Use the DisableSettingsImportNotify parameter to disable notification.| |`Set-UevConfiguration -CurrentComputerUser -EnableSettingsImportNotify`|Configures the UE-V service to notify the current user when settings synchronization is delayed.
Use the DisableSettingsImportNotify parameter to disable notification.| - |`Set-UevConfiguration -Computer -EnableSyncUnlistedWindows8Apps`|Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).
Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.| - |`Set-UevConfiguration -CurrentComputerUser - EnableSyncUnlistedWindows8Apps`|Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).
Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.| + |`Set-UevConfiguration -Computer -EnableSyncUnlistedWindows8Apps`|Configures the UE-V service to synchronize all Windows apps that aren't explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).
Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.| + |`Set-UevConfiguration -CurrentComputerUser - EnableSyncUnlistedWindows8Apps`|Configures the UE-V service to synchronize all Windows apps that aren't explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).
Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.| |`Set-UevConfiguration -Computer -DisableSync`|Disables UE-V for all the users on the computer.
Use the EnableSync parameter to enable or re-enable.| |`Set-UevConfiguration -CurrentComputerUser -DisableSync`|Disables UE-V for the current user on the computer.
Use the EnableSync parameter to enable or re-enable.| |`Set-UevConfiguration -Computer -EnableTrayIcon`|Enables the UE-V icon in the notification area for all users of the computer.
Use the DisableTrayIcon parameter to disable the icon.| @@ -97,7 +97,7 @@ You can use Windows Management Instrumentation (WMI) and Windows PowerShell to m |`$config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration`
`$config. `$config.Put()`|Updates a specific per-computer setting. To clear the setting, use $null as the setting value.|
|`$config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration` `$config. `$config.Put()`|Updates a specific per-user setting for all users of the computer. To clear the setting, use $null as the setting value.|
-When you are finished configuring the UE-V service with WMI and Windows PowerShell, the defined configuration is stored in the registry in the following locations.
+When you're finished configuring the UE-V service with WMI and Windows PowerShell, the defined configuration is stored in the registry in the following locations.
`\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration`
diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md
index eaa34a41eb..2716fc1659 100644
--- a/windows/configuration/ue-v/uev-migrating-settings-packages.md
+++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md
@@ -21,7 +21,7 @@ In the lifecycle of a User Experience Virtualization (UE-V) deployment, you migh
- Migration of a settings storage location share from a test server to a production server
-Simply copying the files and folders does not preserve the security settings and permissions. The following steps describe how to correctly copy the settings package along with their NTFS file system permissions to a new share.
+Simply copying the files and folders doesn't preserve the security settings and permissions. The following steps describe how to correctly copy the settings package along with their NTFS file system permissions to a new share.
**To preserve UE-V settings packages when you migrate to a new server**
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index 81cf471c17..f44d3f47be 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -29,7 +29,7 @@ Whether you want to synchronize settings for only default Windows applications o
- [Enable the UE-V service](uev-deploy-required-features.md#enable-the-ue-v-service) on user computers
-If you want to use UE-V to synchronize user-defined settings for custom applications (third-party or line-of-business), you'll need to install and configure these optional additional UE-V features:
+If you want to use UE-V to synchronize user-defined settings for custom applications (third-party or line-of-business), you’ll need to install and configure these optional extra UE-V features:
[Deploy UE-V for custom applications](uev-deploy-uev-for-custom-applications.md)
@@ -90,13 +90,13 @@ When you enable the UE-V service on user devices, it registers a default group o
| Microsoft Office 2016 applications | Microsoft Access 2016 This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment. Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring.|
-| Fast | 9% | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring. The goal with this ring is to cross the 500-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed. This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization. Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.|
+| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring. The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed. If a device hasn't been properly removed, it could show a status of "ready." If you move such a device, it's possible that the move won't be complete. If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check that the device is available by searching for it in Intune. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
+> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab. If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
+
+## Automated deployment ring remediation functions
+
+Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
+
+- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or
+- An issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md).
+
+There are two automated deployment ring remediation functions:
+
+| Function | Description |
+| ----- | ----- |
+| **Check Device Deployment Ring Membership** | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If, for some reason, a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). |
+| **Multi-deployment ring device remediator:**| Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). If, for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring.|
+
+> [!IMPORTANT]
+> Windows Autopatch automated deployment ring functions doesn't assign or remove devices to or from the **Modern Workplace Devices-Windows Autopatch-Test** ring.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
index e58e36cbfd..c7c96c2575 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
@@ -1,7 +1,7 @@
---
title: Windows quality updates
description: This article explains how Windows quality updates are managed in Autopatch
-ms.date: 05/30/2022
+ms.date: 08/08/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
@@ -37,7 +37,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
-To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update ring to control the rollout. There are three primary policies that are used to control Windows quality updates:
+To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates:
| Policy | Description |
| ----- | ----- |
@@ -48,7 +48,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s
> [!IMPORTANT]
> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective).
-Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Update rings](../operate/windows-autopatch-update-management.md#update-rings).
+Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline":::
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 29d2234dde..54b36ea6ce 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -4,7 +4,7 @@ metadata:
description: Answers to frequently asked questions about Windows Autopatch.
ms.prod: w11
ms.topic: faq
- ms.date: 07/06/2022
+ ms.date: 08/08/2022
audience: itpro
ms.localizationpriority: medium
manager: dougeby
@@ -96,9 +96,9 @@ sections:
- question: Can you customize the scheduling of an update rollout to only install on certain days and times?
answer: |
No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours.
- - question: Does Autopatch support include and exclude groups, or dynamic groups to define ring membership?
+ - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership?
answer: |
- Windows autopatch doesn't support managing update ring membership using your Azure AD groups. For more information, see [Move devices between rings](../operate/windows-autopatch-update-management.md#moving-devices-between-rings).
+ Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
- question: Does Autopatch have two release cadences per update or are there two release cadences per-ring?
answer: |
The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 2f4d13cfe0..abbe0e525e 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
---
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 06/30/2022
+ms.date: 08/04/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
@@ -41,7 +41,6 @@ Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The fol
The following Windows OS 10 editions, 1809 builds and architecture are supported in Windows Autopatch:
-- x64 architecture
- Windows 10 (1809+)/11 Pro
- Windows 10 (1809+)/11 Enterprise
- Windows 10 (1809+)/11 Pro for Workstations
@@ -51,8 +50,9 @@ The following Windows OS 10 editions, 1809 builds and architecture are supported
Windows Autopatch fully supports co-management. The following co-management requirements apply:
- Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions).
-- Ensure ConfigMgr is connected to the internet and [cloud-attach with Intune](/mem/configmgr/cloud-attach/overview).
-- Ensure ConfigMgr is co-managed. For more information, see [Paths to co-management](/mem/configmgr/comanage/quickstart-paths).
-- Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune.
-- Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune.
-- Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune.
+- ConfigMgr must be [cloud-attached with Intune (Co-management)](/mem/configmgr/cloud-attach/overview) and must have the following Co-management workloads enabled:
+ - Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune.
+ - Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune.
+ - Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune.
+
+For more information, see [paths to co-management](/mem/configmgr/comanage/quickstart-paths).
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index aa38fc4f08..be054e388b 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -323,24 +323,8 @@
- name: Access Control Overview
href: identity-protection/access-control/access-control.md
items:
- - name: Dynamic Access Control Overview
- href: identity-protection/access-control/dynamic-access-control.md
- - name: Security identifiers
- href: identity-protection/access-control/security-identifiers.md
- - name: Security Principals
- href: identity-protection/access-control/security-principals.md
- name: Local Accounts
href: identity-protection/access-control/local-accounts.md
- - name: Active Directory Accounts
- href: identity-protection/access-control/active-directory-accounts.md
- - name: Microsoft Accounts
- href: identity-protection/access-control/microsoft-accounts.md
- - name: Service Accounts
- href: identity-protection/access-control/service-accounts.md
- - name: Active Directory Security Groups
- href: identity-protection/access-control/active-directory-security-groups.md
- - name: Special Identities
- href: identity-protection/access-control/special-identities.md
- name: User Account Control
href: identity-protection/user-account-control/user-account-control-overview.md
items:
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
deleted file mode 100644
index 404f1abb50..0000000000
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ /dev/null
@@ -1,621 +0,0 @@
----
-title: Active Directory Accounts (Windows 10)
-description: Active Directory Accounts
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection:
- - M365-identity-device-management
- - highpri
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 08/23/2019
----
-
-# Active Directory Accounts
-
-**Applies to**
-- Windows Server 2016
-
-Windows Server operating systems are installed with default local accounts. In addition, you can create user accounts to meet the requirements of your organization. This reference topic for the IT professional describes the Windows Server default local accounts that are stored locally on the domain controller and are used in Active Directory.
-
-This reference topic does not describe default local user accounts for a member or standalone server or for a Windows client. For more information, see [Local Accounts](local-accounts.md).
-
-## About this topic
-
-
-This topic describes the following:
-
-- [Default local accounts in Active Directory](#sec-ad-default-accounts)
-
- - [Administrator account](#sec-administrator)
-
- - [Guest account](#sec-guest)
-
- - [HelpAssistant account (installed with a Remote Assistance session)](#sec-helpassistant)
-
- - [KRBTGT account](#sec-krbtgt)
-
-- [Settings for default local accounts in Active Directory](#sec-account-settings)
-
-- [Manage default local accounts in Active Directory](#sec-manage-local-accounts)
-
-- [Restrict and protect sensitive domain accounts](#sec-restrict-protect-accounts)
-
- - [Separate administrator accounts from user accounts](#task1-separate-admin-accounts)
-
- - [Create dedicated workstation hosts without Internet and email access](#task2-admin-workstations)
-
- - [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon)
-
- - [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation)
-
-- [Secure and manage domain controllers](#sec-secure-manage-dcs)
-
-## Default local accounts in Active Directory
-
-
-Default local accounts are built-in accounts that are created automatically when a Windows Server domain controller is installed and the domain is created. These default local accounts have counterparts in Active Directory. These accounts also have domain-wide access and are completely separate from the default local user accounts for a member or standalone server.
-
-You can assign rights and permissions to default local accounts on a particular domain controller, and only on that domain controller. These accounts are local to the domain. After the default local accounts are installed, they are stored in the Users container in Active Directory Users and Computers. It is a best practice to keep the default local accounts in the User container and not attempt to move these accounts, for example, to a different organizational unit (OU).
-
-The default local accounts in the Users container include: Administrator, Guest, and KRBTGT. The HelpAssistant account is installed when a Remote Assistance session is established. The following sections describe the default local accounts and their use in Active Directory.
-
-Primarily, default local accounts do the following:
-
-- Let the domain represent, identify, and authenticate the identity of the user that is assigned to the account by using unique credentials (user name and password). It is a best practice to assign each user to a single account to ensure maximum security. Multiple users are not allowed to share one account. A user account lets a user sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain.
-
-- Authorize (grant or deny) access to resources. After a user’s credentials have been authenticated, the user is authorized to access the network and domain resources based on the user’s explicitly assigned rights on the resource.
-
-- Audit the actions that are carried out on a user account.
-
-In Active Directory, default local accounts are used by administrators to manage domain and member servers directly and from dedicated administrative workstations. Active Directory accounts provide access to network resources. Active Directory User accounts and Computer accounts can represent a physical entity, such as a computer or person, or act as dedicated service accounts for some applications.
-
-Each default local account is automatically assigned to a security group that is preconfigured with the appropriate rights and permissions to perform specific tasks. Active Directory security groups collect user accounts, computer accounts, and other groups into manageable units. For more information, see [Active Directory Security Groups](active-directory-security-groups.md).
-
-On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals](security-principals.md).
-
-A security principal is represented by a unique security identifier (SID).The SIDs that are related to each of the default local accounts in Active Directory are described in the sections below.
-
-Some of the default local accounts are protected by a background process that periodically checks and applies a specific security descriptor. A security descriptor is a data structure that contains security information that is associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the default local accounts or groups is overwritten with the protected settings.
-
-This security descriptor is present on the AdminSDHolder object. If you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the AdminSDHolder object to ensure that it is applied consistently. Be careful when making these modifications, because you are also changing the default settings that are applied to all of your protected accounts.
-
-## Administrator account
-
-
-The Administrator account is a default account that is used in all versions of the Windows operating system on every computer and device. The Administrator account is used by the system administrator for tasks that require administrative credentials. This account cannot be deleted or locked out, but the account can be renamed or disabled.
-
-The Administrator account gives the user complete access (Full Control permissions) of the files, directories, services, and other resources that are on that local server. The Administrator account can be used to create local users, and assign user rights and access control permissions. Administrator can also be used to take control of local resources at any time simply by changing the user rights and permissions. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions.
-
-**Account group membership**
-
-The Administrator account has membership in the default security groups as described in the Administrator account attributes table later in this topic.
-
-The security groups ensure that you can control administrator rights without having to change each Administrator account. In most instances, you do not have to change the basic settings for this account. However, you might have to change its advanced settings, such as membership in particular groups.
-
-**Security considerations**
-
-After installation of the server operating system, your first task is to set up the Administrator account properties securely. This includes setting up an especially long, strong password, and securing the Remote control and Remote Desktop Services profile settings.
-
-The Administrator account can also be disabled when it is not required. Renaming or disabling the Administrator account makes it more difficult for malicious users to try to gain access to the account. However, even when the Administrator account is disabled, it can still be used to gain access to a domain controller by using safe mode.
-
-On a domain controller, the Administrator account becomes the Domain Admin account. The Domain Admin account is used to sign in to the domain controller and this account requires a strong password. The Domain Admin account gives you access to domain resources.
-
-> [!NOTE]
-> When the domain controller is initially installed, you can sign in and use Server Manager to set up a local Administrator account, with the rights and permissions you want to assign. For example, you can use a local Administrator account to manage the operating system when you first install it. By using this approach, you can set up the operating system without getting locked out. Generally, you do not need to use the account after installation. You can only create local user accounts on the domain controller, before Active Directory Domain Services is installed, and not afterwards.
-
-When Active Directory is installed on the first domain controller in the domain, the Administrator account is created for Active Directory. The Administrator account is the most powerful account in the domain. It is given domain-wide access and administrative rights to administer the computer and the domain, and it has the most extensive rights and permissions over the domain. The person who installs Active Directory Domain Services on the computer creates the password for this account during the installation.
-
-**Administrator account attributes**
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-` Guests|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Can be moved out, but we do not recommend it.|
-|Safe to delegate management of this group to non-Service admins?|No|
-
-
-
-## KRBTGT account
-
-
-The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.
-
-KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.
-
-Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC.
-
-### KRBTGT account maintenance considerations
-
-A strong password is assigned to the KRBTGT and trust accounts automatically. Like any privileged service accounts, organizations should change these passwords on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets.
-
-Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
-
-After you reset the KRBTGT password, ensure that event ID 9 in the (Kerberos) Key-Distribution-Center event source is written to the System event log.
