a Windows 7 SP1 client
-
-1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings:
-
- * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
- * Computer name: <default>
- * Specify where to save a complete computer backup: Do not back up the existing computer
- >[!NOTE]
- >Skip this optional full WIM backup. The USMT backup will still run.
-
-2. Select one or more applications to install: Install - Adobe Reader XI - x86
-
-3. The setup now starts and does the following:
-
- * Backs up user settings and data using USMT.
- * Installs the Windows 10 Enterprise x64 operating system.
- * Installs the added application(s).
- * Updates the operating system via your local Windows Server Update Services (WSUS) server.
- * Restores user settings and data using USMT.
-
-
-
-Figure 2. Starting the computer refresh from the running Windows 7 SP1 client.
-
-## Related topics
-
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-
-[Configure MDT settings](configure-mdt-settings.md)
+---
+title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
+description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
+ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: reinstallation, customize, template, script, restore
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Refresh a Windows 7 computer with Windows 10
+
+**Applies to**
+- Windows 10
+
+This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+
+For the purposes of this topic, we will use three computers: DC01, MDT01, and PC0001.
+- DC01 is a domain controller for the contoso.com domain.
+- MDT01 is domain member server that hosts your deployment share.
+- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1.
+
+Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+
+
+
+The computers used in this topic.
+
+## The computer refresh process
+
+A computer refresh is not the same as an in-place upgrade because a computer refresh involves exporting user data and settings then wiping the device before installing a fresh OS and restoring the user's data and settings.
+
+For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will:
+
+1. Back up data and settings locally, in a backup folder.
+2. Wipe the partition, except for the backup folder.
+3. Apply the new operating system image.
+4. Install other applications.
+5. Restore data and settings.
+
+During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data.
+
+>[!NOTE]
+>In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario.
+
+### Multi-user migration
+
+By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a computer that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up by configuring command-line switches to ScanState (added as rules in MDT).
+
+For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
+
+>[!NOTE]
+>You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
+
+### Support for additional settings
+
+In addition to the command-line switches that control which profiles to migrate, [XML templates](https://docs.microsoft.com/windows/deployment/usmt/understanding-migration-xml-files) control exactly what data is being migrated. You can control data within and outside the user profiles.
+
+### Multicast
+
+Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment for a small number of computers. You will need to update the deployment share after changing this setting.
+
+## Refresh a Windows 7 SP1 client
+
+In these section, we assume that you have already performed the prerequisite procedures in the following topics, so that you have a deployment share named **MDTProduction$** on MDT01:
+
+- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+
+It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we will refreshing a Windows 7 SP1 PC to Windows 10, version 1909.
+
+### Upgrade (refresh) a Windows 7 SP1 client
+
+>[!IMPORTANT]
+>Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer.
+
+1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**.
+2. Complete the deployment guide using the following settings:
+
+ * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
+ * Computer name: <default>
+ * Specify where to save a complete computer backup: Do not back up the existing computer
+ >[!NOTE]
+ >Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run.
+ * Select one or more applications to install: Install - Adobe Reader
+
+ 
+
+4. Setup starts and does the following:
+
+ * Backs up user settings and data using USMT.
+ * Installs the Windows 10 Enterprise x64 operating system.
+ * Installs any added applications.
+ * Updates the operating system using your local Windows Server Update Services (WSUS) server.
+ * Restores user settings and data using USMT.
+
+5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example:
+
+ 
+
+6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated.
+
+## Related topics
+
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index f9d1c1f252..1f16c8febd 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -21,68 +21,75 @@ ms.topic: article
**Applies to**
- Windows 10
-A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10; however, because you are replacing a machine, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it.
-For the purposes of this topic, we will use four machines: DC01, MDT01, PC0002, and PC0007. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. PC0002 is an old machine running Windows 7 SP1. It is going to be replaced by a new Windows 10 machine, PC0007. User State Migration Tool (USMT) will be used to backup and restore data and settings. MDT01, PC0002, and PC0007 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10. However, because you are replacing a device, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings.
-
+For the purposes of this topic, we will use four computers: DC01, MDT01, PC0002, and PC0007.
+- DC01 is a domain controller for the contoso.com domain.
+- MDT01 is domain member server that hosts your deployment share.
+- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007.
+- PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain.
-Figure 1. The machines used in this topic.
+For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-## Prepare for the computer replace
+
-When preparing for the computer replace, you need to create a folder in which to store the backup, and a backup only task sequence that you run on the old computer.
+The computers used in this topic.
+
+>HV01 is also used in this topic to host the PC0007 virtual machine for demonstration purposes, however typically PC0007 is a physical computer.
+
+## Prepare for the computer replace
+
+ To prepare for the computer replace, you need to create a folder in which to store the backup and a backup only task sequence to run on the old computer.
### Configure the rules on the Microsoft Deployment Toolkit (MDT) Production share
-1. On MDT01, using the Deployment Workbench, update the MDT Production deployment share rules.
+On **MDT01**:
-2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
+1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, click **Properties**, and then click the **Rules** tab.
+2. Change the **SkipUserData=YES** option to **NO**, and click **OK**.
+3. Right-click **MDT Production** and click **Update Deployment Share**. Click **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default setttings.
### Create and share the MigData folder
-1. On MDT01, log on as **CONTOSO\\Administrator**.
+On **MDT01**:
-2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
+1. Create and share the **D:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
``` powershell
- New-Item -Path E:\MigData -ItemType directory
- New-SmbShare -Name MigData$ -Path E:\MigData
- -ChangeAccess EVERYONE
- icacls E:\MigData /grant '"MDT_BA":(OI)(CI)(M)'
+ New-Item -Path D:\MigData -ItemType directory
+ New-SmbShare -Name MigData$ -Path D:\MigData -ChangeAccess EVERYONE
+ icacls D:\MigData /grant '"MDT_BA":(OI)(CI)(M)'
```
### Create a backup only (replace) task sequence
-3. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**.
+2. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**.
-4. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+3. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
* Task sequence ID: REPLACE-001
* Task sequence name: Backup Only Task Sequence
* Task sequence comments: Run USMT to backup user data and settings
* Template: Standard Client Replace Task Sequence
-5. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
+4. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
- Figure 2. The Backup Only Task Sequence action list.
+ The Backup Only Task Sequence action list.
-## Perform the computer replace
+## Perform the computer replace
During a computer replace, these are the high-level steps that occur:
1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Window Imaging (WIM) backup.
+2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
-2. On the new machine, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
+### Run the replace task sequence
-### Execute the replace task sequence
+On **PC0002**:
-1. On PC0002, log on as **CONTOSO\\Administrator**.
-
-2. Verify that you have write access to the **\\\\MDT01\\MigData$** share.
-
-3. Execute **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
-
-4. Complete the Windows Deployment Wizard using the following settings:
+1. Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share.
+2. Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
+3. Complete the Windows Deployment Wizard using the following settings:
1. Select a task sequence to execute on this computer: Backup Only Task Sequence
* Specify where to save your data and settings: Specify a location
@@ -92,21 +99,24 @@ During a computer replace, these are the high-level steps that occur:
>If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
2. Specify where to save a complete computer backup: Do not back up the existing computer
- 3. Password: P@ssw0rd
- The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the machine.
+ The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the computer.
- Figure 3. The new task sequence running the Capture User State action on PC0002.
+ The new task sequence running the Capture User State action on PC0002.
-5. On MDT01, verify that you have an USMT.MIG compressed backup file in the **E:\\MigData\\PC0002\\USMT** folder.
+4. On **MDT01**, verify that you have an USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder.
- Figure 4. The USMT backup of PC0002.
+ The USMT backup of PC0002.
-### Deploy the PC0007 virtual machine
+### Deploy the replacement computer
+
+To demonstrate deployment of the replacement computer, HV01 is used to host a virtual machine: PC0007.
+
+On **HV01**:
1. Create a virtual machine with the following settings:
@@ -115,38 +125,40 @@ During a computer replace, these are the high-level steps that occur:
* Generation: 2
* Memory: 2048 MB
* Hard disk: 60 GB (dynamic disk)
+ * Install an operating system from a network-based installation server
-2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The machine will now load the Windows PE boot image from the WDS server.
+2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site).
- Figure 5. The initial PXE boot process of PC0005.
+ The initial PXE boot process of PC0007.
3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
- * Password: P@ssw0rd
* Select a task sequence to execute on this computer:
* Windows 10 Enterprise x64 RTM Custom Image
* Computer Name: PC0007
- * Applications: Select the Install - Adobe Reader XI - x86 application.
+ * Move Data and Settings: Do not move user data and settings.
+ * User Data (Restore) > Specify a location: \\\\MDT01\\MigData$\\PC0002
+ * Applications: Adobe > Install - Adobe Reader
-4. The setup now starts and does the following:
+4. Setup now starts and does the following:
+ * Partitions and formats the disk.
* Installs the Windows 10 Enterprise operating system.
- * Installs the added application.
+ * Installs the application.
* Updates the operating system via your local Windows Server Update Services (WSUS) server.
* Restores the USMT backup from PC0002.
+You can view progress of the process by clicking the Monitoring node in the Deployment Workbrench on MDT01.
+
+
+
## Related topics
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-
+[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 03899e149e..d54f06dc77 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -37,7 +37,10 @@ If you have access to Microsoft BitLocker Administration and Monitoring (MBAM),
> [!NOTE]
> Backing up TMP to Active Directory was supported only on Windows 10 version 1507 and 1511.
-For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
+>[!NOTE]
+>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+
+For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
## Configure Active Directory for BitLocker
@@ -50,7 +53,7 @@ In Windows Server version from 2008 R2 and later, you have access to the BitLock
-Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.
+The BitLocker Recovery information on a computer object in the contoso.com domain.
### Add the BitLocker Drive Encryption Administration Utilities
@@ -69,7 +72,7 @@ The BitLocker Drive Encryption Administration Utilities are added as features vi
-Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.
+Selecting the BitLocker Drive Encryption Administration Utilities.
### Create the BitLocker Group Policy
@@ -103,7 +106,7 @@ In addition to the Group Policy created previously, you need to configure permis
-Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.
+Running the Add-TPMSelfWriteACE.vbs script on DC01.
## Add BIOS configuration tools from Dell, HP, and Lenovo
@@ -161,16 +164,10 @@ In the following task sequence, we added five actions:
## Related topics
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use web services in MDT](use-web-services-in-mdt.md)
-
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
new file mode 100644
index 0000000000..38604acbf4
--- /dev/null
+++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -0,0 +1,114 @@
+---
+title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
+description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
+ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: upgrade, update, task sequence, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+ms.pagetype: mdt
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Perform an in-place upgrade to Windows 10 with MDT
+
+**Applies to**
+- Windows 10
+
+The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
+
+>[!TIP]
+>In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple.
+
+In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you cannot use a custom image to perform the in-place upgrade. In this article we will add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade.
+
+Three computers are used in this topic: DC01, MDT01, and PC0002.
+
+- DC01 is a domain controller for the contoso.com domain
+- MDT01 is a domain member server
+- PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade
+
+ 
+
+ The computers used in this topic.
+
+>[!NOTE]
+>For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+
+>If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source).
+
+## Create the MDT production deployment share
+
+On **MDT01**:
+
+1. Ensure you are signed on as: contoso\administrator.
+2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
+4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
+5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
+6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
+7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
+
+## Add Windows 10 Enterprise x64 (full source)
+
+>If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section.
+
+On **MDT01**:
+
+1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01.
+2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**.
+3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
+4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
+ - Full set of source files
+ - Source directory: (location of your source files)
+ - Destination directory name: W10EX64RTM
+5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**.
+
+## Create a task sequence to upgrade to Windows 10 Enterprise
+
+On **MDT01**:
+
+1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**.
+2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ - Task sequence ID: W10-X64-UPG
+ - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade
+ - Template: Standard Client Upgrade Task Sequence
+ - Select OS: Windows 10 Enterprise x64 RTM Default Image
+ - Specify Product Key: Do not specify a product key at this time
+ - Organization: Contoso
+ - Admin Password: Do not specify an Administrator password at this time
+
+## Perform the Windows 10 upgrade
+
+To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded).
+
+On **PC0002**:
+
+1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**
+2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**.
+3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader
+4. On the **Ready** tab, click **Begin** to start the task sequence.
+ When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
+
+
+
+
+
+
+
+
+
+
+
+After the task sequence completes, the computer will be fully upgraded to Windows 10.
+
+## Related topics
+
+[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-sccm/TOC.md b/windows/deployment/deploy-windows-sccm/TOC.md
new file mode 100644
index 0000000000..93aadaebcd
--- /dev/null
+++ b/windows/deployment/deploy-windows-sccm/TOC.md
@@ -0,0 +1,15 @@
+# Deploy Windows 10 with Configuration Manager
+## [Configuration Manager components](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
+### [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+### [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+### [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
+### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+### [Perform an in-place upgrade to Windows 10 using Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
index 06c696d2c7..5a2a0146fc 100644
--- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md
@@ -86,23 +86,14 @@ Operating system deployment with Configuration Manager is part of the normal sof
**Note** Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.
-
-
## See also
-
- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)
-
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-
+- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
-
- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx)
-
- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803)
diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md
new file mode 100644
index 0000000000..0c75a0f3df
--- /dev/null
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-configuration-manager.md
@@ -0,0 +1,80 @@
+---
+title: Deploy Windows 10 with Configuration Manager (Windows 10)
+description: If you have Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10.
+ms.assetid: eacd7b7b-dde0-423d-97cd-29bde9e8b363
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: deployment, custom, boot
+ms.prod: w10
+ms.localizationpriority: medium
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10 with Configuration Manager
+
+
+**Applies to**
+
+- Windows 10 versions 1507, 1511
+
+>[!IMPORTANT]
+>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems).
+>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10).
+
+If you have Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT).
+
+For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
+
+
+Figure 1. The machines used in this topic.
+
+## In this section
+
+
+- [Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
+- [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+- [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+- [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+- [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
+- [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+- [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
+- [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+- [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+
+## Components of Configuration Manager operating system deployment
+
+
+Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
+
+- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
+- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
+- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
+- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
+- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
+- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
+- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
+- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
+- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
+
+ **Note** Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10.
+
+
+
+## See also
+
+- [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
+- [Windows deployment tools](../windows-deployment-scenarios-and-tools.md)
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
+- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx)
+- [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803)
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index adca6df481..8fc3e2cdc1 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -1,49 +1,39 @@
----
-title: Deploy Windows 10 (Windows 10)
-description: Deploying Windows 10 for IT professionals.
-ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
-ms.reviewer:
-manager: laurawi
-ms.audience: itpro
-author: greg-lindsay
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.localizationpriority: medium
-ms.date: 11/06/2018
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Deploy Windows 10
-
-Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available.
-
-
-|Topic |Description |
-|------|------------|
-|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
-|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
-|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
-|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
-|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
-|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). |
-|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
-|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
-|[Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
-|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
-|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
-
-## Related topics
-
-[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
-
-
-
-
-
-
-
-
-
+---
+title: Deploy Windows 10 (Windows 10)
+description: Deploying Windows 10 for IT professionals.
+ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.localizationpriority: medium
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deploy Windows 10
+
+Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available.
+
+
+|Topic |Description |
+|------|------------|
+|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
+|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
+|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
+|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
+|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
+|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Deploy Windows 10 with Microsoft Endpoint Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
+|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
+|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
+
+## Related topics
+
+[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
\ No newline at end of file
diff --git a/windows/deployment/images/acroread.png b/windows/deployment/images/acroread.png
new file mode 100644
index 0000000000..142e7b6d74
Binary files /dev/null and b/windows/deployment/images/acroread.png differ
diff --git a/windows/deployment/images/captureimage.png b/windows/deployment/images/captureimage.png
new file mode 100644
index 0000000000..e9ebbf3aad
Binary files /dev/null and b/windows/deployment/images/captureimage.png differ
diff --git a/windows/deployment/images/dart.png b/windows/deployment/images/dart.png
new file mode 100644
index 0000000000..f5c099e9a0
Binary files /dev/null and b/windows/deployment/images/dart.png differ
diff --git a/windows/deployment/images/dc01-cm01-pc0001.png b/windows/deployment/images/dc01-cm01-pc0001.png
new file mode 100644
index 0000000000..f6adafdf15
Binary files /dev/null and b/windows/deployment/images/dc01-cm01-pc0001.png differ
diff --git a/windows/deployment/images/deployment-workbench01.png b/windows/deployment/images/deployment-workbench01.png
new file mode 100644
index 0000000000..c68ee25db1
Binary files /dev/null and b/windows/deployment/images/deployment-workbench01.png differ
diff --git a/windows/deployment/images/downloads.png b/windows/deployment/images/downloads.png
new file mode 100644
index 0000000000..36c45c4a88
Binary files /dev/null and b/windows/deployment/images/downloads.png differ
diff --git a/windows/deployment/images/fig10-unattend.png b/windows/deployment/images/fig10-unattend.png
index a9d2bc16df..54f0b0f86f 100644
Binary files a/windows/deployment/images/fig10-unattend.png and b/windows/deployment/images/fig10-unattend.png differ
diff --git a/windows/deployment/images/fig2-importedos.png b/windows/deployment/images/fig2-importedos.png
index ed72d2ef4d..90cf910c24 100644
Binary files a/windows/deployment/images/fig2-importedos.png and b/windows/deployment/images/fig2-importedos.png differ
diff --git a/windows/deployment/images/fig2-taskseq.png b/windows/deployment/images/fig2-taskseq.png
index 1da70bd6e7..bdd81ddbde 100644
Binary files a/windows/deployment/images/fig2-taskseq.png and b/windows/deployment/images/fig2-taskseq.png differ
diff --git a/windows/deployment/images/fig4-oob-drivers.png b/windows/deployment/images/fig4-oob-drivers.png
index b1f6924665..14d93fb278 100644
Binary files a/windows/deployment/images/fig4-oob-drivers.png and b/windows/deployment/images/fig4-oob-drivers.png differ
diff --git a/windows/deployment/images/fig8-cust-tasks.png b/windows/deployment/images/fig8-cust-tasks.png
index 378215ee2b..3ab40d730a 100644
Binary files a/windows/deployment/images/fig8-cust-tasks.png and b/windows/deployment/images/fig8-cust-tasks.png differ
diff --git a/windows/deployment/images/image-captured.png b/windows/deployment/images/image-captured.png
new file mode 100644
index 0000000000..69c5d5ef15
Binary files /dev/null and b/windows/deployment/images/image-captured.png differ
diff --git a/windows/deployment/images/iso-data.png b/windows/deployment/images/iso-data.png
new file mode 100644
index 0000000000..f188046b7f
Binary files /dev/null and b/windows/deployment/images/iso-data.png differ
diff --git a/windows/deployment/images/mdt-03-fig02.png b/windows/deployment/images/mdt-03-fig02.png
index d0fd979449..934be09dc1 100644
Binary files a/windows/deployment/images/mdt-03-fig02.png and b/windows/deployment/images/mdt-03-fig02.png differ
diff --git a/windows/deployment/images/mdt-03-fig03.png b/windows/deployment/images/mdt-03-fig03.png
index ba1de39aa0..a387923d80 100644
Binary files a/windows/deployment/images/mdt-03-fig03.png and b/windows/deployment/images/mdt-03-fig03.png differ
diff --git a/windows/deployment/images/mdt-03-fig04.png b/windows/deployment/images/mdt-03-fig04.png
index 26600a2036..437531d2f6 100644
Binary files a/windows/deployment/images/mdt-03-fig04.png and b/windows/deployment/images/mdt-03-fig04.png differ
diff --git a/windows/deployment/images/mdt-03-fig05.png b/windows/deployment/images/mdt-03-fig05.png
index 9c44837022..a7b8d6ca2e 100644
Binary files a/windows/deployment/images/mdt-03-fig05.png and b/windows/deployment/images/mdt-03-fig05.png differ
diff --git a/windows/deployment/images/mdt-07-fig01.png b/windows/deployment/images/mdt-07-fig01.png
index b2ccfec334..90635678e8 100644
Binary files a/windows/deployment/images/mdt-07-fig01.png and b/windows/deployment/images/mdt-07-fig01.png differ
diff --git a/windows/deployment/images/mdt-07-fig08.png b/windows/deployment/images/mdt-07-fig08.png
index 66e2969916..2cbfc47271 100644
Binary files a/windows/deployment/images/mdt-07-fig08.png and b/windows/deployment/images/mdt-07-fig08.png differ
diff --git a/windows/deployment/images/mdt-07-fig09.png b/windows/deployment/images/mdt-07-fig09.png
index ce320427ee..245b59072d 100644
Binary files a/windows/deployment/images/mdt-07-fig09.png and b/windows/deployment/images/mdt-07-fig09.png differ
diff --git a/windows/deployment/images/mdt-07-fig10.png b/windows/deployment/images/mdt-07-fig10.png
index 7aff3c2d76..2c61e0eb3d 100644
Binary files a/windows/deployment/images/mdt-07-fig10.png and b/windows/deployment/images/mdt-07-fig10.png differ
diff --git a/windows/deployment/images/mdt-07-fig11.png b/windows/deployment/images/mdt-07-fig11.png
index 905f8bd572..ce70374271 100644
Binary files a/windows/deployment/images/mdt-07-fig11.png and b/windows/deployment/images/mdt-07-fig11.png differ
diff --git a/windows/deployment/images/mdt-07-fig13.png b/windows/deployment/images/mdt-07-fig13.png
index 849949a2f2..dae9bd23b8 100644
Binary files a/windows/deployment/images/mdt-07-fig13.png and b/windows/deployment/images/mdt-07-fig13.png differ
diff --git a/windows/deployment/images/mdt-07-fig14.png b/windows/deployment/images/mdt-07-fig14.png
index cfe7843eeb..788e609cf6 100644
Binary files a/windows/deployment/images/mdt-07-fig14.png and b/windows/deployment/images/mdt-07-fig14.png differ
diff --git a/windows/deployment/images/mdt-07-fig16.png b/windows/deployment/images/mdt-07-fig16.png
index 80e0925a40..995eaa51c7 100644
Binary files a/windows/deployment/images/mdt-07-fig16.png and b/windows/deployment/images/mdt-07-fig16.png differ
diff --git a/windows/deployment/images/mdt-08-fig01.png b/windows/deployment/images/mdt-08-fig01.png
index 7f795c42d4..7e9e650633 100644
Binary files a/windows/deployment/images/mdt-08-fig01.png and b/windows/deployment/images/mdt-08-fig01.png differ
diff --git a/windows/deployment/images/mdt-08-fig02.png b/windows/deployment/images/mdt-08-fig02.png
index 50c97d8d0c..7a0a4a1bbb 100644
Binary files a/windows/deployment/images/mdt-08-fig02.png and b/windows/deployment/images/mdt-08-fig02.png differ
diff --git a/windows/deployment/images/mdt-08-fig14.png b/windows/deployment/images/mdt-08-fig14.png
index 21b358d1f8..4e5626280a 100644
Binary files a/windows/deployment/images/mdt-08-fig14.png and b/windows/deployment/images/mdt-08-fig14.png differ
diff --git a/windows/deployment/images/mdt-10-fig05.png b/windows/deployment/images/mdt-10-fig05.png
index 64c0c4a6ee..8625f2972b 100644
Binary files a/windows/deployment/images/mdt-10-fig05.png and b/windows/deployment/images/mdt-10-fig05.png differ
diff --git a/windows/deployment/images/mdt-10-fig09.png b/windows/deployment/images/mdt-10-fig09.png
index ccdd05f34e..bb5010a93d 100644
Binary files a/windows/deployment/images/mdt-10-fig09.png and b/windows/deployment/images/mdt-10-fig09.png differ
diff --git a/windows/deployment/images/mdt-apps.png b/windows/deployment/images/mdt-apps.png
new file mode 100644
index 0000000000..72ee2268f2
Binary files /dev/null and b/windows/deployment/images/mdt-apps.png differ
diff --git a/windows/deployment/images/mdt-monitoring.png b/windows/deployment/images/mdt-monitoring.png
new file mode 100644
index 0000000000..c49732223a
Binary files /dev/null and b/windows/deployment/images/mdt-monitoring.png differ
diff --git a/windows/deployment/images/mdt-offline-media.png b/windows/deployment/images/mdt-offline-media.png
new file mode 100644
index 0000000000..d81ea4e0d8
Binary files /dev/null and b/windows/deployment/images/mdt-offline-media.png differ
diff --git a/windows/deployment/images/mdt-post-upg.png b/windows/deployment/images/mdt-post-upg.png
new file mode 100644
index 0000000000..f41d2ff32b
Binary files /dev/null and b/windows/deployment/images/mdt-post-upg.png differ
diff --git a/windows/deployment/images/mdt-replace.png b/windows/deployment/images/mdt-replace.png
new file mode 100644
index 0000000000..d731037d38
Binary files /dev/null and b/windows/deployment/images/mdt-replace.png differ
diff --git a/windows/deployment/images/mdt-rules.png b/windows/deployment/images/mdt-rules.png
new file mode 100644
index 0000000000..b01c519635
Binary files /dev/null and b/windows/deployment/images/mdt-rules.png differ
diff --git a/windows/deployment/images/mdt-upgrade-proc.png b/windows/deployment/images/mdt-upgrade-proc.png
new file mode 100644
index 0000000000..07a968aed0
Binary files /dev/null and b/windows/deployment/images/mdt-upgrade-proc.png differ
diff --git a/windows/deployment/images/mdt-upgrade.png b/windows/deployment/images/mdt-upgrade.png
new file mode 100644
index 0000000000..c794526ad5
Binary files /dev/null and b/windows/deployment/images/mdt-upgrade.png differ
diff --git a/windows/deployment/images/mdt.png b/windows/deployment/images/mdt.png
new file mode 100644
index 0000000000..76a00ee065
Binary files /dev/null and b/windows/deployment/images/mdt.png differ
diff --git a/windows/deployment/images/monitor-pc0001.PNG b/windows/deployment/images/monitor-pc0001.PNG
new file mode 100644
index 0000000000..072b9cb58c
Binary files /dev/null and b/windows/deployment/images/monitor-pc0001.PNG differ
diff --git a/windows/deployment/images/office-folder.png b/windows/deployment/images/office-folder.png
new file mode 100644
index 0000000000..722cc4d664
Binary files /dev/null and b/windows/deployment/images/office-folder.png differ
diff --git a/windows/deployment/images/pc0001.png b/windows/deployment/images/pc0001.png
new file mode 100644
index 0000000000..839cd3de54
Binary files /dev/null and b/windows/deployment/images/pc0001.png differ
diff --git a/windows/deployment/images/pc0005-vm-office.png b/windows/deployment/images/pc0005-vm-office.png
new file mode 100644
index 0000000000..bb8e96f5af
Binary files /dev/null and b/windows/deployment/images/pc0005-vm-office.png differ
diff --git a/windows/deployment/images/pc0005-vm.png b/windows/deployment/images/pc0005-vm.png
new file mode 100644
index 0000000000..4b2af635c4
Binary files /dev/null and b/windows/deployment/images/pc0005-vm.png differ
diff --git a/windows/deployment/images/pc0006.png b/windows/deployment/images/pc0006.png
new file mode 100644
index 0000000000..6162982966
Binary files /dev/null and b/windows/deployment/images/pc0006.png differ
diff --git a/windows/deployment/images/thinkstation.png b/windows/deployment/images/thinkstation.png
new file mode 100644
index 0000000000..7a144ec5b3
Binary files /dev/null and b/windows/deployment/images/thinkstation.png differ
diff --git a/windows/deployment/images/upgrademdt-fig1-machines.png b/windows/deployment/images/upgrademdt-fig1-machines.png
deleted file mode 100644
index ef553b6595..0000000000
Binary files a/windows/deployment/images/upgrademdt-fig1-machines.png and /dev/null differ
diff --git a/windows/deployment/media/windows10-deployment-config-manager.png b/windows/deployment/media/windows10-deployment-config-manager.png
index af6c8313e0..9a3ae2b1f5 100644
Binary files a/windows/deployment/media/windows10-deployment-config-manager.png and b/windows/deployment/media/windows10-deployment-config-manager.png differ
diff --git a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
deleted file mode 100644
index afb65c8724..0000000000
--- a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Change history for Plan for Windows 10 deployment (Windows 10)
-description: This topic lists new and updated topics in the Plan for Windows 10 deployment documentation for Windows 10 and Windows 10 Mobile.