-
-### Security considerations
-
-It is also a best practice to reset the KRBTGT account password to ensure that a newly restored domain controller does not replicate with a compromised domain controller. In this case, in a large forest recovery that is spread across multiple locations, you cannot guarantee that all domain controllers are shut down, and if they are shut down, they cannot be rebooted again before all of the appropriate recovery steps have been undertaken. After you reset the KRBTGT account, another domain controller cannot replicate this account password by using an old password.
-
-An organization suspecting domain compromise of the KRBTGT account should consider the use of professional incident response services. The impact to restore the ownership of the account is domain-wide and labor intensive an should be undertaken as part of a larger recovery effort.
-
-The KRBTGT password is the key from which all trust in Kerberos chains up to. Resetting the KRBTGT password is similar to renewing the root CA certificate with a new key and immediately not trusting the old key, resulting in almost all subsequent Kerberos operations will be affected.
-
-For all account types (users, computers, and services)
-
-- All the TGTs that are already issued and distributed will be invalid because the DCs will reject them. These tickets are encrypted with the KRBTGT so any DC can validate them. When the password changes, the tickets become invalid.
-
-- All currently authenticated sessions that logged on users have established (based on their service tickets) to a resource (such as a file share, SharePoint site, or Exchange server) are good until the service ticket is required to re-authenticate.
-
-- NTLM authenticated connections are not affected
-
-Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected.
-
-> [!IMPORTANT]
-> Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer.
-
-For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](https://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/).
-
-### Read-only domain controllers and the KRBTGT account
-
-Windows Server 2008 introduced the read-only domain controller (RODC). The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. After an account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy.
-
-After the credentials are cached on the RODC, the RODC can accept that user's sign-in requests until the credentials change. When a TGT is signed with the KRBTGT account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.
-
-### KRBTGT account attributes
-
-For details about the KRBTGT account attributes, see the following table.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-` Global groups from any domain in the same forest Other Universal groups from any domain in the same forest|Can be converted to Domain Local scope if the group is not a member of any other Universal groups Can be converted to Global scope if the group does not contain any other Universal groups|On any domain in the same forest or trusting forests|Other Universal groups in the same forest Domain Local groups in the same forest or trusting forests Local groups on computers in the same forest or trusting forests|
-|Global|Accounts from the same domain Other Global groups from the same domain|Can be converted to Universal scope if the group is not a member of any other global group|On any domain in the same forest, or trusting domains or forests|Universal groups from any domain in the same forest Other Global groups from the same domain Domain Local groups from any domain in the same forest, or from any trusting domain|
-|Domain Local|Accounts from any domain or any trusted domain Global groups from any domain or any trusted domain Universal groups from any domain in the same forest Other Domain Local groups from the same domain Accounts, Global groups, and Universal groups from other forests and from external domains|Can be converted to Universal scope if the group does not contain any other Domain Local groups|Within the same domain|Other Domain Local groups from the same domain Local groups on computers in the same domain, excluding built-in groups that have well-known SIDs|
-
-### Special identity groups
-
-Special identities are generally referred to as groups. Special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances. Some of these groups include Creator Owner, Batch, and Authenticated User.
-
-For information about all the special identity groups, see [Special Identities](special-identities.md).
-
-## Default security groups
-
-
-Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and to delegate specific domain-wide administrative roles.
-
-Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain.
-
-When you add a user to a group, the user receives all the user rights that are assigned to the group and all the permissions that are assigned to the group for any shared resources.
-
-Default groups are located in the **Builtin** container and in the **Users** container in Active Directory Users and Computers. The **Builtin** container includes groups that are defined with the Domain Local scope. The **Users** includes contains groups that are defined with Global scope and groups that are defined with Domain Local scope. You can move groups that are located in these containers to other groups or organizational units (OU) within the domain, but you cannot move them to other domains.
-
-Some of the administrative groups that are listed in this topic and all members of these groups are protected by a background process that periodically checks for and applies a specific security descriptor. This descriptor is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings.
-
-The security descriptor is present on the **AdminSDHolder** object. This means that if you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the **AdminSDHolder** object so that it will be applied consistently. Be careful when you make these modifications because you are also changing the default settings that will be applied to all of your protected administrative accounts.
-
-### Active Directory default security groups by operating system version
-
-The following tables provide descriptions of the default groups that are located in the **Builtin** and **Users** containers in each operating system.
-
-|Default Security Group|Windows Server 2016|Windows Server 2012 R2|Windows Server 2012|Windows Server 2008 R2|
-|--- |--- |--- |--- |--- |
-|[Access Control Assistance Operators](#bkmk-acasstops)|Yes|Yes|Yes||
-|[Account Operators](#bkmk-accountoperators)|Yes|Yes|Yes|Yes|
-|[Administrators](#bkmk-admins)|Yes|Yes|Yes|Yes|
-|[Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl)|Yes|Yes|Yes|Yes|
-|[Backup Operators](#bkmk-backupoperators)|Yes|Yes|Yes|Yes|
-|[Certificate Service DCOM Access](#bkmk-certificateservicedcomaccess)|Yes|Yes|Yes|Yes|
-|[Cert Publishers](#bkmk-certpublishers)|Yes|Yes|Yes|Yes|
-|[Cloneable Domain Controllers](#bkmk-cloneabledomaincontrollers)|Yes|Yes|Yes||
-|[Cryptographic Operators](#bkmk-cryptographicoperators)|Yes|Yes|Yes|Yes|
-|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|Yes|Yes|Yes|Yes|
-|[Device Owners](#bkmk-device-owners)|Yes|Yes|Yes|Yes|
-|[Distributed COM Users](#bkmk-distributedcomusers)|Yes|Yes|Yes|Yes|
-|[DnsUpdateProxy](#bkmk-dnsupdateproxy)|Yes|Yes|Yes|Yes|
-|[DnsAdmins](#bkmk-dnsadmins)|Yes|Yes|Yes|Yes|
-|[Domain Admins](#bkmk-domainadmins)|Yes|Yes|Yes|Yes|
-|[Domain Computers](#bkmk-domaincomputers)|Yes|Yes|Yes|Yes|
-|[Domain Controllers](#bkmk-domaincontrollers)|Yes|Yes|Yes|Yes|
-|[Domain Guests](#bkmk-domainguests)|Yes|Yes|Yes|Yes|
-|[Domain Users](#bkmk-domainusers)|Yes|Yes|Yes|Yes|
-|[Enterprise Admins](#bkmk-entadmins)|Yes|Yes|Yes|Yes|
-|[Enterprise Key Admins](#enterprise-key-admins)|Yes||||
-|[Enterprise Read-only Domain Controllers](#bkmk-entrodc)|Yes|Yes|Yes|Yes|
-|[Event Log Readers](#bkmk-eventlogreaders)|Yes|Yes|Yes|Yes|
-|[Group Policy Creator Owners](#bkmk-gpcreatorsowners)|Yes|Yes|Yes|Yes|
-|[Guests](#bkmk-guests)|Yes|Yes|Yes|Yes|
-|[Hyper-V Administrators](#bkmk-hypervadministrators)|Yes|Yes|Yes||
-|[IIS_IUSRS](#bkmk-iis-iusrs)|Yes|Yes|Yes|Yes|
-|[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs)|Yes|Yes|Yes|Yes|
-|[Key Admins](#key-admins)|Yes||||
-|[Network Configuration Operators](#bkmk-networkcfgoperators)|Yes|Yes|Yes|Yes|
-|[Performance Log Users](#bkmk-perflogusers)|Yes|Yes|Yes|Yes|
-|[Performance Monitor Users](#bkmk-perfmonitorusers)|Yes|Yes|Yes|Yes|
-|[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess)|Yes|Yes|Yes|Yes|
-|[Print Operators](#bkmk-printoperators)|Yes|Yes|Yes|Yes|
-|[Protected Users](#bkmk-protectedusers)|Yes|Yes|||
-|[RAS and IAS Servers](#bkmk-rasandias)|Yes|Yes|Yes|Yes|
-|[RDS Endpoint Servers](#bkmk-rdsendpointservers)|Yes|Yes|Yes||
-|[RDS Management Servers](#bkmk-rdsmanagementservers)|Yes|Yes|Yes||
-|[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)|Yes|Yes|Yes||
-|[Read-only Domain Controllers](#bkmk-rodc)|Yes|Yes|Yes|Yes|
-|[Remote Desktop Users](#bkmk-remotedesktopusers)|Yes|Yes|Yes|Yes|
-|[Remote Management Users](#bkmk-remotemanagementusers)|Yes|Yes|Yes||
-|[Replicator](#bkmk-replicator)|Yes|Yes|Yes|Yes|
-|[Schema Admins](#bkmk-schemaadmins)|Yes|Yes|Yes|Yes|
-|[Server Operators](#bkmk-serveroperators)|Yes|Yes|Yes|Yes|
-|[Storage Replica Administrators](#storage-replica-administrators)|Yes||||
-|[System Managed Accounts Group](#system-managed-accounts-group)|Yes||||
-|[Terminal Server License Servers](#bkmk-terminalserverlic)|Yes|Yes|Yes|Yes|
-|[Users](#bkmk-users)|Yes|Yes|Yes|Yes|
-|[Windows Authorization Access Group](#bkmk-winauthaccess)|Yes|Yes|Yes|Yes|
-|[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)||Yes|Yes||
-
-### Access Control Assistance Operators
-
-Members of this group can remotely query authorization attributes and permissions for resources on the computer.
-
-The Access Control Assistance Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-579|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Account Operators
-
-The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers.
-
-Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the [Administrators](#bkmk-admins), [Server Operators](#bkmk-serveroperators), [Account Operators](#bkmk-accountoperators), [Backup Operators](#bkmk-backupoperators), or [Print Operators](#bkmk-printoperators) groups. Members of this group cannot modify user rights.
-
-The Account Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved.
-
-
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-548|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight|
-
-
-
-### Administrators
-
-Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain.
-
-The Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups.
-
-Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain.
-
-
-
-This security group includes the following changes since Windows Server 2008:
-
-- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services).
-
-- [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station) was removed in Windows Server 2012 R2.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-544|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|Administrator, Domain Admins, Enterprise Admins|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services): SeRemoteInteractiveLogonRight [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege [Create a pagefile](/windows/device-security/security-policy-settings/create-a-pagefile): SeCreatePagefilePrivilege [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege [Create symbolic links](/windows/device-security/security-policy-settings/create-symbolic-links): SeCreateSymbolicLinkPrivilege [Debug programs](/windows/device-security/security-policy-settings/debug-programs): SeDebugPrivilege [Enable computer and user accounts to be trusted for delegation](/windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation): SeEnableDelegationPrivilege [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege [Increase scheduling priority](/windows/device-security/security-policy-settings/increase-scheduling-priority): SeIncreaseBasePriorityPrivilege [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight [Manage auditing and security log](/windows/device-security/security-policy-settings/manage-auditing-and-security-log): SeSecurityPrivilege [Modify firmware environment values](/windows/device-security/security-policy-settings/modify-firmware-environment-values): SeSystemEnvironmentPrivilege [Perform volume maintenance tasks](/windows/device-security/security-policy-settings/perform-volume-maintenance-tasks): SeManageVolumePrivilege [Profile system performance](/windows/device-security/security-policy-settings/profile-system-performance): SeSystemProfilePrivilege [Profile single process](/windows/device-security/security-policy-settings/profile-single-process): SeProfileSingleProcessPrivilege [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station): SeUndockPrivilege [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege [Take ownership of files or other objects](/windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects): SeTakeOwnershipPrivilege|
-
-### Allowed RODC Password Replication Group
-
-The purpose of this security group is to manage a RODC password replication policy. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. The [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group.
-
-The Allowed RODC Password Replication group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-571|
-|Type|Domain local|
-|Default container|CN=Users DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Backup Operators
-
-Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators.
-
-The Backup Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-551|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege|
-
-
-
-### Certificate Service DCOM Access
-
-Members of this group are allowed to connect to certification authorities in the enterprise.
-
-The Certificate Service DCOM Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-<domain>-574|
-|Type|Domain Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-### Cert Publishers
-
-Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory.
-
-The Cert Publishers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-517|
-|Type|Domain Local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-### Cloneable Domain Controllers
-
-Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group).
-
-For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100).
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-522|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Cryptographic Operators
-
-Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode.
-
-The Cryptographic Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group was introduced in Windows Vista Service Pack 1, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-569|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-
-### Denied RODC Password Replication Group
-
-Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller.
-
-The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication Group supersedes the [Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl).
-
-This security group includes the following changes since Windows Server 2008:
-
-- Windows Server 2012 changed the default members to include [Cert Publishers](#bkmk-certpublishers).
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-572|
-|Type|Domain local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|[Cert Publishers](#bkmk-certpublishers) [Domain Admins](#bkmk-domainadmins) [Domain Controllers](#bkmk-domaincontrollers) [Enterprise Admins](#bkmk-entadmins) Group Policy Creator Owners [Read-only Domain Controllers](#bkmk-rodc) [Schema Admins](#bkmk-schemaadmins)|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?||
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-### Device Owners
-This group is not currently used in Windows.
-
-Microsoft does not recommend changing the default configuration where this security group has zero members. Changing the default configuration could hinder future scenarios that rely on this group.
-
-The Device Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-583|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Can be moved out but it is not recommended|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege|
-
-### Distributed COM Users
-
-Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-The Distributed COM Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-562|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### DnsUpdateProxy
-
-Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario.
-
-However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
-
-For information, see [DNS Record Ownership and the DnsUpdateProxy Group](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd334715(v=ws.10)).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### DnsAdmins
-
-Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
-
-For more information about security and DNS, see [DNSSEC in Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593694(v=ws.11)).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>|
-|Type|Builtin Local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Domain Admins
-
-Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.
-
-The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group. This is considered a service administrator account because its members have full access to the domain controllers in a domain.
-
-The Domain Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-512|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator|
-|Default member of|[Administrators](#bkmk-admins) [Denied RODC Password ReplicationGroup](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Administrators](#bkmk-admins) See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-
-
-### Domain Computers
-
-This group can include all computers and servers that have joined the domain, excluding domain controllers. By default, any computer account that is created automatically becomes a member of this group.
-
-The Domain Computers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-515|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|All computers joined to the domain, excluding domain controllers|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes (but not required)|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-### Domain Controllers
-
-The Domain Controllers group can include all domain controllers in the domain. New domain controllers are automatically added to this group.
-
-The Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-516|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Computer accounts for all domain controllers of the domain|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|No|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-### Domain Guests
-
-The Domain Guests group includes the domain’s built-in Guest account. When members of this group sign in as local guests on a domain-joined computer, a domain profile is created on the local computer.
-
-The Domain Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-514|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Guest|
-|Default member of|[Guests](#bkmk-guests)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Can be moved out but it is not recommended|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Guests](#bkmk-guests)|
-
-### Domain Users
-
-The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group.