-ms.assetid: 70D9F4F8-F2A4-4FB4-9459-5B2BE7BCAC66
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-audience: itpro
author: greg-lindsay
-ms.date: 07/19/2017
-ms.topic: article
----
-
-# Change history for Plan for Windows 10 deployment
-
-
-This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
-
-
-## RELEASE: Windows 10, version 1703
-
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following is a new topic:
-- [Windows 10 Enterprise - FAQ for IT Professionals](windows-10-enterprise-faq-itpro.md)
-
-## January 2017
-
-| New or changed topic | Description |
-|----------------------|-------------|
-| [Windows 10 Infrastructure Requirements](windows-10-infrastructure-requirements.md) | Added link for Windows Server 2008 R2 and Windows 7 activation and a link to Windows Server 2016 Volume Activation Tips |
-
-## September 2016
-
-| New or changed topic | Description |
-| --- | --- |
-| Windows 10 servicing overview | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) |
-| Windows Update for BusinessSetup and deployment of Windows Update for BusinessIntegration of Windows Update for Business with management solutions | New content replaced these topics; see [Manage updates using Windows Update for Business](https://technet.microsoft.com/itpro/windows/manage/waas-manage-updates-wufb) |
-
-
-## RELEASE: Windows 10, version 1607
-
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update).
-
-
-## July 2016
-
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-|[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) |Redirected deprecated content to the [Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md) content. Only Standard User Analyzer and Compatibility Administrator continue to be supported.|
-| [Windows 10 servicing overview](../update/waas-overview.md) | Content on this page was summarized. Detailed content about servicing branches was moved to the [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) page. |
-
-
-## May 2016
-
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [Deploy Windows 10 in a school](/education/windows/deploy-windows-10-in-a-school) | New|
-
-## December 2015
-
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
-| [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) | New |
-
-
-## November 2015
-
-
-| New or changed topic | Description |
-|--------------------------------------------------------------------------------------------------|-------------|
-| [Chromebook migration guide](/education/windows/chromebook-migration-guide) | New |
-| [Windows Update for Business](../update/waas-manage-updates-wufb.md) (multiple topics) | New |
-| [Windows To Go: feature overview](windows-to-go-overview.md) (multiple topics) | Updated |
-
-
-
-## Related topics
-
-
-[Change history for What's new in Windows 10](/windows/whats-new/change-history-for-what-s-new-in-windows-10)
-
-[Change history for Deploy Windows 10](../change-history-for-deploy-windows-10.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
index 022ac067c8..d57413d357 100644
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
@@ -60,7 +60,7 @@ DirectAccess can be used to ensure that the user can login with their domain cre
### Image deployment and drive provisioning considerations
-The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center Configuration Manager 2012 Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive.
+The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center 2012 Configuration Manager Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive.
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md
index 6f28178063..dde951580a 100644
--- a/windows/deployment/planning/index.md
+++ b/windows/deployment/planning/index.md
@@ -27,9 +27,9 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
## Related topics
- [Windows 10 servicing options for updates and upgrades](../update/index.md)
-- [Deploy Windows 10 with MDT 2013 Update 1](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Deploy Windows 10 with MDT](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Deploy Windows 10 with Configuration Manager and MDT 2013 Update 1](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-- [Upgrade to Windows 10 with MDT 2013 Update 1](../upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Upgrade to Windows 10 with Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911)
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index 484aa23fe6..0b58c82162 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -53,7 +53,7 @@ For System Center Configuration Manager, Windows 10 support is offered with var
> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require Microsoft Endpoint Configuration Manager current branch for supported management.
-For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
+For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md).
## Management tools
diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md
index 7e35245a09..760c0f0182 100644
--- a/windows/deployment/update/feature-update-mission-critical.md
+++ b/windows/deployment/update/feature-update-mission-critical.md
@@ -1,6 +1,6 @@
---
-title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
-description: Learn how to deploy feature updates to your mission critical devices
+title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices
+description: Learn how to deploy feature updates to your mission-critical devices
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
@@ -8,7 +8,6 @@ itproauthor: jaimeo
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.date: 07/10/2018
ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
@@ -21,7 +20,7 @@ ms.topic: article
Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
-For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates).
+For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service).
Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods:
@@ -32,9 +31,9 @@ You can use Configuration Manager to deploy feature updates to Windows 10 device
- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments.
-- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
+- **Language pack installations.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
-If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method.
+If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this useful in deploying software updates.
Use the following information:
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
index fa252c9db1..f6f30a2709 100644
--- a/windows/deployment/update/update-compliance-security-update-status.md
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -30,7 +30,7 @@ Deployment status summarizes detailed status into higher-level states to get a q
|Deployment status |Description |
|---------|---------|
|Failed | The device encountered a failure during the update process. Note that due to latency, devices reporting this status may have since retried the update. |
-|Progress stalled | he device started the update process, but no progress has been reported in the last 7 days. |
+|Progress stalled | The device started the update process, but no progress has been reported in the last 7 days. |
|Deferred | The device is currently deferring the update process due to Windows Update for Business policies. |
|In progress | The device has begun the updating process for this update. This status appears if the device is in any stage of the update process including and after download, but before completing the update. If no progress has been reported in the last 7 days, devices will move to **Progress stalled**.** |
|Update completed | The device has completed the update process. |
@@ -42,7 +42,7 @@ Deployment status summarizes detailed status into higher-level states to get a q
Detailed status provides a detailed stage-level representation of where in the update process the device was last reported to be in relative to this specific update. Note that with the latency of deployment data, devices might have since moved on from the reported detailed status.
-|Detaild status |Description |
+|Detailed status |Description |
|---------|---------|
|Scheduled in next X days | The device is currently deferring the update with Windows Update for Business policies but will be offered the update within the next X days. |
|Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
@@ -59,7 +59,7 @@ Detailed status provides a detailed stage-level representation of where in the u
|Commit | The device, after a restart, is committing changes relevant to the update. |
|Finalize succeeded | The device has finished final tasks after a restart to apply the update. |
|Update successful | The device has successfully applied the update. |
-|Cancelled | The update was cancelled at some point in the update process. |
+|Cancelled | The update was canceled at some point in the update process. |
|Uninstalled | The update was successfully uninstalled from the device. |
|Rollback | The update failed to apply during the update process, causing the device to roll back changes and revert to the previous update. |
diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md
deleted file mode 100644
index da28265e33..0000000000
--- a/windows/deployment/update/waas-manage-updates-configuration-manager.md
+++ /dev/null
@@ -1,328 +0,0 @@
----
-title: Deploy Windows 10 updates via Microsoft Endpoint Configuration Manager
-description: Microsoft Endpoint Configuration Manager provides maximum control over quality and feature updates for Windows 10.
-ms.prod: w10
-ms.mktglfcycl: manage
-author: jaimeo
-ms.localizationpriority: medium
-ms.author: jaimeo
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager
-
-
-**Applies to**
-
-- Windows 10
-
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
->[!IMPORTANT]
->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
-
-
-Microsoft Endpoint Configuration Manager provides maximum control over quality and feature updates for Windows 10. Unlike other servicing tools, Configuration Manager has capabilities that extend beyond servicing, such as application deployment, antivirus management, software metering, and reporting, and provides a secondary deployment method for LTSB clients. Configuration Manager can effectively control bandwidth usage and content distribution through a combination of BranchCache and distribution points. Microsoft encourages organizations currently using Configuration Manager for Windows update management to continue doing so for Windows 10 client computers.
-
-You can use Configuration Manager to service Windows 10 devices in two ways. The first option is to use Windows 10 Servicing Plans to deploy Windows 10 feature updates automatically based on specific criteria, similar to an Automatic Deployment Rule for software updates. The second option is to use a task sequence to deploy feature updates, along with anything else in the installation.
-
->[!NOTE]
->This topic focuses on updating and upgrading Windows 10 after it has already been deployed. To use Configuration Manager to upgrade your systems from the Windows 8.1, Windows 8, or Windows 7 operating system, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager).
-
-## Windows 10 servicing dashboard
-
-The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and other key information about Windows 10 servicing. For details about what each tile on the servicing dashboard represents, see [Manage Windows as a service using Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627931.aspx).
-
-For the Windows 10 servicing dashboard to display information, you must adhere to the following requirements:
-
-- **Heartbeat discovery**. Enable heartbeat discovery for the site receiving Windows 10 servicing information. Configuration for heartbeat discovery can be found in Administration\Overview\Hierarchy Configuration\Discovery Methods.
-- **Windows Server Update Service (WSUS)**. Microsoft Endpoint Configuration Manager must have the Software update point site system role added and configured to receive updates from a WSUS 4.0 server with the hotfix KB3095113 installed.
-- **Service connection point**. Add the Service connection point site system role in Online, persistent connection mode.
-- **Upgrade classification**. Select **Upgrade** from the list of synchronized software update classifications.
-
- **To configure Upgrade classification**
-
- 1. Go to Administration\Overview\Site Configuration\Sites, and then select your site from the list.
-
- 2. On the Ribbon, in the **Settings** section, click **Configure Site Components**, and then click **Software Update Point**.
-
- 
-
- 3. In the **Software Update Point Component Properties** dialog box, on the **Classifications** tab, click **Upgrades**.
-
-When you have met all these requirements and deployed a servicing plan to a collection, you’ll receive information on the Windows 10 servicing dashboard.
-
-## Create collections for deployment rings
-
-Regardless of the method by which you deploy Windows 10 feature updates to your environment, you must start the Windows 10 servicing process by creating collections of computers that represent your deployment rings. In this example, you create two collections: **Windows 10 – All Current Branch for Business** and **Ring 4 Broad business users**. You’ll use the **Windows 10 – All Current Branch for Business** collection for reporting and deployments that should go to all CBB clients. You’ll use the **Ring 4 Broad business users** collection as a deployment ring for the first CBB users.
-
->[!NOTE]
->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
-
-**To create collections for deployment rings**
-
-1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
-
-2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
-
-3. In the Create Device Collection Wizard, in the **name** box, type **Windows 10 – All Current Branch for Business**.
-
-4. Click **Browse** to select the limiting collection, and then click **All Systems**.
-
-5. In **Membership rules**, click **Add Rule**, and then click **Query Rule**.
-
-6. Name the rule **CBB Detection**, and then click **Edit Query Statement**.
-
-7. On the **Criteria** tab, click the **New** icon.
-
- 
-
-8. In the **Criterion Properties** dialog box, leave the type as **Simple Value**, and then click **Select**.
-
-9. In the **Select Attribute** dialog box, from the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **OSBranch**, and then click **OK**.
-
- 
-
- >[!NOTE]
- >Configuration Manager discovers clients’ servicing branch and stores that value in the **OSBranch** attribute, which you will use to create collections based on servicing branch. The values in this attribute can be **0 (Current Branch)**, **1 (Current Branch for Business)**, or **2 (Long-Term Servicing Branch)**.
-
-10. Leave **Operator** set to **is equal to**; in the **Value** box, type **1**. Click **OK**.
-
- 
-
-11. Now that the **OSBranch** attribute is correct, verify the operating system version.
-
-12. On the **Criteria** tab, click the **New** icon again to add criteria.
-
-13. In the **Criterion Properties** dialog box, click **Select**.
-
-14. From the **Attribute class** list, select **System Resource**. From the **Attribute** list, select **Operating System Name and Version**, and then click **OK**.
-
- 
-
-15. In the **Value** box, type **Microsoft Windows NT Workstation 10.0**, and then click **OK**.
-
- 
-
-16. In the **Query Statement Properties** dialog box, you see two values. Click **OK**, and then click **OK** again to continue to the Create Device Collection Wizard.
-
-17. Click **Summary**, and then click **Next**.
-
-18. Close the wizard.
-
->[!IMPORTANT]
->Windows Insider PCs are discovered the same way as CB or CBB devices. If you have Windows Insider PCs that you use Configuration Manager to manage, then you should create a collection of those PCs and exclude them from this collection. You can create the membership for the Windows Insider collection either manually or by using a query where the operating system build doesn’t equal any of the current CB or CBB build numbers. You would have to update each periodically to include new devices or new operating system builds.
-
-After you have updated the membership, this new collection will contain all managed clients on the CBB servicing branch. You will use this collection as a limiting collection for future CBB-based collections and the **Ring 4 Broad broad business users** collection. Complete the following steps to create the **Ring 4 Broad business users** device collection, which you’ll use as a CBB deployment ring for servicing plans or task sequences.
-
-1. In the Configuration Manager console, go to Assets and Compliance\Overview\Device Collections.
-
-2. On the Ribbon, in the **Create** group, click **Create Device Collection**.
-
-3. In the Create Device Collection Wizard, in the **name** box, type **Ring 4 Broad business users**.
-
-4. Click **Browse** to select the limiting collection, and then click **Windows 10 – All Current Branch for Business**.
-
-5. In **Membership rules**, click **Add Rule**, and then click **Direct Rule**.
-
-6. In the **Create Direct Membership Rule Wizard** dialog box, click **Next**.
-
-7. In the **Value** field, type all or part of the name of a device to add, and then click **Next**.
-
-8. Select the computer that will be part of the **Ring 4 Broad business users** deployment ring, and then click **Next**.
-
-9. Click **Next**, and then click **Close**.
-
-10. In the **Create Device Collection Wizard** dialog box, click **Summary**.
-
-11. Click **Next**, and then click **Close**.
-
-
-## Use Windows 10 servicing plans to deploy Windows 10 feature updates
-
-There are two ways to deploy Windows 10 feature updates with Microsoft Endpoint Configuration Manager. The first is to use servicing plans, which provide an automated method to update devices consistently in their respective deployment rings, similar to Automatic Deployment Rules for software updates.
-
-**To configure Windows feature updates for CBB clients in the Ring 4 Broad business users deployment ring using a servicing plan**
-
-1. In the Configuration Manager console, go to Software Library\Overview\Windows 10 Servicing, and then click **Servicing Plans**.
-
-2. On the Ribbon, in the **Create** group, click **Create Servicing Plan**.
-
-3. Name the plan **Ring 4 Broad business users Servicing Plan**, and then click **Next**.
-
-4. On the **Servicing Plan page**, click **Browse**. Select the **Ring 4 Broad business users** collection, which you created in the [Create collections for deployment rings](#create-collections-for-deployment-rings) section, click **OK**, and then click **Next**.
-
- >[!IMPORTANT]
- >Microsoft added a new protection feature to Configuration Manager that prevents accidental installation of high-risk deployments such as operating system upgrades on site systems. If you select a collection (All Systems in this example) that has a site system in it, you may receive the following message.
- >
- >
- >
- >For details about how to manage the settings for high-risk deployments in Configuration Manager, see [Settings to manage high-risk deployments for Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt621992.aspx).
-
-5. On the **Deployment Ring** page, select the **Business Ready (Current Branch for Business)** readiness state, leave the delay at **0 days**, and then click **Next**.
-
- Doing so deploys CBB feature updates to the broad business users deployment ring immediately after they are released to CBB.
-
- On the Upgrades page, you specify filters for the feature updates to which this servicing plan is applicable. For example, if you wanted this plan to be only for Windows 10 Enterprise, you could select **Title**, and then type **Enterprise**.
-
-6. For this example, on the **Upgrades** page, click **Next** to leave the criterion blank.
-
-7. On the **Deployment Schedule** page, click **Next** to keep the default values of making the content available immediately and requiring installation by the 7-day deadline.
-
-8. On the **User Experience** page, from the **Deadline behavior** list, select **Software Installation and System restart (if necessary)**. From the **Device restart behavior** list, select **Workstations**, and then click **Next**.
-
- Doing so allows installation and restarts after the 7-day deadline on workstations only.
-
-9. On the **Deployment Package** page, select **Create a new deployment package**. In **Name**, type **CBB Upgrades**, select a share for your package source location, and then click **Next**.
-
- In this example, \\contoso-cm01\Sources\Windows 10 Feature Upgrades is a share on the Configuration Manager server that contains all the Windows 10 feature updates.
-
- 
-
-10. On the **Distribution Points** page, from the **Add** list, select **Distribution Point**.
-
- 
-
- Select the distribution points that serve the clients to which you’re deploying this servicing plan, and then click **OK**.
-
-11. Click **Summary**, click **Next** to complete the servicing plan, and then click **Close**.
-
-
-You have now created a servicing plan for the **Ring 4 Broad business users** deployment ring. By default, this rule is evaluated each time the software update point is synchronized, but you can modify this schedule by viewing the service plan’s properties on the **Evaluation Schedule** tab.
-
-
-
-
-## Use a task sequence to deploy Windows 10 updates
-
-There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
-
-- **LTSB feature updates**. With the LTSB servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
-- **Additional required tasks**. When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you must use task sequences to orchestrate the additional steps. Servicing plans do not have the ability to add steps to their deployments.
-
-Each time Microsoft releases a new Windows 10 build, it releases a new .iso file containing the latest build, as well. Regardless of the scenario that requires a task sequence to deploy the Windows 10 upgrade, the base process is the same. Start by creating an Operating System Upgrade Package in the Configuration Manager console:
-
-1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages.
-
-2. On the Ribbon, in the **Create** group, click **Add Operating System Upgrade Package**.
-
-3. On the **Data Source** page, type the path of the extracted .iso file of the new version of Windows 10 you’re deploying, and then click **Next**.
-
- In this example, the Windows 10 Enterprise 1607 installation media is deployed to \\contoso-cm01\Sources\Operating Systems\Windows 10 Enterprise\Windows 10 Enterprise - Version 1607.
-
-4. On the **General** page, in the **Name** field, type the name of the folder (**Windows 10 Enterprise - Version 1607** in this example). Set the **Version** to **1607**, and then click **Next**.
-
-5. On the **Summary** page, click **Next** to create the package.
-
-6. On the **Completion** page, click **Close**.
-
-Now that the operating system upgrade package has been created, the content in that package must be distributed to the correct distribution points so that the clients can access the content. Complete the following steps to distribute the package content to distribution points:
-
-1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Operating System Upgrade Packages, and then select the **Windows 10 Enterprise – Version 1607** software upgrade package.
-
-2. On the Ribbon, in the **Deployment group**, click **Distribute Content**.
-
-3. In the Distribute Content Wizard, on the **General** page, click **Next**.
-
-4. On the **Content Destination** page, click **Add**, and then click **Distribution Point**.
-
-5. In the **Add Distribution Points** dialog box, select the distribution point that will serve the clients receiving this package, and then click **OK**.
-
-6. On the **Content Destination** page, click **Next**.
-
-7. On the **Summary** page, click **Next** to distribute the content to the selected distribution point.
-
-8. On the **Completion** page, click **Close**.
-
-Now that the upgrade package has been created and its contents distributed, create the task sequence that will use it. Complete the following steps to create the task sequence, using the previously created deployment package:
-
-1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences.
-
-2. On the Ribbon, in the **Create** group, click **Create Task Sequence**.
-
-3. In the Create Task Sequence Wizard, on the **Create a new task sequence** page, select **Upgrade an operating system from upgrade package**, and then click **Next**.
-
-4. On the **Task Sequence Information** page, in **Task sequence name**, type **Upgrade Windows 10 Enterprise – Version 1607**, and then click **Next**.
-
-5. On the **Upgrade the Windows Operating system** page, click **Browse**, select the deployment package you created in the previous steps, and then click **OK**.
-
-6. Click **Next**.
-
-7. On the **Include Updates** page, select **Available for installation – All software updates**, and then click **Next**.
-
-8. On the **Install Applications** page, click **Next**.
-
-9. On the **Summary** page, click **Next** to create the task sequence.
-
-10. On the **Completion** page, click **Close**.
-
-With the task sequence created, you’re ready to deploy it. If you’re using this method to deploy most of your Windows 10 feature updates, you may want to create deployment rings to stage the deployment of this task sequence, with delays appropriate for the respective deployment ring. In this example, you deploy the task sequence to the **Ring 4 Broad business users collection**.
-
->[!IMPORTANT]
->This process deploys a Windows 10 operating system feature update to the affected devices. If you’re testing, be sure to select the collection to which you deploy this task sequence carefully.
-
-**To deploy your task sequence**
-
-1. In the Configuration Manager console, go to Software Library\Overview\Operating Systems\Task Sequences, and then select the **Upgrade Windows 10 Enterprise – Version 1607** task sequence.
-
-2. On the Ribbon, in the **Deployment** group, click **Deploy**.
-
-3. In the Deploy Software Wizard, on the **General** page, click **Browse**. Select the target collection, click **OK**, and then click **Next**.
-
-4. On the **Deployment Settings** page, for **purpose**, select **Required**, and then click **Next**.
-
-5. On the **Scheduling** page, select the **Schedule when this deployment will become available** check box (it sets the current time by default). For **Assignment schedule**, click **New**.
-
-6. In the **Assignment Schedule** dialog box, click **Schedule**.
-
-7. In the **Custom Schedule** dialog box, select the desired deadline, and then click **OK**.
-
-8. In the **Assignment Schedule** dialog box, click **OK**, and then click **Next**.
-
-9. On the **User Experience** page, in the **When the scheduled assignment time is reached, allow the following activities to be performed outside of the maintenance window** section, select **Software Installation** and **System restart** (if required to complete the installation), and then click **Next**.
-
-10. Use the defaults for the remaining settings.
-
-11. Click **Summary**, and then click **Next** to deploy the task sequence.
-
-12. Click **Close**.
-
-
-## Steps to manage updates for Windows 10
-
-| | |
-| --- | --- |
-|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager (this topic) |
-
-## See also
-
-[Manage Windows as a service using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service)
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Manage device restarts after updates](waas-restart.md)
-
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
index f559f6feee..2d3ffa0e03 100644
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md
@@ -28,17 +28,16 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi
## Proof-of-concept environment
+For the purposes of this topic, we will use three computers: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a domain member server. PC0001 is a computer running Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Prepare for deployment with MDT](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md).
-For the purposes of this topic, we will use three machines: DC01, CM01, and PC0001. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+
-
+The computers used in this topic.
-Figure 1. The machines used in this topic.
-
-## Upgrade to Windows 10 with System Center 2012 R2 Configuration Manager
+## Upgrade to Windows 10 with Configuration Manager
-System Center 2012 R2 Configuration Manager SP1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks.