-
-By default, any user account that is created in the domain automatically becomes a member of this group. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group on the print server that has permissions for the printer).
-
-The Domain Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-513|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator
-krbtgt|
-|Default member of|[Users](#bkmk-users)|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Users](#bkmk-users)|
-
-### Enterprise Admins
-
-The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains.
-
-By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access for configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Membership can be modified only by the default service administrator groups in the root domain. This is considered a service administrator account.
-
-The Enterprise Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<root domain>-519|
-|Type|Universal (if Domain is in Native-Mode) else Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator|
-|Default member of|[Administrators](#bkmk-admins)
-[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Administrators](#bkmk-admins) See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-### Enterprise Key Admins
-
-Members of this group can perform administrative actions on key objects within the forest.
-
-The Enterprise Key Admins group was introduced in Windows Server 2016.
-
-| Attribute | Value |
-|-----------|-------|
-| Well-Known SID/RID | S-1-5-21-<domain>-527 |
-| Type | Global |
-| Default container | CN=Users, DC=<domain>, DC= |
-| Default members | None |
-| Default member of | None |
-| Protected by ADMINSDHOLDER? | Yes |
-| Safe to move out of default container? | Yes |
-| Safe to delegate management of this group to non-Service admins? | No |
-| Default User Rights | None |
-
-
-### Enterprise Read-Only Domain Controllers
-
-Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller.
-
-Read-only domain controllers address some of the issues that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it.
-
-For more information, see [What Is an RODC?](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771030(v=ws.10)).
-
-The Enterprise Read-Only Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<root domain>-498|
-|Type|Universal|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?||
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Event Log Readers
-
-Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller.
-
-The Event Log Readers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-573|
-|Type|Domain Local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Group Policy Creator Owners
-
-This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.
-
-For information about other features you can use with this security group, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)).
-
-The Group Policy Creator Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-520|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|No|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-### Guests
-
-Members of the Guests group have the same access as members of the Users group by default, except that the Guest account has further restrictions. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to sign in with limited privileges to a computer’s built-in Guest account.
-
-When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is stored in the **%userprofile%** directory, including the user's registry hive information, custom desktop icons, and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system. This security group interacts with the Group Policy setting **Do not logon users with temporary profiles** when it is enabled. This setting is located under the following path:
-
-Computer Configuration\\Administrative Templates\\System\\User Profiles
-
-> [!NOTE]
-> A Guest account is a default member of the Guests security group. People who do not have an actual account in the domain can use the Guest account. A user whose account is disabled (but not deleted) can also use the Guest account.
-
-The Guest account does not require a password. You can set rights and permissions for the Guest account as in any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to sign in to a domain. The Guest account is disabled by default, and we recommend that it stay disabled.
-
-The Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-546|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|[Domain Guests](#bkmk-domainguests)|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-
-### Hyper-V Administrators
-
-Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access.
-
-> [!NOTE]
-> Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators group.
-
-
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-578|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### IIS\_IUSRS
-
-IIS\_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR\_MachineName account and the IIS\_WPG group with the IIS\_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of the Windows operating system that you install, the IIS account name will always be IUSR, and the group name will be IIS\_IUSRS.
-
-For more information, see [Understanding Built-In User and Group Accounts in IIS 7](/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-568|
-|Type|Builtin Local|
-|Default container|CN=BuiltIn, DC=<domain>, DC=|
-|Default members|IUSR|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?||
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Incoming Forest Trust Builders
-
-Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must determine whether the domain being requested by a user, computer, or service has a trust relationship with the logon domain of the requesting account.
-
-To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. A secured channel extends to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups.
-
-> [!NOTE]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-
-
-For more information, see [How Domain and Forest Trusts Work: Domain and Forest Trusts](/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)).
-
-The Incoming Forest Trust Builders group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This group cannot be renamed, deleted, or moved.
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-557|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-### Key Admins
-
-Members of this group can perform administrative actions on key objects within the domain.
-
-The Key Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-| Attribute | Value |
-|-----------|-------|
-| Well-Known SID/RID | S-1-5-21-<domain>-526 |
-| Type | Global |
-| Default container | CN=Users, DC=<domain>, DC= |
-| Default members | None |
-| Default member of | None |
-| Protected by ADMINSDHOLDER? | Yes |
-| Safe to move out of default container? | Yes |
-| Safe to delegate management of this group to non-Service admins? | No |
-| Default User Rights | None |
-
-
-
-### Network Configuration Operators
-
-Members of the Network Configuration Operators group can have the following administrative privileges to manage configuration of networking features:
-
-- Modify the Transmission Control Protocol/Internet Protocol (TCP/IP) properties for a local area network (LAN) connection, which includes the IP address, the subnet mask, the default gateway, and the name servers.
-
-- Rename the LAN connections or remote access connections that are available to all the users.
-
-- Enable or disable a LAN connection.
-
-- Modify the properties of all of remote access connections of users.
-
-- Delete all the remote access connections of users.
-
-- Rename all the remote access connections of users.
-
-- Issue **ipconfig**, **ipconfig /release**, or **ipconfig /renew** commands.
-
-- Enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card.
-
-> [!NOTE]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-
-The Network Configuration Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This group cannot be renamed, deleted, or moved.
-
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-556|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-### Performance Log Users
-
-Members of the Performance Log Users group can manage performance counters, logs, and alerts locally on the server and from remote clients without being a member of the Administrators group. Specifically, members of this security group:
-
-- Can use all the features that are available to the Performance Monitor Users group.
-
-- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right.
-
- > [!WARNING]
- > If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials.
-
- > [!NOTE]
- > In Windows Server 2016 or later, Data Collector Sets cannot be created by a member of the Performance Log Users group.
- > If a member of the Performance Log Users group tries to create Data Collector Sets, they cannot complete creation because access will be denied.
-
-- Cannot use the Windows Kernel Trace event provider in Data Collector Sets.
-
-For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console.
-
-> [!NOTE]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-
-The Performance Log Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This account cannot be renamed, deleted, or moved.
-
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-559|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight|
-
-
-
-### Performance Monitor Users
-
-Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups. The Windows Performance Monitor is a Microsoft Management Console (MMC) snap-in that provides tools for analyzing system performance. From a single console, you can monitor application and hardware performance, customize what data you want to collect in logs, define thresholds for alerts and automatic actions, generate reports, and view past performance data in a variety of ways.
-
-Specifically, members of this security group:
-
-- Can use all the features that are available to the Users group.
-
-- Can view real-time performance data in Performance Monitor.
-
- Can change the Performance Monitor display properties while viewing data.
-
-- Cannot create or modify Data Collector Sets.
-
- > [!WARNING]
- > You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group.
-
-
-
-> [!NOTE]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved.
-
-
-
-The Performance Monitor Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-558|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-
-### Pre–Windows 2000 Compatible Access
-
-Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity group, Everyone, is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier.
-
-> [!WARNING]
-> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-
-The Pre–Windows 2000 Compatible Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-554|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|If you choose the Pre–Windows 2000 Compatible Permissions mode, Everyone and Anonymous are members, and if you choose the Windows 2000-only permissions mode, Authenticated Users are members.|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
-
-
-
-### Print Operators
-
-Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain.
-
-This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved.
-
-The Print Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assign Delegated Print Administrator and Printer Permission Settings in Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj190062(v=ws.11)).
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-550|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege|
-
-### Protected Users
-
-Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes.
-
-This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group.
-
-This domain-related, global group triggers non-configurable protection on devices and host computers, starting with the Windows Server 2012 R2 and Windows 8.1 operating systems. It also triggers non-configurable protection on domain controllers in domains with a primary domain controller running Windows Server 2012 R2 or Windows Server 2016. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer.
-
-Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows.
-
-- Members of the Protected Users group cannot authenticate by using the following Security Support Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running Windows 8.1 or Windows 10, so the device fails to authenticate to a domain when the account is a member of the Protected User group.
-
-- The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. This means that the domain must be configured to support at least the AES cipher suite.
-
-- The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group.
-
-- The default Kerberos ticket-granting tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center. This means that when four hours has passed, the user must authenticate again.
-
-The Protected Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)).
-
-The following table specifies the properties of the Protected Users group.
-
-|Attribute|Value|
-|--- |--- |
-|Well-known SID/RID|S-1-5-21-<domain>-525|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-service admins?|No|
-|Default user rights|None|
-
-### RAS and IAS Servers
-
-Computers that are members of the RAS and IAS Servers group, when properly configured, are allowed to use remote access services. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically, such as IAS servers and Network Policy Servers. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.
-
-The RAS and IAS Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-553|
-|Type|Builtin Local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-### RDS Endpoint Servers
-
-Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
-
-For information about Remote Desktop Services, see [Host desktops and apps in Remote Desktop Services](/windows-server/remote/remote-desktop-services/welcome-to-rds).
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-576|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-### RDS Management Servers
-
-Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-577|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### RDS Remote Access Servers
-
-Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group.
-
-For more information, see [Host desktops and apps in Remote Desktop Services](/windows-server/remote/remote-desktop-services/welcome-to-rds).
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-575|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Read-Only Domain Controllers
-
-This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
-
-Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality:
-
-- Read-only AD DS database
-
-- Unidirectional replication
-
-- Credential caching
-
-- Administrator role separation
-
-- Read-only Domain Name System (DNS)
-
-For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754719(v=ws.10)).
-
-This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-521|
-|Type|Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-### Remote Desktop Users
-
-The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-The Remote Desktop Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-555|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-
-
-
-### Remote Management Users
-
-Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
-
-The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the [WinRMRemoteWMIUsers\_](#bkmk-winrmremotewmiusers-) group is allows remotely running Windows PowerShell commands.
-
-For more information, see [What's New in MI?](/previous-versions/windows/desktop/wmi_v2/what-s-new-in-mi) and [About WMI](/windows/win32/wmisdk/about-wmi).
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-580|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Replicator
-
-Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for network clients to access. FRS can also replicate data for the Distributed File System (DFS), synchronizing the content of each member in a replica set as defined by DFS. FRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule between sites.
-
-> [!WARNING]
-> In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers.
-
-However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see:
-
-- [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)](/windows/win32/win7appqual/file-replication-service--frs--is-deprecated-in-windows-server-2008-r2)
-- [DFS Namespaces and DFS Replication Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127250(v=ws.11))
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-552|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-### Schema Admins
-
-Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode.
-
-The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema.
-
-The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory.
-
-For more information, see [What Is the Active Directory Schema?: Active Directory](/previous-versions/windows/it-pro/windows-server-2003/cc784826(v=ws.10)).
-
-The Schema Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<root domain>-518|
-|Type|Universal (if Domain is in Native-Mode) else Global|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|Administrator|
-|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|
-
-### Server Operators
-
-Members in the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
-
-By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and the Enterprise Admins group in the forest root domain. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.
-
-The Server Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-549|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): Restore files and directories SeRestorePrivilege [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege|
-
-### Storage Replica Administrators
-
-Members of this group have complete and unrestricted access to all features of Storage Replica.
-
-The Storage Replica Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-| Attribute | Value |
-|-----------|-------|
-| Well-Known SID/RID | S-1-5-32-582 |
-| Type | Builtin Local |
-| Default container | CN=BuiltIn, DC=<domain>, DC= |
-| Default members | None |
-| Default member of | None |
-| Protected by ADMINSDHOLDER? | No |
-| Safe to move out of default container? | Yes |
-| Safe to delegate management of this group to non-Service admins? | No |
-| Default User Rights | None |
-
-
-
-### System Managed Accounts Group
-
-Members of this group are managed by the system.
-
-The System Managed Accounts group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-
-| Attribute | Value |
-|-----------|-------|
-| Well-Known SID/RID | S-1-5-32-581 |
-| Type | Builtin Local |
-| Default container | CN=BuiltIn, DC=<domain>, DC= |
-| Default members | Users |
-| Default member of | None |
-| Protected by ADMINSDHOLDER? | No |
-| Safe to move out of default container? | Yes |
-| Safe to delegate management of this group to non-Service admins? | No |
-| Default User Rights | None |
-
-
-
-### Terminal Server License Servers
-
-Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-For more information about this security group, see [Terminal Services License Server Security Group Configuration](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc775331(v=ws.10)).
-
-The Terminal Server License Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This group cannot be renamed, deleted, or moved.
-
-
-
-This security group only applies to Windows Server 2003 and Windows Server 2008 because Terminal Services was replaced by Remote Desktop Services in Windows Server 2008 R2.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-561|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Safe to move out of default container?|Cannot be moved|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default User Rights|None|
-
-### Users
-
-Members of the Users group are prevented from making accidental or intentional system-wide changes, and they can run most applications. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
-
-Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. This group cannot be renamed, deleted, or moved.
-
-The Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-This security group includes the following changes since Windows Server 2008:
-
-- In Windows Server 2008 R2, INTERACTIVE was added to the default members list.
-
-- In Windows Server 2012, the default **Member Of** list changed from Domain Users to none.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-545|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|Authenticated Users [Domain Users](#bkmk-domainusers) INTERACTIVE|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|No|
-|Default User Rights|None|
-
-### Windows Authorization Access Group
-
-Members of this group have access to the computed token GroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function) that reads this attribute do not succeed if the calling security context does not have access to the attribute. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-
-The Windows Authorization Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-> [!NOTE]
-> This group cannot be renamed, deleted, or moved.
-
-
-This security group has not changed since Windows Server 2008.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-32-560|
-|Type|Builtin Local|
-|Default container|CN=Builtin, DC=<domain>, DC=|
-|Default members|Enterprise Domain Controllers|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Cannot be moved|
-|Safe to delegate management of this group to non-Service admins?|Yes|
-|Default user rights|None|
-
-### WinRMRemoteWMIUsers\_
-
-In Windows 8 and in Windows Server 2012, a **Share** tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running.
-
-The WinRMRemoteWMIUsers\_ group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
-
-- If the file share is hosted on a server that is running a supported version of the operating system:
-
- - You must be a member of the WinRMRemoteWMIUsers\_\_ group or the BUILTIN\\Administrators group.
-
- - You must have Read permissions to the file share.
-
-- If the file share is hosted on a server that is running a version of Windows Server that is earlier than Windows Server 2012:
-
- - You must be a member of the BUILTIN\\Administrators group.
-
- - You must have Read permissions to the file share.
-
-In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers\_\_ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions.
-
-> [!NOTE]
-> The WinRMRemoteWMIUsers\_ group allows running Windows PowerShell commands remotely whereas the [Remote Management Users](#bkmk-remotemanagementusers) group is generally used to allow users to manage servers by using the Server Manager console.
-
-
-
-This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>|
-|Type|Domain local|
-|Default container|CN=Users, DC=<domain>, DC=|
-|Default members|None|
-|Default member of|None|
-|Protected by ADMINSDHOLDER?|No|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-Service admins?||
-|Default User Rights|None|
-
-
-## See also
-
-- [Security Principals](security-principals.md)
-
-- [Special Identities](special-identities.md)
-
-- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md
deleted file mode 100644
index b19feb4975..0000000000
--- a/windows/security/identity-protection/access-control/dynamic-access-control.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-title: Dynamic Access Control Overview (Windows 10)
-description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-ms.reviewer:
----
-
-# Dynamic Access Control Overview
-
-**Applies to**
-- Windows Server 2016
-
-This overview topic for the IT professional describes Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
-
-Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources.
-
-For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS). For more detailed examples of Dynamic Access Control in use, see the scenarios described in [Dynamic Access Control: Scenario Overview](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview).
-
-Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes.
-
-Features and concepts associated with Dynamic Access Control include:
-
-- [Central access rules](#bkmk-rules)
-
-- [Central access policies](#bkmk-policies)
-
-- [Claims](#bkmk-claims)
-
-- [Expressions](#bkmk-expressions2)
-
-- [Proposed permissions](#bkmk-permissions2)
-
-### Central access rules
-
-A central access rule is an expression of authorization rules that can include one or more conditions involving user groups, user claims, device claims, and resource properties. Multiple central access rules can be combined into a central access policy.
-
-If one or more central access rules have been defined for a domain, file share administrators can match specific rules to specific resources and business requirements.
-
-### Central access policies
-
-Central access policies are authorization policies that include conditional expressions. For example, let’s say an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and members of the human resources (HR) department who are allowed to view PII information. This represents an organization-wide policy that applies to PII files wherever they are located on file servers across the organization. To implement this policy, an organization needs to be able to:
-
-- Identify and mark the files that contain the PII.
-
-- Identify the group of HR members who are allowed to view the PII information.
-
-- Add the central access policy to a central access rule, and apply the central access rule to all files that contain the PII, wherever they are located amongst the file servers across the organization.
-
-Central access policies act as security umbrellas that an organization applies across its servers. These policies are in addition to (but do not replace) the local access policies or discretionary access control lists (DACLs) that are applied to files and folders.
-
-### Claims
-
-A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user’s title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows:
-
-- **User claims** Active Directory attributes that are associated with a specific user.
-
-- **Device claims** Active Directory attributes that are associated with a specific computer object.
-
-- **Resource attributes** Global resource properties that are marked for use in authorization decisions and published in Active Directory.
-
-Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies.
-
-### Expressions
-
-Conditional expressions are an enhancement to access control management that allow or deny access to resources only when certain conditions are met, for example, group membership, location, or the security state of the device. Expressions are managed through the Advanced Security Settings dialog box of the ACL Editor or the Central Access Rule Editor in the Active Directory Administrative Center (ADAC).
-
-Expressions help administrators manage access to sensitive resources with flexible conditions in increasingly complex business environments.
-
-### Proposed permissions
-
-Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them.
-
-Predicting the effective access to a resource helps you plan and configure permissions for those resources before implementing those changes.
-
-## Additional changes
-
-
-Additional enhancements in the supported versions of Windows that support Dynamic Access Control include:
-
-### Support in the Kerberos authentication protocol to reliably provide user claims, device claims, and device groups.
-
-By default, devices running any of the supported versions of Windows are able to process Dynamic Access Control-related Kerberos tickets, which include data needed for compound authentication. Domain controllers are able to issue and respond to Kerberos tickets with compound authentication-related information. When a domain is configured to recognize Dynamic Access Control, devices receive claims from domain controllers during initial authentication, and they receive compound authentication tickets when submitting service ticket requests. Compound authentication results in an access token that includes the identity of the user and the device on the resources that recognize Dynamic Access Control.
-
-### Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain.
-
-Every domain controller needs to have the same Administrative Template policy setting, which is located at **Computer Configuration\\Policies\\Administrative Templates\\System\\KDC\\Support Dynamic Access Control and Kerberos armoring**.
-
-### Support in Active Directory to store user and device claims, resource properties, and central access policy objects.
-
-### Support for using Group Policy to deploy central access policy objects.
-
-The following Group Policy setting enables you to deploy central access policy objects to file servers in your organization: **Computer Configuration\\Policies\\ Windows Settings\\Security Settings\\File System\\Central Access Policy**.
-
-### Support for claims-based file authorization and auditing for file systems by using Group Policy and Global Object Access Auditing
-
-You must enable staged central access policy auditing to audit the effective access of central access policy by using proposed permissions. You configure this setting for the computer under **Advanced Audit Policy Configuration** in the **Security Settings** of a Group Policy Object (GPO). After you configure the security setting in the GPO, you can deploy the GPO to computers in your network.
-
-### Support for transforming or filtering claim policy objects that traverse Active Directory forest trusts
-
-You can filter or transform incoming and outgoing claims that traverse a forest trust. There are three basic scenarios for filtering and transforming claims:
-
-- **Value-based filtering** Filters can be based on the value of a claim. This allows the trusted forest to prevent claims with certain values from being sent to the trusting forest. Domain controllers in trusting forests can use value-based filtering to guard against an elevation-of-privilege attack by filtering the incoming claims with specific values from the trusted forest.
-
-- **Claim type-based filtering** Filters are based on the type of claim, rather than the value of the claim. You identify the claim type by the name of the claim. You use claim type-based filtering in the trusted forest, and it prevents Windows from sending claims that disclose information to the trusting forest.
-
-- **Claim type-based transformation** Manipulates a claim before sending it to the intended target. You use claim type-based transformation in the trusted forest to generalize a known claim that contains specific information. You can use transformations to generalize the claim-type, the claim value, or both.
-
-## Software requirements
-
-
-Because claims and compound authentication for Dynamic Access Control require Kerberos authentication extensions, any domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows to support authentication from Dynamic Access Control-aware Kerberos clients. By default, devices must use domain controllers in other sites. If no such domain controllers are available, authentication will fail. Therefore, you must support one of the following conditions:
-
-- Every domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows Server to support authentication from all devices running the supported versions of Windows or Windows Server.
-
-- Devices running the supported versions of Windows or that do not protect resources by using claims or compound identity, should disable Kerberos protocol support for Dynamic Access Control.
-
-For domains that support user claims, every domain controller running the supported versions of Windows server must be configured with the appropriate setting to support claims and compound authentication, and to provide Kerberos armoring. Configure settings in the KDC Administrative Template policy as follows:
-
-- **Always provide claims** Use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher.
-
-- **Supported** When you use this setting, monitor domain controllers to ensure that the number of domain controllers running the supported versions of Windows Server is sufficient for the number of client computers that need to access resources protected by Dynamic Access Control.
-
-If the user domain and file server domain are in different forests, all domain controllers in the file server’s forest root must be set at the Windows Server 2012 or higher functional level.
-
-If clients do not recognize Dynamic Access Control, there must be a two-way trust relationship between the two forests.
-
-If claims are transformed when they leave a forest, all domain controllers in the user’s forest root must be set at the Windows Server 2012 or higher functional level.
-
-A file server running a server operating system that supports Dyamic Access Control must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server.
-
-## See also
-
-- [Access control overview](access-control.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md
deleted file mode 100644
index 7d9575a8f4..0000000000
--- a/windows/security/identity-protection/access-control/microsoft-accounts.md
+++ /dev/null
@@ -1,186 +0,0 @@
----
-title: Microsoft Accounts (Windows 10)
-description: Microsoft Accounts
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-ms.reviewer:
----
-
-# Microsoft Accounts
-
-**Applies to**
-- Windows 10
-
-This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization.
-
-Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a means of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password.
-
-When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices.
-
-## How a Microsoft account works
-
-The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Microsoft Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials.
-
-When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed.
-
-**Important**
-Local Windows account functionality has not been removed, and it is still an option to use in managed environments.
-
-### How Microsoft accounts are created
-
-To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. A user who tries to create multiple Microsoft accounts with the same IP address is stopped.
-
-Microsoft accounts are not designed to be created in batches, such as for a group of domain users within your enterprise.
-
-There are two methods for creating a Microsoft account:
-
-- **Use an existing email address**.
-
- Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal passwords.
-
-- **Sign up for a Microsoft email address**.
-
- Users can sign up for an email account with Microsoft's webmail services. This account can be used to sign in to websites that are enabled to use Microsoft accounts.
-
-### How the Microsoft account information is safeguarded
-
-Credential information is encrypted twice. The first encryption is based on the account’s password. Credentials are encrypted again when they are sent across the Internet. The data that is stored is not available to other Microsoft or non-Microsoft services.
-
-- **Strong password is required**.
-
- Blank passwords are not allowed.
-
- For more information, see [How to help keep your Microsoft account safe and secure](https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-safe-and-secure-628538c2-7006-33bb-5ef4-c917657362b9).
-
-- **Secondary proof of identity is required**.
-
- Before user profile information and settings can be accessed on a second supported Windows computer for the first time, trust must established for that device by providing secondary proof of identity. This can be accomplished by providing Windows with a code that is sent to a mobile phone number or by following the instructions that are sent to an alternate email address that a user specifies in the account settings.
-
-- **All user profile data is encrypted on the client before it is transmitted to the cloud**.
-
- User data does not roam over a wireless wide area network (WWAN) by default, thereby protecting profile data. All data and settings that leave a device are transmitted through the TLS/SSL protocol.
-
-**Microsoft account security information is added**.
-
-Users can add security information to their Microsoft accounts through the **Accounts** interface on computers running the supported versions of Windows. This feature allows the user to update the security information that they provided when they created their accounts. This security information includes an alternate email address or phone number so if their password is compromised or forgotten, a verification code can be sent to verify their identity. Users can potentially use their Microsoft accounts to store corporate data on a personal OneDrive or email app, so it is safe practice for the account owner to keep this security information up-to-date.
-
-## The Microsoft account in the enterprise
-
-
-Although the Microsoft account was designed to serve consumers, you might find situations where your domain users can benefit by using their personal Microsoft account in your enterprise. The following list describes some advantages.
-
-- **Download Microsoft Store apps**:
-
- If your enterprise chooses to distribute software through the Microsoft Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT.
-
-- **Single sign-on**:
-
- Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8 or Windows RT. When they do this, Windows works with your Microsoft Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Microsoft Store apps or websites, so that these credentials roam across any devices running these supported versions.
-
-- **Personalized settings synchronization**:
-
- Users can associate their most commonly used operating-system settings with a Microsoft account. These settings are available whenever a user signs in with that account on any device that is running a supported version of Windows and is connected to the cloud. After a user signs in, the device automatically attempts to get the user's settings from the cloud and apply them to the device.
-
-- **App synchronization**:
-
- Microsoft Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed.
-
-- **Integrated social media services**:
-
- Contact information and status for your users’ friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as OneDrive, Facebook, and Flickr.
-
-### Managing the Microsoft account in the domain
-
-Depending on your IT and business models, introducing Microsoft accounts into your enterprise might add complexity or it might provide solutions. You should address the following considerations before you allow the use of these account types in your enterprise:
-
-- [Restrict the use of the Microsoft account](#bkmk-restrictuse)
-
-- [Configure connected accounts](#bkmk-cfgconnectedaccounts)
-
-- [Provision Microsoft accounts in the enterprise](#bkmk-provisionaccounts)
-
-- [Audit account activity](#bkmk-audit)
-
-- [Perform password resets](#bkmk-passwordresets)
-
-- [Restrict app installation and usage](#bkmk-restrictappinstallationandusage)
-
-### Restrict the use of the Microsoft account
-
-The following Group Policy settings help control the use of Microsoft accounts in the enterprise:
-
-- [Block all consumer Microsoft account user authentication](#block-all-consumer-microsoft-account-user-authentication)
-- [Accounts: Block Microsoft accounts](#accounts-block-microsoft-accounts)
-
-#### Block all consumer Microsoft account user authentication
-
-This setting controls whether users can provide Microsoft accounts for authentication for applications or services.
-
-If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
-This applies both to existing users of a device and new users who may be added.
-
-However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires.
-It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present.
-
-If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication.
-By default, this setting is **Disabled**.
-
-This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications.
-
-The path to this setting is:
-
-Computer Configuration\Administrative Templates\Windows Components\Microsoft account
-
-#### Accounts: Block Microsoft accounts
-
-This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.
-
-There are two options if this setting is enabled:
-
-- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
-- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
-
-This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as **Mail**, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services).
-
-By default, this setting is **Not defined**.
-
-The path to this setting is:
-
-Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
-
-### Configure connected accounts
-
-Users can connect a Microsoft account to their domain account and synchronize the settings and preferences between them. This enables users to see the same desktop background, app settings, browser history and favorites, and other Microsoft account settings on their other devices.
-
-Users can disconnect a Microsoft account from their domain account at any time as follows: In **PC settings**, tap or click **Users**, tap or click **Disconnect**, and then tap or click **Finish**.
-
-**Note**
-Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account.
-
-### Provision Microsoft accounts in the enterprise
-
-Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts.
-
-### Audit account activity
-
-Because Microsoft accounts are Internet-based, Windows does not have a mechanism to audit their use until the account is associated with a domain account. But this association does not restrict the user from disconnecting the account or disjoining from the domain. It is not possible to audit the activity of accounts that are not associated with your domain.
-
-### Perform password resets
-
-Only the owner of the Microsoft account can change the password. Passwords can be changed in the [Microsoft account sign-in portal](https://login.live.com).
-
-### Restrict app installation and usage
-
-Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](/windows/device-security/applocker/applocker-overview) and [Packaged Apps and Packaged App Installer Rules in AppLocker](/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker).
-
-## See also
-
-- [Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj884082(v=ws.11))
-
-- [Access Control Overview](access-control.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
deleted file mode 100644
index eebc241c56..0000000000
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ /dev/null
@@ -1,331 +0,0 @@
----
-title: Security identifiers (Windows 10)
-description: Security identifiers
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection:
- - M365-identity-device-management
- - highpri
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
----
-
-# Security identifiers
-
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016
-- Windows Server 2019
-
-This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system.
-
-## What are security identifiers?
-
-A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account.
-
-Each account or group, or process running in the security context of the account, has a unique SID that is issued by an authority, such as a Windows domain controller. It is stored in a security database. The system generates the SID that identifies a particular account or group at the time the account or group is created. When a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group.
-
-Each time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user rights, and the SIDs for any groups the user belongs to. This token provides the security context for whatever actions the user performs on that computer.
-
-In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and World SIDs identify a group that includes all users. Well-known SIDs have values that remain constant across all operating systems.
-
-SIDs are a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment.
-
-The content in this topic applies to computers that are running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic.
-
-## How security identifiers work
-
-Users refer to accounts by using the account name, but the operating system internally refers to accounts and processes that run in the security context of the account by using their security identifiers (SIDs). For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope (domain or local), and they are never reused.
-
-The operating system generates a SID that identifies a particular account or group at the time the account or group is created. The SID for a local account or group is generated by the Local Security Authority (LSA) on the computer, and it is stored with other account information in a secure area of the registry. The SID for a domain account or group is generated by the domain security authority, and it is stored as an attribute of the User or Group object in Active Directory Domain Services.