+System Center 2012 R2 Configuration Manager SP 1 adds support to manage and deploy Windows 10. Although it does not include built-in support to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 to Windows 10, you can build a custom task sequence to perform the necessary tasks.
## Create the task sequence
@@ -114,13 +113,13 @@ Figure 2. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequ
After the task sequence finishes, the computer will be fully upgraded to Windows 10.
-## Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager Current Branch
+## Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager
-With Microsoft Endpoint Configuration Manager Current Branch, new built-in functionality makes it easier to upgrade to Windows 10.
+With Configuration Manager, new built-in functionality makes it easier to upgrade to Windows 10.
**Note**
-For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.
+For more details about Configuration Manager, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released.
@@ -150,7 +149,7 @@ Figure 3. The Configuration Manager upgrade task sequence.
### Create a device collection
-After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of Microsoft Endpoint Configuration Manager client installed.
+After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0001 machine running Windows 7 SP1, with the next version of Configuration Manager client installed.
1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
- General
diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
deleted file mode 100644
index ee85dd816a..0000000000
--- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
-description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
-ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: upgrade, update, task sequence, deploy
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mdt
-audience: itpro
-author: greg-lindsay
-ms.topic: article
----
-
-# Perform an in-place upgrade to Windows 10 with MDT
-
-**Applies to**
-- Windows 10
-
-The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process.
-
-## Proof-of-concept environment
-
-For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0001 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
-
-
-
-Figure 1. The machines used in this topic.
-
-## Set up the upgrade task sequence
-
-MDT adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple.
-
-## Create the MDT production deployment share
-
-The steps to create the deployment share for production are the same as when you created the deployment share to create the custom reference image:
-
-1. On MDT01, log on as Administrator in the CONTOSO domain with a password of P@ssw0rd.
-2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
-3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction**, and then click **Next**.
-4. On the **Share** page, in the **Share name** text box, type **MDTProduction$**, and then click **Next**.
-5. On the **Descriptive Name** page, in the **Deployment share** description text box, type **MDT Production**, and then click **Next**.
-6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
-7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
-
-## Add Windows 10 Enterprise x64 (full source)
-
-In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the E:\\Downloads\\Windows 10 Enterprise x64 folder.
-
-1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**.
-2. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
-3. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
- - Full set of source files
- - Source directory: E:\\Downloads\\Windows 10 Enterprise x64
- - Destination directory name: W10EX64RTM
-4. After you add the operating system, in the **Operating Systems / Windows 10** folder, double-click the added operating system name in the **Operating System** node and change the name to the following: **Windows 10 Enterprise x64 RTM Default Image**
-
-
-
-Figure 2. The imported Windows 10 operating system after you rename it.
-
-## Create a task sequence to upgrade to Windows 10 Enterprise
-
-1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**.
-2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- - Task sequence ID: W10-X64-UPG
- - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade
- - Template: Standard Client Upgrade Task Sequence
- - Select OS: Windows 10 Enterprise x64 RTM Default Image
- - Specify Product Key: Do not specify a product key at this time
- - Full Name: Contoso
- - Organization: Contoso
- - Internet Explorer home page: about:blank
- - Admin Password: Do not specify an Administrator Password at this time
-
-
-
-Figure 3. The task sequence to upgrade to Windows 10.
-
-## Perform the Windows 10 upgrade
-
-To initiate the in-place upgrade, perform the following steps on PC0003 (currently running Windows 7 SP1).
-
-1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**
-2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**.
-
- 
-
- Figure 4. Upgrade task sequence.
-
-3. On the **Credentials** tab, specify the **MDT\_BA** account, P@ssw0rd password, and **CONTOSO** for the domain. (Some or all of these values can be specified in Bootstrap.ini so they are automatically populated.)
-4. On the **Ready** tab, click **Begin** to start the task sequence.
- When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
-
-
-
-Figure 5. Upgrade from Windows 7 to Windows 10 Enterprise x64 with a task sequence.
-
-After the task sequence completes, the computer will be fully upgraded to Windows 10.
-
-## Related topics
-
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-
-[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
-
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index cd3a28b0ca..3479b54e9c 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -55,7 +55,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.
-Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager
+Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager
@@ -268,7 +268,7 @@ The deployment process for the replace scenario is as follows:
## Related topics
-- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230)
- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index fc6a392e8f..944908ad16 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -7,7 +7,6 @@ ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, sccm
ms.localizationpriority: medium
-ms.date: 10/11/2017
ms.reviewer:
manager: laurawi
ms.audience: itpro
@@ -446,7 +445,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
- Summary: click **Next**
- Confirmation: click **Finish**
-9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
+9. For purposes of this test lab, we will not add applications, such as Microsoft Office, to the deployment share. For information about adding applications, see the [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
10. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**
@@ -1074,10 +1073,3 @@ In the Configuration Manager console, in the Software Library workspace under Op
## Related Topics
[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides)
-
-
-
-
-
-
-
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 516142c42a..31298d382d 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -1,6 +1,6 @@
---
title: Demonstrate Autopilot deployment
-ms.reviewer:
+ms.reviewer:
manager: laurawi
description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
@@ -21,20 +21,23 @@ ms.custom: autopilot
**Applies to**
-- Windows 10
+- Windows 10
To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10.
-In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
+In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V.
->Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
+> [!NOTE]
+> Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
+
+> Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
The following video provides an overview of the process:
-
+
->For a list of terms used in this guide, see the [Glossary](#glossary) section.
+> For a list of terms used in this guide, see the [Glossary](#glossary) section.
## Prerequisites
@@ -83,9 +86,9 @@ A summary of the sections and procedures in the lab is provided below. Follow ea
## Verify support for Hyper-V
-If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later).
+If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later).
->If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
+> If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed.
@@ -103,9 +106,9 @@ This command works on all operating systems that support Hyper-V, but on Windows
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
```
-When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
+When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
->Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
+> Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
@@ -119,25 +122,25 @@ To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://
## Create a demo VM
-Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
+Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
-To use Windows Powershell we just need to know two things:
+To use Windows PowerShell, we just need to know two things:
1. The location of the Windows 10 ISO file.
- - In the example, we assume the location is **c:\iso\win10-eval.iso**.
+ - In the example, we assume the location is **c:\iso\win10-eval.iso**.
2. The name of the network interface that connects to the Internet.
- - In the example, we use a Windows PowerShell command to determine this automatically.
+ - In the example, we use a Windows PowerShell command to determine this automatically.
After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
### Set ISO file location
-You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
-- When asked to select a platform, choose **64 bit**.
+You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
+- When asked to select a platform, choose **64 bit**.
-After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
+After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
-1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
+1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
@@ -149,19 +152,19 @@ The Get-NetAdaper cmdlet is used below to automatically find the network adapter
(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
```
-The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
+The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
-### Use Windows PowerShell to create the demo VM
+### Use Windows PowerShell to create the demo VM
All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
->[!IMPORTANT]
->**VM switch**: a VM switch is how Hyper-V connects VMs to a network.
If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
If you have never created an external VM switch before, then just run the commands below.
+> [!IMPORTANT]
+> **VM switch**: a VM switch is how Hyper-V connects VMs to a network.
If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
If you have never created an external VM switch before, then just run the commands below.
```powershell
-New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
Start-VM -VMName WindowsAutopilot
@@ -222,13 +225,13 @@ Ensure the VM booted from the installation ISO, click **Next** then click **Inst
->After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
+After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
- 
+ 
Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
- 
+ 
To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
@@ -240,7 +243,8 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see
## Capture the hardware ID
->NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+> [!NOTE]
+> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
Follow these steps to run the PS script:
@@ -292,18 +296,19 @@ Mode LastWriteTime Length Name
PS C:\HWID>
-Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
+Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
-**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
+> [!NOTE]
+> Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
-You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
->[!NOTE]
->When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
+> [!NOTE]
+> When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
## Reset the VM back to Out-Of-Box-Experience (OOBE)
@@ -326,7 +331,7 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a
-If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
+If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
@@ -336,8 +341,8 @@ To convert your Intune trial account to a free Premium trial account, navigate t
If you already have company branding configured in Azure Active Directory, you can skip this step.
->[!IMPORTANT]
->Make sure to sign-in with a Global Administrator account.
+> [!IMPORTANT]
+> Make sure to sign-in with a Global Administrator account.
Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
@@ -345,8 +350,8 @@ Navigate to [Company branding in Azure Active Directory](https://portal.azure.co
When you are finished, click **Save**.
->[!NOTE]
->Changes to company branding can take up to 30 minutes to apply.
+> [!NOTE]
+> Changes to company branding can take up to 30 minutes to apply.
## Configure Microsoft Intune auto-enrollment
@@ -368,8 +373,8 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
- >[!NOTE]
- >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
+ > [!NOTE]
+ > If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank.
@@ -377,7 +382,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
-3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
+3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
@@ -385,8 +390,8 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
### Autopilot registration using MSfB
->[!IMPORTANT]
->If you've already registered your VM (or device) using Intune, then skip this step.
+> [!IMPORTANT]
+> If you've already registered your VM (or device) using Intune, then skip this step.
Optional: see the following video for an overview of the process.
@@ -408,8 +413,8 @@ Click the **Add devices** link to upload your CSV file. A message will appear in
## Create and assign a Windows Autopilot deployment profile
->[!IMPORTANT]
->Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab:
+> [!IMPORTANT]
+> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab:
Pick one:
- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
@@ -417,12 +422,12 @@ Pick one:
### Create a Windows Autopilot deployment profile using Intune
->[!NOTE]
->Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
+> [!NOTE]
+> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
->The example above lists both a physical device and a VM. Your list should only include only one of these.
+> The example above lists both a physical device and a VM. Your list should only include only one of these.
To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
@@ -458,7 +463,7 @@ See the following example:
Click on **OK** and then click on **Create**.
->If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
+> If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
#### Assign the profile
@@ -534,8 +539,8 @@ Confirm the profile was successfully assigned to the intended device by checking
->[!IMPORTANT]
->The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
+> [!IMPORTANT]
+> The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
## See Windows Autopilot in action
@@ -545,14 +550,14 @@ If you shut down your VM after the last reset, it’s time to start it back up a
Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
->[!TIP]
->If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
+> [!TIP]
+> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
- Ensure your device has an internet connection.
- Turn on the device
- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
-
+
Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
@@ -570,35 +575,38 @@ To use the device (or VM) for other purposes after completion of this lab, you w
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
-
+
Click **X** when challenged to complete the operation:
-
+
This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
-
+
-The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
+The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
+
+> [!NOTE]
+> A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
To remove the device from the Autopilot program, select the device and click Delete.
-
+
A warning message appears reminding you to first remove the device from Intune, which we previously did.
-
+
At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
-
+
Once the device no longer appears, you are free to reuse it for other purposes.
If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
-
+
## Appendix A: Verify support for Hyper-V
@@ -618,9 +626,9 @@ Hyper-V Requirements: VM Monitor Mode Extensions: Yes
In this example, the computer supports SLAT and Hyper-V.
->If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+> If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
-You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
+You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [Coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
C:>coreinfo -v
@@ -637,7 +645,8 @@ VMX * Supports Intel hardware-assisted virtualization
EPT * Supports Intel extended page tables (SLAT)
-Note: A 64-bit operating system is required to run Hyper-V.
+> [!NOTE]
+> A 64-bit operating system is required to run Hyper-V.
## Appendix B: Adding apps to your profile
@@ -645,10 +654,10 @@ Note: A 64-bit operating system is required to run Hyper-V.
#### Prepare the app for Intune
-Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
1. The source folder for your application
-2. The name of the setup executable file
+2. The name of the setup executable file
3. The output folder for the new file
For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
@@ -657,7 +666,7 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms
Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
-
+
After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
@@ -667,50 +676,51 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Windows app (Win32)**:
-
+
On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
-
+
On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
-
+
On the **Program Configuration** blade, supply the install and uninstall commands:
Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
-NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
+> [!NOTE]
+> Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
-
+
-Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
Click **OK** to save your input and activate the **Requirements** blade.
On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
-
+
Next, configure the **Detection rules**. For our purposes, we will select manual format:
-
+
Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
-
+
-Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
+Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
**Return codes**: For our purposes, leave the return codes at their default values:
-
+
Click **OK** to exit.
@@ -720,31 +730,32 @@ Click the **Add** button to finalize and save your app package.
Once the indicator message says the addition has completed.
-
+
You will be able to find your app in your app list:
-
+
#### Assign the app to your Intune profile
-**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
-
+> [!NOTE]
+> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+
In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+
Select **Add Group** to open the **Add group** pane that is related to the app.
For our purposes, select **Required** from the **Assignment type** dropdown menu:
->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
-
+
In the **Select groups** pane, click the **Select** button.
@@ -754,7 +765,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+
At this point, you have completed steps to add a Win32 app to Intune.