-
-For every local account and group, the SID is unique for the computer where it was created. No two accounts or groups on the computer ever share the same SID. Likewise, for every domain account and group, the SID is unique within an enterprise. This means that the SID for an account or group that is created in one domain will never match the SID for an account or group created in any other domain in the enterprise.
-
-SIDs always remain unique. Security authorities never issue the same SID twice, and they never reuse SIDs for deleted accounts. For example, if a user with a user account in a Windows domain leaves her job, an administrator deletes her Active Directory account, including the SID that identifies the account. If she later returns to a different job at the same company, an administrator creates a new account, and the Windows Server operating system generates a new SID. The new SID does not match the old one; so none of the user's access from her old account is transferred to the new account. Her two accounts represent two completely different security principals.
-
-## Security identifier architecture
-
-A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
-
-
-
-The individual values of a SID are described in the following table.
-
-| Comment | Description |
-| - | - |
-| Revision | Indicates the version of the SID structure that is used in a particular SID. |
-| Identifier authority | Identifies the highest level of authority that can issue SIDs for a particular type of security principal. For example, the identifier authority value in the SID for the Everyone group is 1 (World Authority). The identifier authority value in the SID for a specific Windows Server account or group is 5 (NT Authority). |
-| Subauthorities | >Holds the most important information in a SID, which is contained in a series of one or more subauthority values. All values up to, but not including, the last value in the series collectively identify a domain in an enterprise. This part of the series is called the domain identifier. The last value in the series, which is called the relative identifier (RID), identifies a particular account or group relative to a domain. |
-
-The components of a SID are easier to visualize when SIDs are converted from a binary to a string format by using standard notation:
-```
-S-R-X-Y1-Y2-Yn-1-Yn
-```
-
-In this notation, the components of a SID are represented as shown in the following table.
-
-| Comment | Description |
-| - | - |
-| S | Indicates that the string is a SID |
-| R | Indicates the revision level |
-| X | Indicates the identifier authority value |
-| Y | Represents a series of subauthority values, where *n* is the number of values |
-
-The SID's most important information is contained in the series of subauthority values. The first part of the series (-Y1-Y2-Y*n*-1) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains, because the domain identifier differentiates SIDs that are issued by one domain from SIDs that are issued by all other domains in the enterprise. No two domains in an enterprise share the same domain identifier.
-
-The last item in the series of subauthority values (-Y*n*) is the relative identifier. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same relative identifier.
-
-For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string:
-
-```
-S-1-5-32-544
-```
-
-This SID has four components:
-
-- A revision level (1)
-
-- An identifier authority value (5, NT Authority)
-
-- A domain identifier (32, Builtin)
-
-- A relative identifier (544, Administrators)
-
-SIDs for built-in accounts and groups always have the same domain identifier value: 32. This value identifies the domain **Builtin**, which exists on every computer that is running a version of the Windows Server operating system. It is never necessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups because they are local in scope. They are local to a single computer, or in the case of domain controllers for a network domain, they are local to several computers that are acting as one.
-
-Built-in accounts and groups need to be distinguished from one another within the scope of the **Builtin** domain. Therefore, the SID for each account and group has a unique relative identifier. A relative identifier value of 544 is unique to the built-in Administrators group. No other account or group in the **Builtin** domain has a SID with a final value of 544.
-
-In another example, consider the SID for the global group, Domain Admins. Every domain in an enterprise has a Domain Admins group, and the SID for each group is different. The following example represents the SID for the Domain Admins group in the Contoso, Ltd. domain (Contoso\\Domain Admins):
-
-```
-S-1-5-21-1004336348-1177238915-682003330-512
-```
-
-The SID for Contoso\\Domain Admins has:
-
-- A revision level (1)
-
-- An identifier authority (5, NT Authority)
-
-- A domain identifier (21-1004336348-1177238915-682003330, Contoso)
-
-- A relative identifier (512, Domain Admins)
-
-The SID for Contoso\\Domain Admins is distinguished from the SIDs for other Domain Admins groups in the same enterprise by its domain identifier: 21-1004336348-1177238915-682003330. No other domain in the enterprise uses this value as its domain identifier. The SID for Contoso\\Domain Admins is distinguished from the SIDs for other accounts and groups that are created in the Contoso domain by its relative identifier, 512. No other account or group in the domain has a SID with a final value of 512.
-
-## Relative identifier allocation
-
-When accounts and groups are stored in an account database that is managed by a local Security Accounts Manager (SAM), it is fairly easy for the system to generate a unique relative identifier for each account and in a group that it creates on a stand-alone computer. The SAM on a stand-alone computer can track the relative identifier values that it has used before and make sure that it never uses them again.
-
-In a network domain, however, generating unique relative identifiers is a more complex process. Windows Server network domains can have several domain controllers. Each domain controller stores Active Directory account information. This means that, in a network domain, there are as many copies of the account database as there are domain controllers. In addition to this, every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes that are made to Active Directory on one domain controller are replicated to all other domain controllers in the domain. The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation.
-
-The process of generating unique relative identifiers is a single-master operation. One domain controller is assigned the role of relative identifier (RID) master, and it allocates a sequence of relative identifiers to each domain controller in the domain. When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a SID. The relative identifier for the new SID is taken from the domain controller's allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller requests another block from the RID master.
-
-Each domain controller uses each value in a block of relative identifiers only once. The RID master allocates each block of relative identifier values only once. This process assures that every account and group created in the domain has a unique relative identifier.
-
-## Security identifiers and globally unique identifiers
-
-When a new domain user or group account is created, Active Directory stores the account's SID in the **ObjectSID** property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise, but also across the world. GUIDs are assigned to every object that is created by Active Directory, not only User and Group objects. Each object's GUID is stored in its **ObjectGUID** property.
-
-Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object GUID produces results if the user has an account somewhere in the enterprise. In fact, searching for any object by **ObjectGUID** might be the most reliable way of finding the object you want to locate. The values of other object properties can change, but the **ObjectGUID** property never changes. When an object is assigned a GUID, it keeps that value for life.
-
-If a user moves from one domain to another, the user gets a new SID. The SID for a group object does not change because groups stay in the domain where they were created. However, if people move, their accounts can move with them. If an employee moves from North America to Europe, but stays in the same company, an administrator for the enterprise can move the employee's User object from, for example, Contoso\\NoAm to Contoso\\Europe. If the administrator does this, the User object for the account needs a new SID. The domain identifier portion of a SID that is issued in NoAm is unique to NoAm; so the SID for the user's account in Europe has a different domain identifier. The relative identifier portion of a SID is unique relative to the domain; so if the domain changes, the relative identifier also changes.
-
-When a User object moves from one domain to another, a new SID must be generated for the user account and stored in the **ObjectSID** property. Before the new value is written to the property, the previous value is copied to another property of a User object, **SIDHistory**. This property can hold multiple values. Each time a User object moves to another domain, a new SID is generated and stored in the **ObjectSID** property, and another value is added to the list of old SIDs in **SIDHistory**. When a user signs in and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user, including the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client, and they are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token (including one of the SIDs in **SIDHistory**), can allow or deny the user access.
-
-If you allow or deny users' access to a resource based on their jobs, you should allow or deny access to a group, not to an individual. That way, when users change jobs or move to other departments, you can easily adjust their access by removing them from certain groups and adding them to others.
-
-However, if you allow or deny an individual user access to resources, you probably want that user's access to remain the same no matter how many times the user's account domain changes. The **SIDHistory** property makes this possible. When a user changes domains, there is no need to change the access control list (ACL) on any resource. If an ACL has the user's old SID, but not the new one, the old SID is still in the user's access token. It is listed among the SIDs for the user's groups, and the user is granted or denied access based on the old SID.
-
-## Well-known SIDs
-
-The values of certain SIDs are constant across all systems. They are created when the operating system or domain is installed. They are called well-known SIDs because they identify generic users or generic groups.
-
-There are universal well-known SIDs that are meaningful on all secure systems that use this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows operating systems.
-
-The following table lists the universal well-known SIDs.
-
-| Value | Universal Well-Known SID | Identifies |
-| - | - | - |
-| S-1-0-0 | Null SID | A group with no members. This is often used when a SID value is not known.|
-| S-1-1-0 | World | A group that includes all users. |
-| S-1-2-0 | Local | Users who log on to terminals that are locally (physically) connected to the system. |
-| S-1-2-1 | Console Logon | A group that includes users who are logged on to the physical console. |
-| S-1-3-0 | Creator Owner ID | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs. |
-| S-1-3-1 | Creator Group ID | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs. |
-| S-1-3-2 | Creator Owner Server | |
-| S-1-3-3 | Creator Group Server | |
-| S-1-3-4 | Owner Rights | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. |
-| S-1-4 | Non-unique Authority | A SID that represents an identifier authority. |
-| S-1-5 | NT Authority | A SID that represents an identifier authority. |
-| S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.|
-
-The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list.
-
-| Identifier Authority | Value | SID String Prefix |
-| - | - | - |
-| SECURITY_NULL_SID_AUTHORITY | 0 | S-1-0 |
-| SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 |
-| SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 |
-| SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 |
-| SECURITY_NT_AUTHORITY | 5 | S-1-5 |
-| SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18 |
-
-The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
-
-| Relative Identifier Authority | Value | Identifier Authority |
-| - | - | - |
-| SECURITY_NULL_RID | 0 | S-1-0 |
-| SECURITY_WORLD_RID | 0 | S-1-1 |
-| SECURITY_LOCAL_RID | 0 | S-1-2 |
-| SECURITY_CREATOR_OWNER_RID | 0 | S-1-3 |
-| SECURITY_CREATOR_GROUP_RID | 1 | S-1-3 |
-
-The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal and are meaningful only in installations of the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. The following table lists the well-known SIDs.
-
-| SID | Display Name | Description |
-| - | - | - |
-| S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection.|
-| S-1-5-113 | Local account| You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named.|
-| S-1-5-114| Local account and member of Administrators group | You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named. |
-| S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.|
-| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.|
-| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.|
-| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.|
-| S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.|
-| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
Microsoft Lync 2016
Microsoft Excel 2016
Microsoft OneNote 2016
Microsoft Outlook 2016
Microsoft PowerPoint 2016
Microsoft Project 2016
Microsoft Publisher 2016
Microsoft SharePoint Designer 2013 (not updated for 2016)
Microsoft Visio 2016
Microsoft Word 2016
Microsoft Office Upload Manager
Microsoft Infopath has been removed (deprecated) from the Office 2016 suite |
| Microsoft Office 2013 applications
[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2013
Microsoft Excel 2013
Microsoft Outlook 2013
Microsoft Access 2013
Microsoft Project 2013
Microsoft PowerPoint 2013
Microsoft Publisher 2013
Microsoft Visio 2013
Microsoft InfoPath 2013
Microsoft Lync 2013
Microsoft OneNote 2013
Microsoft SharePoint Designer 2013
Microsoft Office 2013 Upload Center
Microsoft OneDrive for Business 2013
| Microsoft Office 2010 applications
[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2010
Microsoft Excel 2010
Microsoft Outlook 2010
Microsoft Access 2010
Microsoft Project 2010
Microsoft PowerPoint 2010
Microsoft Publisher 2010
Microsoft Visio 2010
Microsoft SharePoint Workspace 2010
Microsoft InfoPath 2010
Microsoft Lync 2010
Microsoft OneNote 2010
Microsoft SharePoint Designer 2010 |
-| Browser options: Internet Explorer 11 and 10 | Synchronize favorites, home page, tabs, and toolbars.
**Note**
UE-V does not roam settings for Internet Explorer cookies. |
+| Browser options: Internet Explorer 11 and 10 | Synchronize favorites, home page, tabs, and toolbars.
**Note**
UE-V doesn't roam settings for Internet Explorer cookies. |
| Windows accessories | Microsoft NotePad, WordPad |
> [!NOTE]
> - An Outlook profile must be created for any device on which a user wants to sync their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization.
>
-> - UE-V does not synchronize settings between the Microsoft Calculator in Windows 10 and the Microsoft Calculator in previous operating systems.
+> - UE-V doesn't synchronize settings between the Microsoft Calculator in Windows 10 and the Microsoft Calculator in previous operating systems.
### Windows settings synchronized by default
@@ -106,10 +106,10 @@ UE-V includes settings location templates that capture settings values for these
|----------------------|-----------------|--------------|---------------|-------------------|
| Desktop background | Currently active desktop background or wallpaper | Log on, unlock, remote connect, Scheduled Task events | Log off, lock, remote disconnect, or scheduled task interval | Enabled |
| Ease of Access | Accessibility and input settings, Microsoft Magnifier, Narrator, and on-Screen Keyboard | Log on only | Log off or scheduled task interval | Enabled |
-| Desktop settings | Start menu and Taskbar settings, folder options, default desktop icons, additional clocks, and region and language settings | Log on only | Log off or scheduled task | Enabled |
+| Desktop settings | Start menu and Taskbar settings, folder options, default desktop icons, more clocks, and region and language settings | Log on only | Log off or scheduled task | Enabled |
> [!IMPORTANT]
-> UE-V roams taskbar settings between Windows 10 devices. However, UE-V does not synchronize taskbar settings between Windows 10 devices and devices running previous operating systems versions.
+> UE-V roams taskbar settings between Windows 10 devices. However, UE-V doesn't synchronize taskbar settings between Windows 10 devices and devices running previous operating systems versions.
| Settings group | Category | Capture | Apply |
|--------------------------|----------------|----------------|--------------|
@@ -142,11 +142,11 @@ Printer roaming in UE-V requires one of these scenarios:
- The printer driver can be imported from Windows Update.
> [!NOTE]
-> The UE-V printer roaming feature does not roam printer settings or preferences, such as printing double-sided.
+> The UE-V printer roaming feature doesn't roam printer settings or preferences, such as printing double-sided.
### Determine whether you need settings synchronized for other applications
-After you have reviewed the settings that are synchronized automatically in a UE-V deployment, you'll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise.
+After you've reviewed the settings that are synchronized automatically in a UE-V deployment, you’ll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise.
As an administrator, when you consider which desktop applications to include in your UE-V solution, consider which settings can be customized by users, and how and where the application stores its settings. Not all desktop applications have settings that can be customized or that are routinely customized by users. In addition, not all desktop applications settings can be synchronized safely across multiple devices or environments.
@@ -167,14 +167,14 @@ If you've decided that you need to synchronize settings for custom applications,
|  | Does this application contain settings that the user can customize? |
|  | Is it important for the user that these settings are synchronized? |
|  | Are these user settings already managed by an application management or settings policy solution? UE-V applies application settings at application startup and Windows settings at logon, unlock, or remote connect events. If you use UE-V with other settings sharing solutions, users might experience inconsistency across synchronized settings. |
-|  | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations do not consistently synchronize across sessions and can cause a poor application experience. |
-|  | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually should not synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. |
-|  | Does the application store any settings in a file that contains other application data that should not synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this additional data can cause a poor application experience.|
+|  | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations don't consistently synchronize across sessions and can cause a poor application experience. |
+|  | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually shouldn't synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. |
+|  | Does the application store any settings in a file that contains other application data that shouldn't synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this extra data can cause a poor application experience.|
|  | How large are the files that contain the settings? The performance of the settings synchronization can be affected by large files. Including large files can affect the performance of settings synchronization. |
## Other considerations when preparing a UE-V deployment
-You should also consider these things when you are preparing to deploy UE-V:
+You should also consider these things when you're preparing to deploy UE-V:
- [Managing credentials synchronization](#managing-credentials-synchronization-in-ue-v)
@@ -192,19 +192,19 @@ You should also consider these things when you are preparing to deploy UE-V:
### Managing credentials synchronization in UE-V
-Many enterprise applications, including Microsoft Outlook, Lync, and Skype for Business prompt users for their domain credentials when they log in. Users have the option of saving their credentials to disk to prevent having to enter them every time they open these applications. Enabling roaming credentials synchronization lets users save their credentials on one computer and avoid re-entering them on every computer they use in their environment. Users can synchronize some domain credentials with UE-V.
+Many enterprise applications, including Microsoft Outlook, Lync, and Skype for Business prompt users for their domain credentials when they log in. Users have the option of saving their credentials to disk to prevent having to enter them every time they open these applications. Enabling roaming credentials synchronization lets users save their credentials on one computer and avoid reentering them on every computer they use in their environment. Users can synchronize some domain credentials with UE-V.
> [!IMPORTANT]
> Credentials synchronization is disabled by default. You must explicitly enable credentials synchronization after you enable the UE-V service to implement this feature.
-UE-V can synchronize enterprise credentials, but does not roam credentials intended only for use on the local device.
+UE-V can synchronize enterprise credentials, but doesn't roam credentials intended only for use on the local device.
-Credentials are synchronous settings, meaning that they are applied to users' profiles the first time they log on to their devices after UE-V synchronizes.
+Credentials are synchronous settings, meaning that they're applied to users' profiles the first time they log on to their devices after UE-V synchronizes.
Credentials synchronization is managed by its own settings location template, which is disabled by default. You can enable or disable this template through the same methods used for other templates. The template identifier for this feature is RoamingCredentialSettings.
> [!IMPORTANT]
-> If you are using Active Directory Credential Roaming in your environment, we recommend that you do not enable the UE-V credential roaming template. Instead, use PowerShell or Group Policy to enable credentials synchronization. Note that credentials are encrypted during synchronization.
+> If you're using Active Directory Credential Roaming in your environment, we recommend that you do not enable the UE-V credential roaming template. Instead, use PowerShell or Group Policy to enable credentials synchronization. Note that credentials are encrypted during synchronization.
[PowerShell](uev-administering-uev-with-windows-powershell-and-wmi.md)**:** Enter this PowerShell cmdlet to enable credential synchronization:
@@ -246,7 +246,7 @@ Credential files saved by applications into the following locations are synchron
- %UserProfile%\\AppData\\Roaming\\Microsoft\\SystemCertificates\\
-Credentials saved to other locations are not synchronized by UE-V.
+Credentials saved to other locations aren't synchronized by UE-V.
### Windows applications settings synchronization
@@ -256,13 +256,13 @@ UE-V manages Windows application settings synchronization in three ways:
- **Windows applications list:** Synchronize a list of Windows applications
-- **Unlisted default sync behavior:** Determine the synchronization behavior of Windows applications that are not in the Windows applications list.
+- **Unlisted default sync behavior:** Determine the synchronization behavior of Windows applications that aren't in the Windows applications list.
For more information, see the [Windows Application List](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md#win8applist).
### Custom UE-V settings location templates
-If you are deploying UE-V to synchronize settings for custom applications, you'll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices.
+If you're deploying UE-V to synchronize settings for custom applications, you’ll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices.
Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Endpoint Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell.
@@ -282,7 +282,7 @@ UE-V downloads new user settings information from a settings storage location an
- When the Sync Controller Application scheduled task is run
-If UE-V is installed on computer A and computer B, and the settings that you want for the application are on computer A, then computer A should open and close the application first. If the application is opened and closed on computer B first, then the application settings on computer A are configured to the application settings on computer B. Settings are synchronized between computers on per-application basis. Over time, settings become consistent between computers as they are opened and closed with preferred settings.
+If UE-V is installed on computer A and computer B, and the settings that you want for the application are on computer A, then computer A should open and close the application first. If the application is opened and closed on computer B first, then the application settings on computer A are configured to the application settings on computer B. Settings are synchronized between computers on per-application basis. Over time, settings become consistent between computers as they're opened and closed with preferred settings.
This scenario also applies to Windows settings. If the Windows settings on computer B should be the same as the Windows settings on computer A, then the user should log on and log off computer A first.
@@ -304,17 +304,17 @@ The UE-V settings storage location and settings template catalog support storing
- Format the storage volume with an NTFS file system.
-- The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is specifically not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see:
+- The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see:
- [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles)
- [Information about Microsoft support policy for a DFS-R and DFS-N deployment scenario](/troubleshoot/windows-server/networking/support-policy-for-dfsr-dfsn-deployment)
- In addition, because SYSVOL uses DFSR for replication, SYSVOL cannot be used for UE-V data file replication.
+ In addition, because SYSVOL uses DFSR for replication, SYSVOL can't be used for UE-V data file replication.
- Configure the share permissions and NTFS access control lists (ACLs) as specified in [Deploying the settings storage location for UE-V](uev-deploy-required-features.md).
-- Use file server clustering along with the UE-V service to provide access to copies of user state data in the event of communications failures.
+- Use file server clustering along with the UE-V service to provide access to copies of user state data if communications failures occur.
- You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFSN shares, or on both.
@@ -335,7 +335,7 @@ Before you proceed, ensure that your environment meets these requirements for us
> [!NOTE]
> - Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed.
>
-> - The "Delete Roaming Cache" policy for mandatory profiles is not supported with UE-V and should not be used.
+> - The “Delete Roaming Cache” policy for mandatory profiles isn't supported with UE-V and shouldn't be used.
There are no special random access memory (RAM) requirements specific to UE-V.
@@ -353,7 +353,7 @@ Sync Provider is the default setting for users and synchronizes a local cache wi
A scheduled task manages this synchronization of settings every 30 minutes or through trigger events for certain applications. For more information, see [Changing the frequency of UE-V scheduled tasks](uev-changing-the-frequency-of-scheduled-tasks.md).
-The UE-V service synchronizes user settings for devices that are not always connected to the enterprise network (remote devices and laptops) and devices that are always connected to the network (devices that run Windows Server and host virtual desktop interface (VDI) sessions).
+The UE-V service synchronizes user settings for devices that aren't always connected to the enterprise network (remote devices and laptops) and devices that are always connected to the network (devices that run Windows Server and host virtual desktop interface (VDI) sessions).
**Synchronization for computers with always-available connections** When you use UE-V on devices that are always connected to the network, you must configure the UE-V service to synchronize settings by using the *SyncMethod=None* parameter, which treats the settings storage server as a standard network share. In this configuration, the UE-V service can be configured to notify if the import of the application settings is delayed.
diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 1e4ef75b50..af75531621 100644
--- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -21,8 +21,8 @@ Operating system images are typically the production image used for deployment t
## Infrastructure
-For the purposes of this guide, we will use one server computer: CM01.
-- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+For the purposes of this guide, we'll use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
- CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
@@ -46,7 +46,7 @@ An existing Configuration Manager infrastructure that is integrated with MDT is
5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, click **Next** twice, and then click **Close**.
6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**.
7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**.
-8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
+8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 4dad48dc9d..1d57288f6f 100644
--- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -17,10 +17,10 @@ ms.custom: seo-marvel-apr2020
- Windows 10
-In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
+In this topic, you'll learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it's likely you'll have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
-For the purposes of this guide, we will use one server computer: CM01.
-- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+For the purposes of this guide, we'll use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
@@ -29,9 +29,9 @@ For the purposes of this guide, we will use one server computer: CM01.
This section will show you how to import some network and storage drivers for Windows PE.
>[!NOTE]
->Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you have an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure.
+>Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure.
-This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.
+This section assumes you've downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.
@@ -58,7 +58,7 @@ On **CM01**:
This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. Use the HP Image Assistant from the [HP Client Management Solutions site](https://hp.com/go/clientmanagement).
-For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01.
+For the purposes of this section, we assume that you've downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01.
@@ -81,9 +81,9 @@ On **CM01**:
* Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w
>[!NOTE]
- >The package path does not yet exist, so you have to type it in. The wizard will create the new package using the path you specify.
+ >The package path does not yet exist, so you've to type it in. The wizard will create the new package using the path you specify.
-5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**.
+5. On the **Select drivers to include in the boot image** page, don't select anything, and click **Next** twice. After the package has been created, click **Close**.
>[!NOTE]
>If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index e925ac8f45..fb7aae6b8e 100644
--- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -20,16 +20,16 @@ ms.custom: seo-marvel-apr2020
In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
- The boot image that is created is based on the version of ADK that is installed.
-For the purposes of this guide, we will use one server computer: CM01.
-- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+For the purposes of this guide, we'll use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
## Add DaRT 10 files and prepare to brand the boot image
-The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you do not wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image.
+The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you don't wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image.
-We assume you have downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you have created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp.
+We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp.
On **CM01**:
@@ -42,7 +42,7 @@ On **CM01**:
## Create a boot image for Configuration Manager using the MDT wizard
-By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard.
+By using the MDT wizard to create the boot image in Configuration Manager, you gain more options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard.
On **CM01**:
@@ -65,7 +65,7 @@ On **CM01**:
6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then click **Next** twice. Wait a few minutes while the boot image is generated, and then click **Finish**.
7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
-9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples:
+9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples:
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 260b79eadd..f846694f35 100644
--- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -16,10 +16,10 @@ ms.topic: article
- Windows 10
-In this article, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
+In this article, you'll learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
-For the purposes of this guide, we will use one server computer: CM01.
-- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+For the purposes of this guide, we'll use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly.
@@ -93,9 +93,9 @@ On **CM01**:
Add an application to the Configuration Manager task sequence
>[!NOTE]
- >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There is also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release.
+ >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release.
-9. In the **State Restore** group, after the **Set Status 5** action, verify there is a **User State \ Request State Store** action with the following settings:
+9. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings:
* Request state storage location to: Restore state from another computer
* If computer account fails to connect to state store, use the Network Access account: selected
* Options: Continue on error
@@ -103,7 +103,7 @@ On **CM01**:
* Task Sequence Variable
* USMTLOCAL not equals True
-10. In the **State Restore** group, after the **Restore User State** action, verify there is a **Release State Store** action with the following settings:
+10. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings:
* Options: Continue on error
* Options / Condition:
* Task Sequence Variable
@@ -113,14 +113,14 @@ On **CM01**:
## Organize your packages (optional)
-If desired, you can create a folder structure for packages. This is purely for organizational purposes and is useful if you need to manage a large number of packages.
+If desired, you can create a folder structure for packages. This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages.
To create a folder for packages:
On **CM01**:
1. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
-2. Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This will create the Root \ OSD folder structure.
+2. Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure.
3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**.
4. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index caae9de1b6..102b3ae2d6 100644
--- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -1,6 +1,7 @@
---
title: Create an app to deploy with Windows 10 using Configuration Manager
-description: Microsoft Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process.
+description: Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process.
+ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
ms.reviewer:
manager: dougeby
ms.author: aaroncz
@@ -19,8 +20,8 @@ ms.topic: article
Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Manager that you later configure the task sequence to use.
-For the purposes of this guide, we will use one server computer: CM01.
-- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+For the purposes of this guide, we'll use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
>[!NOTE]
>The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image.
@@ -29,9 +30,9 @@ For the purposes of this guide, we will use one server computer: CM01.
On **CM01**:
-1. Create the **D:\Setup** folder if it does not already exist.
+1. Create the **D:\Setup** folder if it doesn't already exist.
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader.
-2. Extract the .exe file that you downloaded to an .msi. The source folder will differ depending on where you downloaded the file. See the following example:
+2. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example:
```powershell
Set-Location C:\Users\administrator.CONTOSO\Downloads
@@ -64,7 +65,7 @@ On **CM01**:
Add the "OSD Install" suffix to the application name
-11. In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this is another place to view properties, you can also right-click and select properties).
+11. In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties).
12. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**.
Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md).
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
index 55d9928a01..253e63190e 100644
--- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -1,6 +1,7 @@
---
title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
-description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences.
+description: In this topic, you'll learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences.
+ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
manager: dougeby
ms.author: aaroncz
ms.prod: w10
@@ -16,9 +17,9 @@ ms.collection: highpri
- Windows 10
-In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic.
+In this topic, you'll learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic.
-This topic assumes that you have completed the following prerequisite procedures:
+This topic assumes that you've completed the following prerequisite procedures:
- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
- [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
- [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
@@ -27,10 +28,10 @@ This topic assumes that you have completed the following prerequisite procedures
- [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
- [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-For the purposes of this guide, we will use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001).
+For the purposes of this guide, we'll use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001).
- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS).
-- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
- - CM01 is also running WDS which will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
+ - CM01 is also running WDS that will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS.
- PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network.
>[!NOTE]
@@ -38,7 +39,7 @@ For the purposes of this guide, we will use a minimum of two server computers (D
All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
-All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+All server and client computers referenced in this guide are on the same subnet. This connection isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
>[!NOTE]
>No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console.
@@ -50,7 +51,7 @@ All server and client computers referenced in this guide are on the same subnet.
3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
5. The operating system deployment will take several minutes to complete.
-6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following:
+6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following steps:
* Install the Windows 10 operating system.
* Install the Configuration Manager client and the client hotfix.
@@ -64,7 +65,7 @@ All server and client computers referenced in this guide are on the same subnet.
Monitoring the deployment with MDT.
-7. When the deployment is finished you will have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus.
+7. When the deployment is finished you'll have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus.
Examples are provided below of various stages of deployment:
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 15ccee4085..3984e65a9b 100644
--- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -19,8 +19,8 @@ ms.custom: seo-marvel-apr2020
This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence.
-For the purposes of this guide, we will use one server computer: CM01.
-- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+For the purposes of this guide, we'll use one server computer: CM01.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
@@ -45,11 +45,11 @@ On **CM01**:
## Configure the Logs folder
-The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we will add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence.
+The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we'll add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence.
On **CM01**:
-1. To configure NTFS permissions using icacls.exe, type the following at an elevated Windows PowerShell prompt:
+1. To configure NTFS permissions using icacls.exe, type the following command at an elevated Windows PowerShell prompt:
```
icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
@@ -82,17 +82,17 @@ On **CM01**:
3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Click **OK** in the popup dialog box.
>[!NOTE]
- >Although you have not yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes.
+ >Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes.
## Distribute content to the CM01 distribution portal
-In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point.
+In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that haven't yet been distributed to the CM01 distribution point.