@@ -768,51 +779,52 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Office 365 Suite > Windows 10**:
-
+
Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
-
+
Click **OK**.
-In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
+In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
->Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
+> Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
-
+
Click **OK**.
In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
-
+
Click **OK** and then click **Add**.
#### Assign the app to your Intune profile
-**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
-
+> [!NOTE]
+> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+
In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+
Select **Add Group** to open the **Add group** pane that is related to the app.
For our purposes, select **Required** from the **Assignment type** dropdown menu:
->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
-
+
In the **Select groups** pane, click the **Select** button.
@@ -822,7 +834,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+
At this point, you have completed steps to add Office to Intune.
@@ -830,7 +842,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app
If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
-
+
## Glossary
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
index f58d814409..010a4d2420 100644
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -42,6 +42,46 @@ For troubleshooting, key activities to perform are:
- Azure AD join issues. Was the device able to join Azure Active Directory?
- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?
+## Troubleshooting Autopilot Device Import
+
+### Clicking Import after selecting CSV does nothing, '400' error appears in network trace with error body **"Cannot convert the literal '[DEVICEHASH]' to the expected type 'Edm.Binary'"**
+
+This error points to the device hash being incorrectly formatted. This could be caused by anything that corrupts the collected hash, but one possibility is that the hash itself, even if completely valid, fails to be decoded.
+
+The device hash is Base64. At the device level, it's encoded as unpadded Base64, but Autopilot expects padded Base64. In most cases, it seems the payload lines up to not require padding, so the process works, but sometimes it doesn't line up cleanly and padding is necessary. This is when you get the error above. Powershell's Base64 decoder also expects padded Base64, so we can use that to validate that the hash is properly padded.
+
+The "A" characters at the end of the hash are effectively empty data - Each character in Base64 is 6 bits, A in Base64 is 6 bits equal to 0. Deleting or adding "A"s at the end doesn't change the actual payload data.
+
+To fix this, we'll need to modify the hash, then test the new value, until powershell succeeds in decoding the hash. The result is mostly illegible, this is fine - we're just looking for it to not throw the error "Invalid length for a Base-64 char array or string".
+
+To test the base64, you can use the following:
+```powershell
+[System.Text.Encoding]::ascii.getstring( [System.Convert]::FromBase64String("DEVICE HASH"))
+```
+
+So, as an example (this is not a device hash, but it's misaligned unpadded Base64 so it's good for testing):
+```powershell
+[System.Text.Encoding]::ascii.getstring( [System.Convert]::FromBase64String("Q29udG9zbwAAA"))
+```
+
+Now for the padding rules. The padding character is "=". The padding character can only be at the end of the hash, and there can only be a maximum of 2 padding characters. Here's the basic logic.
+
+- Does decoding the hash fail?
+ - Yes: Are the last two characters "="?
+ - Yes: Replace both "=" with a single "A" character, then try again
+ - No: Add another "=" character at the end, then try again
+ - No: That hash is valid
+
+Looping the logic above on the previous example hash, we get the following permutations:
+- Q29udG9zbwAAA
+- Q29udG9zbwAAA=
+- Q29udG9zbwAAA==
+- Q29udG9zbwAAAA
+- Q29udG9zbwAAAA=
+- **Q29udG9zbwAAAA==** (This one has valid padding)
+
+Replace the collected hash with this new padded hash then try to import again.
+
## Troubleshooting Autopilot OOBE issues
If the expected Autopilot behavior does not occur during the out-of-box experience (OOBE), it is useful to see whether the device received an Autopilot profile and what settings that profile contained. Depending on the Windows 10 release, there are different mechanisms available to do that.
diff --git a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md
index 8fa6e44dc7..3fde86eb4c 100644
--- a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md
+++ b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md
@@ -18,12 +18,12 @@ ms.reviewer:
robots: noindex,nofollow
---
+# Microsoft Windows diagnostic data for PowerShell license terms
+
MICROSOFT SOFTWARE LICENSE TERMS
MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL
-
-
These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or additional terms, in which case those different terms apply prospectively and do not alter your or Microsoft’s rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.
1. INSTALLATION AND USE RIGHTS.
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index 786649ef6a..e4464fdddc 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -161,7 +161,6 @@ The following methodology was used to derive these network endpoints:
|||HTTPS|ris.api.iris.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
|||HTTPS|*.prod.do.dsp.mp.microsoft.com|
-|||HTTP|cs9.wac.phicdn.net|
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com|
|||HTTP|*.windowsupdate.com|
diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
index 3e723fd5a0..7a74412dba 100644
--- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -37,7 +37,6 @@ sections:
MSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
See details >Resolved January 23, 2020
02:08 PM PTIntermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.
See details >September 24, 2019
KB4516048Resolved
KB4519976October 08, 2019
10:00 AM PTYou may receive an error when opening or using the Toshiba Qosmio AV Center
Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll.
See details >August 13, 2019
KB4512506Resolved
KB4516048September 24, 2019
10:00 AM PTWindows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed
See details >August 13, 2019
KB4512506Resolved External August 27, 2019
02:29 PM PTYou may receive an error when opening or using the Toshiba Qosmio AV Center
Back to topAugust 13, 2019
KB4512506Resolved
KB4516048Resolved:
September 24, 2019
10:00 AM PT
Opened:
September 10, 2019
09:48 AM PT
- "
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index 1393cd0b82..28f4b85576 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -50,6 +50,7 @@ sections:
text: "
Details Originating update Status History Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Back to topAugust 13, 2019
KB4512506Resolved External Last updated:
August 27, 2019
02:29 PM PT
Opened:
August 13, 2019
10:05 AM PTMessage Date February 2020 Windows 10, version 1909 and Windows 10, version 1903 \"D\" optional release is available February 27, 2020
01:30 PM PTFebruary 2020 Windows \"C\" optional release is available. February 25, 2020
08:00 AM PTStatus of February 2020 “C” release February 21, 2020
12:00 PM PTCompatibility issue with some Windows Server container images February 13, 2020
03:21 PM PT
uk-v20.events.data.microsoft.com |
| United States | unitedstates.x.cp.wd.microsoft.com
us-v20.events.data.microsoft.com |
+> [!NOTE]
+> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server)
+
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
- Transparent proxy
- Manual static proxy configuration
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index be43f23ee8..fa9b382efb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -114,6 +114,10 @@ Microsoft regularly publishes software updates to improve performance, security,
Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md).
+## macOS kernel and system extensions
+
+In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. Visit [What's new in Microsoft Defender Advanced Threat Protection for Mac](mac-whatsnew.md) for relevant details.
+
## Resources
- For more information about logging, uninstalling, or other topics, see the [Resources](mac-resources.md) page.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
index a28cd30703..ff425c7895 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
@@ -22,7 +22,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Microsoft Threat Experts is a managed detection and response (MDR) service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.
+Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.
This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index 2fc67b8211..d54f893ac4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -58,7 +58,7 @@ The following is in scope for this project:
capabilities including automatic investigation and remediation
- Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
-- Use of System Center Configuration Manager to onboard endpoints into the service.
+- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service.
### Out of scope
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 4e93583820..6bed8fc78a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -25,13 +25,13 @@ ms.topic: article
Proper planning is the foundation of a successful deployment. In this deployment scenario, you'll be guided through the steps on:
- Tenant configuration
- Network configuration
-- Onboarding using System Center Configuration Manager
+- Onboarding using Microsoft Endpoint Configuration Manager
- Endpoint detection and response
- Next generation protection
- Attack surface reduction
>[!NOTE]
->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of System Center Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
+>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
## Tenant Configuration
@@ -111,7 +111,7 @@ under:
Preview Builds \> Configure Authenticated Proxy usage for the Connected User
Experience and Telemetry Service
- - Set it to **Enabled** and select**Disable Authenticated Proxy usage**
+ - Set it to **Enabled** and select�**Disable Authenticated Proxy usage**
1. Open the Group Policy Management Console.
2. Create a policy or edit an existing policy based off the organizational practices.
@@ -205,9 +205,9 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
> [!NOTE]
> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
-## Onboarding using System Center Configuration Manager
+## Onboarding using Microsoft Endpoint Configuration Manager
### Collection creation
-To onboard Windows 10 devices with System Center Configuration Manager, the
+To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
deployment can target either and existing collection or a new collection can be
created for testing. The onboarding like group policy or manual method does
not install any agent on the system. Within the Configuration Manager console
@@ -217,55 +217,54 @@ maintain that configuration for as long as the Configuration Manager client
continues to receive this policy from the management point. Follow the steps
below to onboard systems with Configuration Manager.
-1. In System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
+1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
- 
+ 
2. Right Click **Device Collection** and select **Create Device Collection**.
- 
+ 
3. Provide a **Name** and **Limiting Collection**, then select **Next**.
- 
+ 
4. Select **Add Rule** and choose **Query Rule**.
- 
+ 
5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
- 
+ 
6. Select **Criteria** and then choose the star icon.
- 
+ 
7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.
- 
+ 
8. Select **Next** and **Close**.
- 
+ 
9. Select **Next**.
- 
+ 
After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
## Endpoint detection and response
### Windows 10
From within the Microsoft Defender Security Center it is possible to download
-the '.onboarding' policy that can be used to create the policy in System Center Configuration
-Manager and deploy that policy to Windows 10 devices.
+the '.onboarding' policy that can be used to create the policy in Microsoft Endpoint Configuration Manager and deploy that policy to Windows 10 devices.
1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
-2. Under Deployment method select the supported version of **System Center Configuration Manager**.
+2. Under Deployment method select the supported version of **Configuration Manager**.
@@ -274,15 +273,15 @@ Manager and deploy that policy to Windows 10 devices.
4. Save the package to an accessible location.
-5. In System Center Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
+5. In Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
- 
+ 
7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
- 
+ 
8. Click **Browse**.
@@ -305,7 +304,7 @@ Manager and deploy that policy to Windows 10 devices.
15. Click **Close** when the Wizard completes.
-16. In the System Center Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
+16. In the Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
@@ -371,14 +370,14 @@ Specifically, for Windows 7 SP1, the following patches must be installed:
[KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
Do not install both on the same system.
-To deploy the MMA with System Center Configuration Manager, follow the steps
+To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps
below to utilize the provided batch files to onboard the systems. The CMD file
when executed, will require the system to copy files from a network share by the
System, the System will install MMA, Install the DependencyAgent, and configure
MMA for enrollment into the workspace.
-1. In System Center Configuration Manager console, navigate to **Software
+1. In the Configuration Manager console, navigate to **Software
Library**.
2. Expand **Application Management**.
@@ -387,15 +386,15 @@ MMA for enrollment into the workspace.
4. Provide a Name for the package, then click **Next**
- 
+ 
5. Verify **Standard Program** is selected.
- 
+ 
6. Click **Next**.
- 
+ 
7. Enter a program name.
@@ -411,17 +410,17 @@ MMA for enrollment into the workspace.
13. Click **Next**.
- 
+ 
14. Verify the configuration, then click **Next**.
- 
+ 
15. Click **Next**.
16. Click **Close**.
-17. In the System Center Configuration Manager console, right-click the Microsoft Defender ATP
+17. In the Configuration Manager console, right-click the Microsoft Defender ATP
Onboarding Package just created and select **Deploy**.
18. On the right panel select the appropriate collection.
@@ -431,7 +430,7 @@ MMA for enrollment into the workspace.
## Next generation protection
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
-1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
+1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
@@ -481,9 +480,9 @@ Protection. All these features provide an audit mode and a block mode. In audit
To set ASR rules in Audit mode:
-1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
- 
+ 
2. Select **Attack Surface Reduction**.
@@ -491,26 +490,26 @@ To set ASR rules in Audit mode:
3. Set rules to **Audit** and click **Next**.
- 
+ 
4. Confirm the new Exploit Guard policy by clicking on **Next**.
- 
+ 
5. Once the policy is created click **Close**.
- 
+ 
6. Right-click on the newly created policy and choose **Deploy**.
- 
+ 
7. Target the policy to the newly created Windows 10 collection and click **OK**.
- 
+ 
After completing this task, you now have successfully configured ASR rules in audit mode.
@@ -541,15 +540,15 @@ detections](https://docs.microsoft.com/windows/security/threat-protection/micros
### To set Network Protection rules in Audit mode:
-1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
- 
+ 
2. Select **Network protection**.
3. Set the setting to **Audit** and click **Next**.
- 
+ 
4. Confirm the new Exploit Guard Policy by clicking **Next**.
@@ -561,42 +560,42 @@ detections](https://docs.microsoft.com/windows/security/threat-protection/micros
6. Right-click on the newly created policy and choose **Deploy**.
- 
+ 
7. Select the policy to the newly created Windows 10 collection and choose **OK**.
- 
+ 
After completing this task, you now have successfully configured Network
Protection in audit mode.
### To set Controlled Folder Access rules in Audit mode:
-1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
- 
+ 
2. Select **Controlled folder access**.
3. Set the configuration to **Audit** and click **Next**.
- 
+ 
4. Confirm the new Exploit Guard Policy by clicking on **Next**.
- 
+ 
5. Once the policy is created click on **Close**.
- 
+ 
6. Right-click on the newly created policy and choose **Deploy**.
- 
+ 
7. Target the policy to the newly created Windows 10 collection and click **OK**.
- 
+ 
After completing this task, you now have successfully configured Controlled folder access in audit mode.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 9f6f5b45c6..14398b7265 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -8,8 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -18,15 +18,19 @@ ms.topic: article
---
# Threat & Vulnerability Management scenarios
+
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
## Before you begin
+
Ensure that your machines:
+
- Are onboarded to Microsoft Defender Advanced Threat Protection
- Run with Windows 10 1709 (Fall Creators Update) or later
@@ -47,15 +51,18 @@ Ensure that your machines:
- Are tagged or marked as co-managed
## Reduce your threat and vulnerability exposure
+
Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
+
- Weaknesses, such as vulnerabilities discovered on the device
- External and internal threats such as public exploit code and security alerts
- Likelihood of the device to get breached given its current security posture
- Value of the device to the organization given its role and content
The exposure score is broken down into the following levels:
+
- 0–29: low exposure score
- 30–69: medium exposure score
- 70–100: high exposure score
@@ -65,15 +72,19 @@ You can remediate the issues based on prioritized security recommendations to re
To lower down your threat and vulnerability exposure:
1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. The **Security recommendation** page opens.
-
- >>
- >[!NOTE]
- > There are two types of recommendations:
- > - Security update which refers to recommendations that require a package installation
- > - Configuration change which refers to recommendations that require a registry or GPO modification
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and possible active alert  icon.
-
+ There are two types of recommendations:
+
+ - *Security update* which refers to recommendations that require a package installation
+ - *Configuration change* which refers to recommendations that require a registry or GPO modification
+
+ Always prioritize recommendations that are associated with ongoing threats:
+
+ -  Threat insight icon
+ -  Active alert icon
+
+ >
+
2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. 
3. Click **Installed machines** and select the affected machine from the list to open the flyout panel with the relevant machine details, exposure and risk levels, alert and incident activities. 
@@ -81,13 +92,13 @@ To lower down your threat and vulnerability exposure:
4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. 
5. Allow a few hours for the changes to propagate in the system.
-
+
6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
## Improve your security configuration
>[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md).
+> Secure score is now part of Threat & Vulnerability Management as [Configuration score](configuration-score.md).
You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
@@ -95,14 +106,15 @@ You can improve your security configuration when you remediate issues from the s
>
-2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
+2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
+
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
- >.
+ >.
- >You will see a confirmation message that the remediation task has been created.
+ You will see a confirmation message that the remediation task has been created.
>
4. Save your CSV file.
@@ -113,6 +125,7 @@ You can improve your security configuration when you remediate issues from the s
6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
## Request a remediation
+
>[!NOTE]
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
@@ -134,6 +147,7 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT
>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
## File for exception
+
With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request.
There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.
@@ -142,7 +156,6 @@ Exceptions can be created for both *Security update* and *Configuration change*
When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
-
1. Navigate to the **Security recommendations** page under the **Threat & Vulnerability Management** section menu.
2. Click the top-most recommendation. A flyout panel opens with the recommendation details.
@@ -157,10 +170,10 @@ When an exception is created for a recommendation, the recommendation is no long
5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
-6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
-
+6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
+
-## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
+## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
1. Go to **Advanced hunting** from the left-hand navigation pane.
@@ -169,38 +182,41 @@ When an exception is created for a recommendation, the recommendation is no long
3. Enter the following queries:
```kusto
-// Search for machines with High active alerts or Critical CVE public exploit
-DeviceTvmSoftwareInventoryVulnerabilities
-| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
+// Search for machines with High active alerts or Critical CVE public exploit
+DeviceTvmSoftwareInventoryVulnerabilities
+| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
| where IsExploitAvailable == 1 and CvssScore >= 7
-| summarize NumOfVulnerabilities=dcount(CveId),
-DeviceName=any(DeviceName) by DeviceId
+| summarize NumOfVulnerabilities=dcount(CveId),
+DeviceName=any(DeviceName) by DeviceId
| join kind =inner(DeviceAlertEvents) on DeviceId
-| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
-DeviceName=any(DeviceName) by DeviceId, AlertId
+| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
+DeviceName=any(DeviceName) by DeviceId, AlertId
| project DeviceName, NumOfVulnerabilities, AlertId
-| order by NumOfVulnerabilities desc
+| order by NumOfVulnerabilities desc
```
-## Conduct an inventory of software or software versions which have reached their end-of-life
-End-of-life for software or software versions means that they will no longer be supported nor serviced. When you use software or software versions which have reached their end-of-life, you're exposing your organization to security vulnerabilities, legal, and financial risks.
+## Conduct an inventory of software or software versions which have reached end-of-support (EOS)
-It is crucial for you as Security and IT Administrators to work together and ensure that your organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem.
+End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
+
+It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem.
+
+To conduct an inventory of software or software versions which have reached end-of-support:
-To conduct an inventory of software or software versions which have reached their end of life:
1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**.
-2. Go to the **Filters** panel and select **Software uninstall** from **Remediation Type** options if you want to see the list of software recommendations associated with software which have reached their end-of-life (tagged as **EOL software**). Select **Software update** from **Remediation Type** options if you want to see the list of software recommendations associated with software and software versions which have reached their end-of-life (tagged as **EOL versions installed**).
-3. Select a software that you'd like to investigate. A fly-out screen opens where you can select **Open software page**.
-
+2. Go to the **Filters** panel and select **Software uninstall** from **Remediation Type** options to see the list of software recommendations associated with software which have reached end of support (tagged as **EOS software**).
+3. Select **Software update** from **Remediation Type** options to see the list of software recommendations associated with software and software versions which have reached end-of-support (tagged as **EOS versions installed**).
+4. Select software that you'd like to investigate. A fly-out screen opens where you can select **Open software page**.
+
-4. In the **Software page** select the **Version distribution** tab to know which versions of the software have reached their end-of-life, and how many vulnerabilities were discovered in it.
-
-
-After you have identified which software and software versions are vulnerable due to its end-of-life status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
+5. In the **Software page** select the **Version distribution** tab to know which versions of the software have reached their end-of-support, and how many vulnerabilities were discovered in it.
+
+After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
## Related topics
+
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
index aa2f21d63e..e64f5c502c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -81,7 +81,10 @@ Learn more at https://www.cyren.com/products/url-filtering.
### Signing up for a Cyren License
-Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers. To sign up, please follow the steps below from the portal.
+Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers. To sign up, please follow the steps below from the portal.
+
+>[!NOTE]
+>Make sure to add the URL you get redirected to by the signup process to the list of approved domains.
>[!NOTE]
>A user with AAD app admin/global admin permissions is required to complete these steps.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 6c817499da..97a45e8794 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -1,8 +1,8 @@
---
-title: Configure Windows Defender Antivirus exclusions on Windows Server 2016
+title: Configure Windows Defender Antivirus exclusions on Windows Server 2016 or 2019
ms.reviewer:
manager: dansimp
-description: Windows Server 2016 includes automatic exclusions, based on server role. You can also add custom exclusions.
+description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Windows Defender Antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -22,48 +22,47 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions.
+Windows Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
-These exclusions will not appear in the standard exclusion lists shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
-
-You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as described in these exclusion-related topics:
+> [!NOTE]
+> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
+In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to these articles:
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-Custom exclusions take precedence over automatic exclusions.
+## A few points to keep in mind
-> [!TIP]
-> Custom and duplicate exclusions do not conflict with automatic exclusions.
+- Custom exclusions take precedence over automatic exclusions.
-Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
+- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
+
+- Custom and duplicate exclusions do not conflict with automatic exclusions.
+
+- Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions
-In Windows Server 2016, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt out of the automatic exclusions delivered in Security intelligence updates.
+In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
> [!WARNING]
-> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles.
+> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
-> [!NOTE]
-> This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions.
-
-> [!TIP]
-> Since the predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path *different than the original one*, you would have to manually add the exclusions using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
+Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-windows-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
-### Use Group Policy to disable the auto-exclusions list on Windows Server 2016
+### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure, and then click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
-3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Exclusions**.
-4. Double-click **Turn off Auto Exclusions** and set the option to **Enabled**. Click **OK**.
+4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**.
-**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
+### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019
Use the following cmdlets:
@@ -71,11 +70,13 @@ Use the following cmdlets:
Set-MpPreference -DisableAutoExclusions $true
```
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+[Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md).
-### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016
+[Use PowerShell with Windows Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
+### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019
+
+Use the **Set** method of the [MSFT_MpPreference](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
DisableAutoExclusions
@@ -85,212 +86,221 @@ See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
## List of automatic exclusions
+
The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.
### Default exclusions for all roles
-This section lists the default exclusions for all Windows Server 2016 roles.
-- Windows "temp.edb" files:
+This section lists the default exclusions for all Windows Server 2016 and 2019 roles.
- - *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
+#### Windows "temp.edb" files
- - *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
+- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
-- Windows Update files or Automatic Update files:
+- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
- - *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
+#### Windows Update files or Automatic Update files
- - *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
+- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
- - *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
+- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
- - *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
+- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
- - *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
+- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
-- Windows Security files:
+- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
- - *%windir%*\Security\database\\*.chk
+#### Windows Security files
- - *%windir%*\Security\database\\*.edb
+- *%windir%*\Security\database\\*.chk
- - *%windir%*\Security\database\\*.jrs
+- *%windir%*\Security\database\\*.edb
- - *%windir%*\Security\database\\*.log
+- *%windir%*\Security\database\\*.jrs
- - *%windir%*\Security\database\\*.sdb
+- *%windir%*\Security\database\\*.log
-- Group Policy files:
+- *%windir%*\Security\database\\*.sdb
- - *%allusersprofile%*\NTUser.pol
+#### Group Policy files
- - *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
+- *%allusersprofile%*\NTUser.pol
- - *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
+- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
-- WINS files:
+- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
- - *%systemroot%*\System32\Wins\\*\\\*.chk
+#### WINS files
- - *%systemroot%*\System32\Wins\\*\\\*.log
+- *%systemroot%*\System32\Wins\\*\\\*.chk
- - *%systemroot%*\System32\Wins\\*\\\*.mdb
+- *%systemroot%*\System32\Wins\\*\\\*.log
- - *%systemroot%*\System32\LogFiles\
+- *%systemroot%*\System32\Wins\\*\\\*.mdb
- - *%systemroot%*\SysWow64\LogFiles\
+- *%systemroot%*\System32\LogFiles\
-- File Replication Service (FRS) exclusions:
+- *%systemroot%*\SysWow64\LogFiles\
- - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
+#### File Replication Service (FRS) exclusions
- - *%windir%*\Ntfrs\jet\sys\\*\edb.chk
+- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
+ - *%windir%*\Ntfrs\jet\sys\\*\edb.chk
- - *%windir%*\Ntfrs\jet\log\\*\\\*.log
+ - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
- - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
+ - *%windir%*\Ntfrs\jet\log\\*\\\*.log
- -*%windir%*\Ntfrs\\*\Edb\*.log
+- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
- - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
+ - *%windir%*\Ntfrs\\*\Edb\*.log
- - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
+- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
+ - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
- - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
+- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
- - The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
+ - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
- > [!NOTE]
- > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions).
+- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
- - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
+ > [!NOTE]
+ > For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus#opt-out-of-automatic-exclusions).
- - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
+ - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
- - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
+ - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
- - *%systemdrive%*\System Volume Information\DFSR\\*.XML
+ - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
- - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
+ - *%systemdrive%*\System Volume Information\DFSR\\*.XML
- - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
+ - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
- - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
+ - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
- - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
+ - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
- - *%systemdrive%*\System Volume Information\DFSR\\*.frx
+ - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
- - *%systemdrive%*\System Volume Information\DFSR\\*.log
+ - *%systemdrive%*\System Volume Information\DFSR\\*.frx
- - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
+ - *%systemdrive%*\System Volume Information\DFSR\\*.log
- - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
+ - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
-- Process exclusions
+ - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
- - *%systemroot%*\System32\dfsr.exe
+#### Process exclusions
- - *%systemroot%*\System32\dfsrs.exe
+- *%systemroot%*\System32\dfsr.exe
-- Hyper-V exclusions:
+- *%systemroot%*\System32\dfsrs.exe
- - This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
+#### Hyper-V exclusions
- - File type exclusions:
+This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
- - *.vhd
+- File type exclusions:
- - *.vhdx
+ - *.vhd
- - *.avhd
+ - *.vhdx
- - *.avhdx
+ - *.avhd
- - *.vsv
+ - *.avhdx
- - *.iso
+ - *.vsv
- - *.rct
+ - *.iso
- - *.vmcx
+ - *.rct
- - *.vmrs
+ - *.vmcx
- - Folder exclusions:
+ - *.vmrs
- - *%ProgramData%*\Microsoft\Windows\Hyper-V
+- Folder exclusions:
- - *%ProgramFiles%*\Hyper-V
+ - *%ProgramData%*\Microsoft\Windows\Hyper-V
- - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
+ - *%ProgramFiles%*\Hyper-V
- - *%Public%*\Documents\Hyper-V\Virtual Hard Disks
+ - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
- - Process exclusions:
+ - *%Public%*\Documents\Hyper-V\Virtual Hard Disks
- - *%systemroot%*\System32\Vmms.exe
+- Process exclusions:
- - *%systemroot%*\System32\Vmwp.exe
+ - *%systemroot%*\System32\Vmms.exe
-- SYSVOL files:
+ - *%systemroot%*\System32\Vmwp.exe
- - *%systemroot%*\Sysvol\Domain\\*.adm
+#### SYSVOL files
- - *%systemroot%*\Sysvol\Domain\\*.admx
+- *%systemroot%*\Sysvol\Domain\\*.adm
- - *%systemroot%*\Sysvol\Domain\\*.adml
+- *%systemroot%*\Sysvol\Domain\\*.admx
- - *%systemroot%*\Sysvol\Domain\Registry.pol
+- *%systemroot%*\Sysvol\Domain\\*.adml
- - *%systemroot%*\Sysvol\Domain\\*.aas
+- *%systemroot%*\Sysvol\Domain\Registry.pol
- - *%systemroot%*\Sysvol\Domain\\*.inf
+- *%systemroot%*\Sysvol\Domain\\*.aas
- - *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
+- *%systemroot%*\Sysvol\Domain\\*.inf
- - *%systemroot%*\Sysvol\Domain\\*.ins
+- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
- - *%systemroot%*\Sysvol\Domain\Oscfilter.ini
+- *%systemroot%*\Sysvol\Domain\\*.ins
+
+- *%systemroot%*\Sysvol\Domain\Oscfilter.ini
### Active Directory exclusions
+
This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
-- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
+#### NTDS database files
- - %windir%\Ntds\ntds.dit
+The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- - %windir%\Ntds\ntds.pat
+- %windir%\Ntds\ntds.dit
-- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
+- %windir%\Ntds\ntds.pat
- - %windir%\Ntds\EDB*.log
+#### The AD DS transaction log files
- - %windir%\Ntds\Res*.log
+The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
- - %windir%\Ntds\Edb*.jrs
+- %windir%\Ntds\EDB*.log
- - %windir%\Ntds\Ntds*.pat
+- %windir%\Ntds\Res*.log
- - %windir%\Ntds\EDB*.log
+- %windir%\Ntds\Edb*.jrs
- - %windir%\Ntds\TEMP.edb
+- %windir%\Ntds\Ntds*.pat
-- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
+- %windir%\Ntds\EDB*.log
- - %windir%\Ntds\Temp.edb
+- %windir%\Ntds\TEMP.edb
- - %windir%\Ntds\Edb.chk
+#### The NTDS working folder
-- Process exclusions for AD DS and AD DS-related support files:
+This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- - %systemroot%\System32\ntfrs.exe
+- %windir%\Ntds\Temp.edb
- - %systemroot%\System32\lsass.exe
+- %windir%\Ntds\Edb.chk
+
+#### Process exclusions for AD DS and AD DS-related support files
+
+- %systemroot%\System32\ntfrs.exe
+
+- %systemroot%\System32\lsass.exe
### DHCP Server exclusions
@@ -310,19 +320,19 @@ This section lists the exclusions that are delivered automatically when you inst
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
-- File and folder exclusions for the DNS Server role:
+#### File and folder exclusions for the DNS Server role
- - *%systemroot%*\System32\Dns\\*\\\*.log
+- *%systemroot%*\System32\Dns\\*\\\*.log
- - *%systemroot%*\System32\Dns\\*\\\*.dns
+- *%systemroot%*\System32\Dns\\*\\\*.dns
- - *%systemroot%*\System32\Dns\\*\\\*.scc
+- *%systemroot%*\System32\Dns\\*\\\*.scc
- - *%systemroot%*\System32\Dns\\*\BOOT
+- *%systemroot%*\System32\Dns\\*\BOOT
-- Process exclusions for the DNS Server role:
+#### Process exclusions for the DNS Server role
- - *%systemroot%*\System32\dns.exe
+- *%systemroot%*\System32\dns.exe
### File and Storage Services exclusions
@@ -338,43 +348,45 @@ This section lists the file and folder exclusions that are delivered automatical
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
-- File type exclusions:
+#### File type exclusions
- - *.shd
+- *.shd
- - *.spl
+- *.spl
-- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
+#### Folder exclusions
- - *%system32%*\spool\printers\\*
+This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
-- Process exclusions:
+- *%system32%*\spool\printers\\*
- - spoolsv.exe
+#### Process exclusions
+
+- spoolsv.exe
### Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
-- Folder exclusions:
+#### Folder exclusions
- - *%SystemRoot%*\IIS Temporary Compressed Files
+- *%SystemRoot%*\IIS Temporary Compressed Files
- - *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
+- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
- - *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
+- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
- - *%systemDrive%*\inetpub\logs
+- *%systemDrive%*\inetpub\logs
- - *%systemDrive%*\inetpub\wwwroot
+- *%systemDrive%*\inetpub\wwwroot
-- Process exclusions:
+#### Process exclusions
- - *%SystemRoot%*\system32\inetsrv\w3wp.exe
+- *%SystemRoot%*\system32\inetsrv\w3wp.exe
- - *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
+- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
- - *%SystemDrive%*\PHP5433\php-cgi.exe
+- *%SystemDrive%*\PHP5433\php-cgi.exe
### Windows Server Update Services exclusions
@@ -391,7 +403,11 @@ This section lists the folder exclusions that are delivered automatically when y
## Related articles
- [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
+
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg b/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg
new file mode 100644
index 0000000000..9376fba47e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png b/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png
index f9ef1da5f7..d9664338fe 100644
Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png and b/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
new file mode 100644
index 0000000000..77a5c15cf1
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
@@ -0,0 +1,87 @@
+---
+title: "Better together - Windows Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats"
+description: "Office 365, which includes OneDrive, goes together wonderfully with Windows Defender Antivirus. Read this article to learn more."
+keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.topic: article
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 03/04/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Better together: Windows Defender Antivirus and Office 365
+
+**Applies to:**
+
+- Windows Defender Antivirus
+- Office 365
+
+You might already know that:
+
+- **Windows Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Windows Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Windows Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+
+- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Office 365 Advanced Threat Protection. [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats).
+
+- **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](https://docs.microsoft.com/OneDrive/manage-sharing).
+
+**But did you know there are good security reasons to use Windows Defender Antivirus together with Office 365**? Here are two:
+
+ 1. [You get ransomware protection and recovery](#ransomware-protection-and-recovery).
+
+ 2. [Integration means better protection](#integration-means-better-protection).
+
+Read the following sections to learn more.
+
+## Ransomware protection and recovery
+
+When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur:
+
+1. **You are told about the threat**. (If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (ATP), your security operations team is notified, too.)
+
+2. **Windows Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.)
+
+3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f).
+
+Think of the time and hassle this can save.
+
+## Integration means better protection
+
+Office 365 Advanced Threat Protection integrated with Microsoft Defender Advanced Threat Protection means better protection for your organization. Here's how:
+
+- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents.
+
+ AND
+
+- [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture.
+
+ SO
+
+- Once integration is enabled, your security operations team can see a list of devices that are used by the recipients of any detected URLs or email messages, along with recent alerts for those devices, in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+
+If you haven't already done so, [integrate Office 365 Advanced Threat Protection with Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp).
+
+## More good reasons to use OneDrive
+
+Protection from ransomware is one great reason to put your files in OneDrive. And there are several more good reasons, summarized in this video:
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/70b4d256-46fb-481f-ad9b-921ef5fd7bed]
+
+## Want to learn more?
+
+[OneDrive](https://docs.microsoft.com/onedrive)
+
+[Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide)
+
+[Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/)
+
+
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 3dd89a2653..52966241d0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -87,9 +87,9 @@ If you are part of your organization's security team, and your subscription incl
You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
-1. Make sure your organization meets all of the following requirements:
+1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
- - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
+ - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
index 9ba7a43bf9..9c284e75a0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection
-description: For best results, use Windows Defender Antivirus together with your other Microsoft offerings.
+title: "Why you should use Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection"
+description: "For best results, use Windows Defender Antivirus together with your other Microsoft offerings."
keywords: windows defender, antivirus, third party av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index 1dcff86fe3..6ff0b08f83 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -57,8 +57,14 @@ By default, Windows Defender Antivirus is installed and functional on Windows Se
2. When you get to the **Features** step of the wizard, under **Windows Defender Features**, select the **GUI for Windows Defender** option.
+In Windows Server 2016, the **Add Roles and Features Wizard** looks like this:
+
+In Windows Server 2019, the **Add Roles and Feature Wizard** looks like this:
+
+
+
### Turn on the GUI using PowerShell
The following PowerShell cmdlet will enable the interface:
@@ -69,7 +75,7 @@ Install-WindowsFeature -Name Windows-Defender-GUI
## Install Windows Defender Antivirus on Windows Server 2016 or 2019
-You can use the **Add Roles and Features Wizard** or PowerShell to install Windows Defender Antivirus.
+You can use either the **Add Roles and Features Wizard** or PowerShell to install Windows Defender Antivirus.
### Use the Add Roles and Features Wizard
@@ -79,12 +85,13 @@ You can use the **Add Roles and Features Wizard** or PowerShell to install Windo
### Use PowerShell
+To use PowerShell to install Windows Defender Antivirus, run the following cmdlet:
+
```PowerShell
Install-WindowsFeature -Name Windows-Defender
```
-> [!TIP]
-> Event messages for the antimalware engine included with Windows Defender Antivirus can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md).
+Event messages for the antimalware engine included with Windows Defender Antivirus can be found in [Windows Defender AV Events](troubleshoot-windows-defender-antivirus.md).
## Verify Windows Defender Antivirus is running
@@ -132,17 +139,22 @@ The following table lists the services for Windows Defender Antivirus and the de
|Service Name|File Location|Description|
|--------|---------|--------|
-|Windows Defender Service (Windefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Windows Defender Antivirus service that needs to be running at all times.|
+|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Windows Defender Antivirus service that needs to be running at all times.|
|Windows Error Reporting Service (Wersvc)|`C:\WINDOWS\System32\svchost.exe -k WerSvcGroup`|This service sends error reports back to Microsoft.|
|Windows Defender Firewall (MpsSvc)|`C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork`|We recommend leaving the Windows Defender Firewall service enabled.|
|Windows Update (Wuauserv)|`C:\WINDOWS\system32\svchost.exe -k netsvcs`|Windows Update is needed to get Security intelligence updates and antimalware engine updates|
## Submit samples
-To submit a file, review the [submission guide](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide), and then visit the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission)
-
Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence. We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.
+### Submit a file
+
+1. Review the [submission guide](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
+
+2. Visit the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission), and submit your file.
+
+
### Enable automatic sample submission
To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings:
@@ -158,7 +170,7 @@ To enable automatic sample submission, start a Windows PowerShell console as an
To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender Antivirus on Windows Server 2016 or 2019.
-See [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md).
+See [Configure exclusions in Windows Defender Antivirus on Windows Server](configure-server-exclusions-windows-defender-antivirus.md).
## Need to uninstall Windows Defender Antivirus?
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 1accae5758..484dd83dc0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -219,7 +219,7 @@ Before you begin testing the deployed catalog file, make sure that the catalog s
## Deploy catalog files with Microsoft Endpoint Configuration Manager
-As an alternative to Group Policy, you can use Microsoft Endpoint Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Microsoft Endpoint Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
+As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
>[!NOTE]
>The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization.
@@ -294,7 +294,7 @@ Before you begin testing the deployed catalog file, make sure that the catalog s
## Inventory catalog files with Microsoft Endpoint Configuration Manager
-When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Microsoft Endpoint Configuration Manager, you can inventory them with the software inventory feature of Microsoft Endpoint Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
+When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Configuration Manager, you can inventory them with the software inventory feature of Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
>[!NOTE]
>A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names.
@@ -332,7 +332,7 @@ When catalog files have been deployed to the computers within your environment,
9. Now that you have created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files.
-At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Microsoft Endpoint Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps:
+At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps:
1. Open the Configuration Manager console, and select the Assets and Compliance workspace.