On **CM01**:
1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**.
2. In the Distribute Content Wizard, click **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard.
-3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully.
+3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully.
@@ -100,7 +100,7 @@ On **CM01**:
## Create a deployment for the task sequence
-This sections provides steps to help you create a deployment for the task sequence.
+This section provides steps to help you create a deployment for the task sequence.
On **CM01**:
@@ -126,7 +126,7 @@ On **CM01**:
## Configure Configuration Manager to prompt for the computer name during deployment (optional)
-You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
+You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more information on how to do this step, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names.
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 840f69546c..785a68cc3d 100644
--- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -20,7 +20,7 @@ This article walks you through the Zero Touch Installation (ZTI) process of Wind
## Prerequisites
-In this article, you'll use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment:
+In this topic, you'll use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment:
- Configuration Manager current branch + all security and critical updates are installed.
@@ -32,19 +32,18 @@ In this article, you'll use [components](#components-of-configuration-manager-op
- The Configuration Manager [reporting services](/mem/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.
- A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure).
- The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
-- The [CMTrace tool](/mem/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
-
- > [!NOTE]
- > CMTrace is automatically installed with the current branch of Configuration Manager.
+- The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
+ > [!NOTE]
+ > CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr, it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this separate installation is no longer needed. Configuration Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool.
For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01.
- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server.
-- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
- HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer doesn't need to be a domain member.
All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
-All server and client computers referenced in this guide are on the same subnet. This configuration isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
### Domain credentials
@@ -57,13 +56,13 @@ The following generic credentials are used in this guide. You should replace the
## Create the OU structure
>[!NOTE]
->If you have already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section.
+>If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section.
On **DC01**:
To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. The procedure below uses Windows PowerShell.
-To use Windows PowerShell, copy the following commands into a text file and save it as **C:\Setup\Scripts\ou.ps1**. Be sure that you're viewing file extensions and that you save the file with the `.ps1` extension.
+To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Ensure that you're viewing file extensions and that you save the file with the .ps1 extension.
```powershell
$oulist = Import-csv -Path c:\oulist.txt
@@ -123,11 +122,11 @@ On **DC01**:
## Configure Active Directory permissions
-In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://github.com/DeploymentArtist/SWP1/tree/master/Scripts) and copied it to C:\\Setup\\Scripts on DC01.
+In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01.
On **DC01**:
-1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt:
+1. Sign in as contoso\administrator and enter the following commands at an elevated Windows PowerShell prompt:
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
@@ -135,7 +134,7 @@ On **DC01**:
.\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
```
-2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted:
+2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following list is that of permissions being granted:
* Scope: This object and all descendant objects
* Create Computer objects
@@ -174,7 +173,7 @@ To support the packages you create in this article, the following folder structu
You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure:
->We will also create the D:\Logs folder here which will be used later to support server-side logging.
+>We'll also create the D:\Logs folder here which will be used later to support server-side logging.
```powershell
New-Item -ItemType Directory -Path "D:\Sources"
@@ -196,7 +195,7 @@ New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE
## Integrate Configuration Manager with MDT
-To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you have already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings.
+To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you've already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings.
On **CM01**:
@@ -264,7 +263,7 @@ On **CM01**:
Configure the CM01 distribution point for PXE.
>[!NOTE]
- >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
+ >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
@@ -272,7 +271,7 @@ On **CM01**:
The distmgr.log displays a successful configuration of PXE on the distribution point.
-5. Verify that you have seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**.
+5. Verify that you've seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**.
@@ -284,18 +283,17 @@ Next, see [Create a custom Windows PE boot image with Configuration Manager](cre
## Components of Configuration Manager operating system deployment
-Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are other components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
+Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are more components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
-- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
+- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image.
- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
-- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides extra task sequence templates to Configuration Manager.
-
+- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager.
> [!NOTE]
> The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10.
@@ -303,12 +301,17 @@ Operating system deployment with Configuration Manager is part of the normal sof
As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name doesn't reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
+>[!NOTE]
+>MDT installation requires the following:
+>- The Windows ADK for Windows 10 (installed in the previous procedure)
+>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
+>- Microsoft .NET Framework
+
### MDT enables dynamic deployment
-When MDT is integrated with Configuration Manager, the task sequence takes other instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have a script or web services provide the settings used.
+When MDT is integrated with Configuration Manager, the task sequence takes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
-
- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence.
``` syntax
@@ -349,7 +352,7 @@ The folder that contains the rules, a few scripts from MDT, and a custom script
### MDT adds real-time monitoring
-With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
+With MDT integration, you can follow your deployments in real time, and if you've access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
@@ -370,25 +373,18 @@ MDT Zero Touch simply extends Configuration Manager with many useful built-in op
You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
-- Configuration Manager performs deployment in the LocalSystem context. This means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
+- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
- The Configuration Manager task sequence doesn't suppress user interface interaction.
- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured.
- MDT Lite Touch doesn't require any infrastructure and is easy to delegate.
-## Related articles
-
-[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-
-[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-
-[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-
-[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-
-[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
-
-[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+## Related topics
+[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
+[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
+[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
+[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 117dedd018..41822baf59 100644
--- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -17,7 +17,7 @@ ms.custom: seo-marvel-apr2020
- Windows 10
-This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh is not the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refesh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
+This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refresh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps:
@@ -31,8 +31,8 @@ A computer refresh with Configuration Manager works the same as it does with MDT
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
-For the purposes of this article, we will use one server computer (CM01) and one client computer (PC0003).
-- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0003).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
- PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10.
>[!NOTE]
@@ -40,7 +40,7 @@ For the purposes of this article, we will use one server computer (CM01) and one
All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
-All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
>[!IMPORTANT]
>This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
@@ -76,7 +76,7 @@ On **CM01**:
Use the default settings to complete the remaining wizard pages and click **Close**.
-2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection.
+2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection.
>[!NOTE]
>It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
@@ -94,7 +94,7 @@ Using the Configuration Manager console, in the Software Library workspace, expa
- Make available to the following: Configuration Manager clients, media and PXE
>[!NOTE]
- >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
+ >It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
- Scheduling
- <default>
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 242bcd70ee..4d0bcca63b 100644
--- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -1,6 +1,7 @@
---
title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
-description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager.
+description: In this topic, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager.
+ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
ms.reviewer:
manager: dougeby
ms.author: aaroncz
@@ -17,16 +18,16 @@ ms.custom: seo-marvel-apr2020
- Windows 10
-In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the device, you have to run the backup job separately from the deployment of Windows 10.
+In this topic, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you're replacing the device, you have to run the backup job separately from the deployment of Windows 10.
-In this topic, you will create a backup-only task sequence that you run on PC0004 (the device you are replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
+In this topic, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This process is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
## Infrastructure
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
-For the purposes of this article, we will use one server computer (CM01) and two client computers (PC0004, PC0006).
-- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+For the purposes of this article, we'll use one server computer (CM01) and two client computers (PC0004, PC0006).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
- Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work.
- PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced.
- PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004.
@@ -36,7 +37,7 @@ For the purposes of this article, we will use one server computer (CM01) and two
All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
-All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
>[!IMPORTANT]
>This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
@@ -70,15 +71,15 @@ The backup-only task sequence (named Replace Task Sequence).
## Associate the new device with the old computer
-This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine.
+This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine.
On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS:
-1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Do not attempt to PXE boot PC0006 yet.
+1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet.
On **CM01**:
-2. Using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**.
+2. When you're using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**.
3. On the **Select Source** page, select **Import single computer** and click **Next**.
4. On the **Single Computer** page, use the following settings and then click **Next**:
@@ -95,14 +96,14 @@ On **CM01**:
7. On the **Choose additional collections** page, click **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then click **Next**.
8. On the **Summary** page, click **Next**, and then click **Close**.
9. Select the **User State Migration** node and review the computer association in the right hand pane.
-10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not.
-11. Review the **Install Windows 10 Enterprise x64** collection. Do not continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again.
+10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't.
+11. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again.
## Create a device collection and add the PC0004 computer
On **CM01**:
-1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
* General
* Name: USMT Backup (Replace)
@@ -117,7 +118,7 @@ On **CM01**:
Use default settings for the remaining wizard pages, then click **Close**.
-2. Review the **USMT Backup (Replace)** collection. Do not continue until you see the **PC0004** computer in the collection.
+2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection.
## Create a new deployment
@@ -145,7 +146,7 @@ This section assumes that you have a computer named PC0004 with the Configuratio
On **PC0004**:
-1. If it is not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc).
+1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc).
2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears.
>[!NOTE]
@@ -161,8 +162,8 @@ Capturing the user state
On **CM01**:
-6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a sub-folder was created containing the USMT backup.
-7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location.
+6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup.
+7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location.
>[!NOTE]
>It may take a few minutes for the user state store location to be populated.
@@ -176,7 +177,7 @@ On **PC0006**:
* Password: pass@word1
* Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
-2. The setup now starts and does the following:
+2. The setup now starts and does the following steps:
* Installs the Windows 10 operating system
* Installs the Configuration Manager client
@@ -184,7 +185,7 @@ On **PC0006**:
* Installs the applications
* Restores the PC0004 backup
-When the process is complete, you will have a new Windows 10 computer in your domain with user data and settings restored. See the following examples:
+When the process is complete, you'll have a new Windows 10 computer in your domain with user data and settings restored. See the following examples:
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
index dd7097e837..5d6a936a26 100644
--- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
@@ -27,28 +27,28 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi
An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
-For the purposes of this article, we will use one server computer (CM01) and one client computers (PC0004).
-- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
+For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0004).
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
- PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10.
All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
-All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
## Add an OS upgrade package
-Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it does not use a default OS image, but rather uses an [OS upgrade package](/configmgr/osd/get-started/manage-operating-system-upgrade-packages).
+Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it doesn't use a default OS image, but rather uses an [OS upgrade package](/configmgr/osd/get-started/manage-operating-system-upgrade-packages).
On **CM01**:
1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and click **Add Operating System Upgrade Package**.
-2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we have extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**.
-3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we have chosen **Windows 10 Enterprise**.
+2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**.
+3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we've chosen **Windows 10 Enterprise**.
4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then click **Next**.
5. Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**.
6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**.
7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**.
-8. View the content status for the Windows 10 x64 RTM upgrade package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
+8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
## Create an in-place upgrade task sequence
@@ -77,7 +77,7 @@ After you create the upgrade task sequence, you can create a collection to test
On **CM01**:
-1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
- General
- Name: Windows 10 x64 in-place upgrade
- Limited Collection: All Systems
@@ -89,7 +89,7 @@ On **CM01**:
- Select Resources
- Select PC0004
-2. Review the Windows 10 x64 in-place upgrade collection. Do not continue until you see PC0004 in the collection.
+2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection.
## Deploy the Windows 10 upgrade
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index 3300697ddc..ccf4df0e57 100644
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
@@ -1,6 +1,7 @@
---
title: Build a distributed environment for Windows 10 deployment (Windows 10)
-description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations.
+description: In this topic, you'll learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations.
+ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c
ms.reviewer:
manager: dougeby
ms.author: aaroncz
@@ -17,9 +18,9 @@ ms.topic: article
Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments.
-Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we will deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation.
+Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we'll deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation.
-For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more details on the infrastructure setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more information on the infrastructure setup for this topic, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
@@ -29,7 +30,7 @@ Computers used in this topic.
## Replicate deployment shares
-Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content.
+Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content.
> [!NOTE]
> Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target.
@@ -40,7 +41,7 @@ LDS is a built-in feature in MDT for replicating content. However, LDS works bes
### Why DFS-R is a better option
-DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02.
+DFS-R isn't only fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02.
## Set up Distributed File System Replication (DFS-R) for replication
@@ -113,7 +114,7 @@ When you have multiple deployment servers sharing the same content, you need to
On **MDT01**:
-1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use.
+1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use.
```ini
[Settings]
@@ -152,7 +153,7 @@ On **MDT01**:
## Replicate the content
- Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication.
+ Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication.
### Create the replication group
@@ -247,7 +248,7 @@ Now you should have a solution ready for deploying the Windows 10 client to the
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
2. Computer Name: PC0006
3. Applications: Select the Install - Adobe Reader
-4. Setup will now start and perform the following:
+4. Setup will now start and perform the following steps:
1. Install the Windows 10 Enterprise operating system.
2. Install applications.
3. Update the operating system using your local Windows Server Update Services (WSUS) server.
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
index 078bb06ca8..fe96dcd42b 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
@@ -12,7 +12,7 @@ ms.topic: article
# Configure MDT deployment share rules
-In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file.
+In this topic, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file.
## Assign settings
@@ -29,7 +29,7 @@ Before adding the more advanced components like scripts, databases, and web serv
### Set computer name by MAC Address
-If you have a small test environment, or simply want to assign settings to a very limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead.
+If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead.
```
[Settings]
@@ -90,7 +90,7 @@ In the preceding sample, you still configure the rules to set the computer name
### Add laptops to a different organizational unit (OU) in Active Directory
-In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you are deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType is not a reserved word; rather, it is the name of the section to read.
+In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you're deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType isn't a reserved word; rather, it's the name of the section to read.
```
[Settings]
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index c4bbe93743..8c0ba8179d 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -1,6 +1,7 @@
---
title: Configure MDT settings (Windows 10)
-description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization.
+description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization.
+ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
ms.reviewer:
manager: dougeby
ms.author: aaroncz
@@ -12,8 +13,8 @@ ms.topic: article
# Configure MDT settings
-One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
-For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
+One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
+For the purposes of this topic, we'll use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index e9d1c48603..1f482f177d 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -15,12 +15,12 @@ ms.topic: article
**Applies to**
- Windows 10
-Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution.
+Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you 'll have a Windows 10 reference image that can be used in your deployment solution.
>[!NOTE]
->See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information about the server, client, and network infrastructure used in this guide.
+>For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-For the purposes of this topic, we will use three computers: DC01, MDT01, and HV01.
+For the purposes of this topic, we'll use three computers: DC01, MDT01, and HV01.
- DC01 is a domain controller for the contoso.com domain.
- MDT01 is a contoso.com domain member server.
- HV01 is a Hyper-V server that will be used to build the reference image.
@@ -31,22 +31,22 @@ For the purposes of this topic, we will use three computers: DC01, MDT01, and HV
## The reference image
-The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following:
+The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are:
- To reduce development time and can use snapshots to test different configurations quickly.
-- To rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related.
-- To ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process.
+- To rule out hardware issues. You get the best possible image, and if you've a problem, it's not likely to be hardware related.
+- To ensure that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process.
- The image is easy to move between lab, test, and production.
## Set up the MDT build lab deployment share
-With Windows 10, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
+With Windows 10, there's no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications and all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
### Create the MDT build lab deployment share
On **MDT01**:
- Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic).
-- Start the MDT deployment workbench, and pin this to the taskbar for easy access.
+- Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access.
- Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
- Use the following settings for the New Deployment Share Wizard:
- Deployment share path: **D:\\MDTBuildLab**
@@ -70,7 +70,7 @@ In order to read files in the deployment share and write the reference image bac
On **MDT01**:
-1. Ensure you are signed in as **contoso\\administrator**.
+1. Ensure you're signed in as **contoso\\administrator**.
2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt:
``` powershell
@@ -84,7 +84,7 @@ This section will show you how to populate the MDT deployment share with the Win
### Add the Windows 10 installation files
-MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
+MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
>[!NOTE]
>Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.
@@ -129,9 +129,9 @@ The steps in this section use a strict naming standard for your MDT applications
Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency.
-By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments.
+By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments.
-In example sections, you will add the following applications:
+In example sections, you 'll add the following applications:
- Install - Microsoft Office 365 Pro Plus - x64
- Install - Microsoft Visual C++ Redistributable 2019 - x86
@@ -146,7 +146,7 @@ Download links:
Download all three items in this list to the D:\\Downloads folder on MDT01.
-**Note**: For the purposes of this lab, we will leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads).
+**Note**: For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads).
>[!NOTE]
>All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
@@ -157,7 +157,9 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename.
For example, you can use the following configuration.xml file, which provides these configuration settings:
- - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition.
+ - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet.
+ > [!NOTE]
+ > 64-bit is now the default and recommended edition.
- Use the General Availability Channel and get updates directly from the Office CDN on the internet.
- Perform a silent installation. You won’t see anything that shows the progress of the installation and you won’t see any error messages.
@@ -173,27 +175,27 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
```
- By using these settings, any time you build the reference image you’ll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise.
+ When you use these settings, any time you build the reference image you’ll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise.
>[!TIP]
>You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file.
- Also see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool) for more information.
+ For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool).
3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder:
- Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Do not perform this step yet.
+ Assuming you've named the file "configuration.xml" as shown above, we'll use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet.
>[!IMPORTANT]
- >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you are prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image.
+ >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image.
Additional information
-- Microsoft 365 Apps for enterprise is usually updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image.
+- Microsoft 365 Apps for enterprise is updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image.
-- **Note**: By using installing Office Deployment Tool as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.)
- - When you are creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise.
+- **Note**: With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.)
+ - When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise.
### Connect to the deployment share using Windows PowerShell
@@ -201,7 +203,7 @@ If you need to add many applications, you can take advantage of the PowerShell s
On **MDT01**:
-1. Ensure you are signed in as **contoso\\Administrator**.
+1. Ensure you're signed in as **contoso\\Administrator**.
2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt:
``` powershell
@@ -213,11 +215,11 @@ On **MDT01**:
### Create the install: Microsoft Office 365 Pro Plus - x64
-In these steps we assume that you have downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365.
+In these steps, we assume that you've downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365.
On **MDT01**:
-1. Ensure you are signed on as **contoso\\Administrator**.
+1. Ensure you're signed on as **contoso\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` powershell
@@ -227,7 +229,7 @@ On **MDT01**:
Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose
```
- Upon successful installation the following text is displayed:
+ Upon successful installation, the following text is displayed:
```
VERBOSE: Performing the operation "import" on target "Application".
VERBOSE: Beginning application import
@@ -246,11 +248,11 @@ On **MDT01**:
>[!NOTE]
>We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters.
-In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads.
+In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads.
On **MDT01**:
-1. Ensure you are signed on as **contoso\\Administrator**.
+1. Ensure you're signed on as **contoso\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` powershell
@@ -260,7 +262,7 @@ On **MDT01**:
Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose
```
- Upon successful installation the following text is displayed:
+ Upon successful installation, the following text is displayed:
```
VERBOSE: Performing the operation "import" on target "Application".
VERBOSE: Beginning application import
@@ -275,11 +277,11 @@ On **MDT01**:
### Create the install: Microsoft Visual C++ Redistributable 2019 - x64
-In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads.
+In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads.
On **MDT01**:
-1. Ensure you are signed on as **contoso\\Administrator**.
+1. Ensure you're signed on as **contoso\\Administrator**.
2. Create the application by running the following commands in an elevated PowerShell prompt:
``` powershell
@@ -291,8 +293,8 @@ On **MDT01**:
## Create the reference image task sequence
-In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image.
-After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you are deploying.
+In order to build and capture your Windows 10 reference image for deployment using MDT, you 'll create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image.
+After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you're deploying.
### Drivers and the reference image
@@ -304,18 +306,18 @@ To create a Windows 10 reference image task sequence, the process is as follows
On **MDT01**:
-1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**.
+1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**.
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
1. Task sequence ID: REFW10X64-001
2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image
3. Task sequence comments: Reference Build
4. Template: Standard Client Task Sequence
5. Select OS: Windows 10 Enterprise x64 RTM Default Image
- 6. Specify Product Key: Do not specify a product key at this time
+ 6. Specify Product Key: Don't specify a product key at this time
7. Full Name: Contoso
8. Organization: Contoso
9. Internet Explorer home page: http://www.contoso.com
- 10. Admin Password: Do not specify an Administrator Password at this time
+ 10. Admin Password: Don't specify an Administrator Password at this time
### Edit the Windows 10 task sequence
@@ -338,7 +340,7 @@ On **MDT01**:
3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
>[!IMPORTANT]
- >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
+ >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
@@ -355,7 +357,7 @@ On **MDT01**:
### Optional configuration: Add a suspend action
-The goal when creating a reference image is of course to automate everything. But sometimes you have a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine.
+The goal when creating a reference image is to automate everything. But sometimes you've a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine.
@@ -367,20 +369,20 @@ The goal when creating a reference image is of course to automate everything. Bu
### Edit the Unattend.xml file for Windows 10 Enterprise
-When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use the Internet Explorer Administration Kit (IEAK).
+When using MDT, you don't need to edit the Unattend.xml file often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you 'll want to use the Internet Explorer Administration Kit (IEAK).
>[!WARNING]
->Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used.
+>Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used.
>[!NOTE]
->You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing.
+>You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing.
Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence:
On **MDT01**:
-1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**.
-2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
+1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**.
+2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This file generation process will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
> [!IMPORTANT]
> The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903:
@@ -393,7 +395,8 @@ On **MDT01**:
4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values:
- DisableDevTools: true
5. Save the Unattend.xml file, and close Windows SIM.
- - Note: If errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1.
+ > [!NOTE]
+ > If errors are reported that certain display values are incorrect, you can ignore this message or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1.
6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**.
@@ -413,7 +416,7 @@ To configure the rules for the MDT Build Lab deployment share:
On **MDT01**:
1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**.
-2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you do not have a WSUS server in your environment, delete the **WSUSServer** line from the configuration:
+2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration:
```
[Settings]
@@ -469,7 +472,7 @@ On **MDT01**:
```
>[!NOTE]
- >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini.
+ >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini.
4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**.
5. In the **Lite Touch Boot Image Settings** area, configure the following settings:
@@ -486,7 +489,7 @@ On **MDT01**:
### Update the deployment share
-After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created.
+After the deployment share has been configured, it needs to be updated. This update-process is the one when the Windows PE boot images are created.
1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**.
2. Use the default options for the Update Deployment Share Wizard.
@@ -496,9 +499,9 @@ After the deployment share has been configured, it needs to be updated. This is
### The rules explained
-Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it is time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files.
+Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it's time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files.
-The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide just enough information for MDT to find the CustomSettings.ini.
+The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide enough information for MDT to find the CustomSettings.ini.
The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media).
@@ -521,14 +524,14 @@ SkipBDDWelcome=YES
```
So, what are these settings?
-- **Priority.** This determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\].
-- **DeployRoot.** This is the location of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location.
-- **UserDomain, UserID, and UserPassword.** These values are used for automatic log on to the deployment share. Again, if they are not specified, the wizard prompts you.
+- **Priority.** This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\].
+- **DeployRoot.** This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location.
+- **UserDomain, UserID, and UserPassword.** These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you.
>[!WARNING]
>Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic.
-- **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard.
+- **SkipBDDWelcome.** Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard.
>[!NOTE]
>All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values.
@@ -569,20 +572,20 @@ SkipRoles=YES
SkipCapture=NO
SkipFinalSummary=YES
```
-- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you have multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file.
+- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file.
- **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment.
-- **UserDataLocation.** Controls the settings for user state backup. You do not need to use when building and capturing a reference image.
+- **UserDataLocation.** Controls the settings for user state backup. You don't need to use when building and capturing a reference image.
- **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed.
-- **OSInstall.** Must be set to Y or YES (the code actually just looks for the Y character) for the setup to proceed.
+- **OSInstall.** Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed.
- **AdminPassword.** Sets the local Administrator account password.
- **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003).
**Note**: The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
- **JoinWorkgroup.** Configures Windows to join a workgroup.
-- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
+- **HideShell.** Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
- **FinishAction.** Instructs MDT what to do when the task sequence is complete.
-- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image.
+- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image.
- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.
- **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed.
- **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM).
@@ -602,9 +605,9 @@ SkipFinalSummary=YES
## Build the Windows 10 reference image
-As previously described, this section requires a Hyper-V host. See [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements) for more information.
+As previously described, this section requires a Hyper-V host. For more information, see [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements).
-Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process.
+Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process.
The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image.
@@ -628,7 +631,7 @@ On **HV01**:
4. Start the REFW10X64-001 virtual machine and connect to it.
- **Note**: Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11.
+ **Note**: Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11.
After booting into Windows PE, complete the Windows Deployment Wizard with the following settings:
1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image
@@ -640,7 +643,7 @@ On **HV01**:
The Windows Deployment Wizard for the Windows 10 reference image.
-5. The setup now starts and does the following:
+5. The setup now starts and does the following steps:
1. Installs the Windows 10 Enterprise operating system.
2. Installs the added applications, roles, and features.
3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
@@ -649,7 +652,7 @@ On **HV01**:
6. Captures the installation to a Windows Imaging (WIM) file.
7. Turns off the virtual machine.
-After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
+After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
@@ -662,9 +665,9 @@ If you [enabled monitoring](#enable-monitoring), you can check the progress of t
-If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$.
+If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$.
-After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
+After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
## Related topics
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 25eddbf4ef..90deeb5238 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -15,16 +15,16 @@ ms.topic: article
**Applies to**
- Windows 10
-This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
+This topic will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
-We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules.
+We'll prepare for this deployment by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We'll configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules.
-For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 and PC0005.
+For the purposes of this topic, we'll use four computers: DC01, MDT01, HV01 and PC0005.
- DC01 is a domain controller
- MDT01 is a domain member server
- HV01 is a Hyper-V server
-- PC0005 is a blank device to which we will deploy Windows 10
+- PC0005 is a blank device to which we'll deploy Windows 10
MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment.
@@ -35,7 +35,7 @@ MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contos
## Step 1: Configure Active Directory permissions
-These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.
+These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you've The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.
On **DC01**:
@@ -55,7 +55,7 @@ On **DC01**:
.\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
```
- The following is a list of the permissions being granted:
+ The following list is of the permissions being granted:
- Scope: This object and all descendant objects
- Create Computer objects
@@ -72,7 +72,7 @@ On **DC01**:
## Step 2: Set up the MDT production deployment share
-Next, create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server.
+Next, create a new MDT deployment share. You shouldn't use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server.
### Create the MDT production deployment share
@@ -80,7 +80,7 @@ On **MDT01**:
The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image:
-1. Ensure you are signed on as: contoso\administrator.
+1. Ensure you're signed on as: contoso\administrator.
2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
@@ -97,7 +97,7 @@ To read files in the deployment share, you need to assign NTFS and SMB permissio
On **MDT01**:
-1. Ensure you are signed in as **contoso\\administrator**.
+1. Ensure you're signed in as **contoso\\administrator**.
2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt:
``` powershell
@@ -107,11 +107,11 @@ On **MDT01**:
## Step 3: Add a custom image
-The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components.
+The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores other components in the Sources\\SxS folder that is outside the image and may be required when installing components.
### Add the Windows 10 Enterprise x64 RTM custom image
-In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01.
+In these steps, we assume that you've completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you've a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01.
1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
2. Right-click the **Windows 10** folder and select **Import Operating System**.
@@ -139,8 +139,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica
On **MDT01**:
-1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120142_en_US.exe) to **D:\\setup\\adobe** on MDT01.
-2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120142_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01.
+2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.
@@ -175,12 +175,12 @@ For boot images, you need to have storage and network drivers; for the operating
### Create the driver source structure in the file system
-The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use.
+The key to successful management of drivers for MDT, and for any other deployment solution, is to have a good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use.
On **MDT01**:
> [!IMPORTANT]
-> In the steps below, it is critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system.
+> In the steps below, it's critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system.
1. Using File Explorer, create the **D:\\drivers** folder.
2. In the **D:\\drivers** folder, create the following folder structure:
@@ -198,11 +198,11 @@ On **MDT01**:
- Surface Laptop
> [!NOTE]
-> Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.
+> Even if you're not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.
### Create the logical driver structure in MDT
-When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench.
+When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This mimic is done by creating logical folders in the Deployment Workbench.
1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node.
2. In the **Out-Of-Box Drivers** node, create the following folder structure:
1. WinPE x86
@@ -260,7 +260,7 @@ On **MDT01**:
### Extract and import drivers for the x64 boot image
-Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image.
+Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require more drivers. In this example, you add the latest Intel network drivers to the x64 boot image.
On **MDT01**:
@@ -282,7 +282,7 @@ For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retrieve
To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
-In this example, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory.
+In this example, we assume you've downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory.
On **MDT01**:
@@ -292,13 +292,13 @@ On **MDT01**:
**D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
- The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
+ The folder you select and all subfolders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
### For the Latitude E7450
For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544).
-In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder.
+In these steps, we assume you've downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder.
On **MDT01**:
@@ -312,7 +312,7 @@ On **MDT01**:
For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html).
-In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder.
+In these steps, we assume you've downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder.
On **MDT01**:
@@ -324,7 +324,7 @@ On **MDT01**:
### For the Microsoft Surface Laptop
-For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder.
+For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps, we assume you've downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder.
On **MDT01**:
@@ -336,7 +336,7 @@ On **MDT01**:
## Step 6: Create the deployment task sequence
-This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server.
+This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You'll then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server.
### Create a task sequence for Windows 10 Enterprise
@@ -350,11 +350,11 @@ On **MDT01**:
- Task sequence comments: Production Image
- Template: Standard Client Task Sequence
- Select OS: Windows 10 Enterprise x64 RTM Custom Image
- - Specify Product Key: Do not specify a product key at this time
+ - Specify Product Key: Don't specify a product key at this time
- Full Name: Contoso
- Organization: Contoso
- Internet Explorer home page: `https://www.contoso.com`
- - Admin Password: Do not specify an Administrator Password at this time
+ - Admin Password: Don't specify an Administrator Password at this time
### Edit the Windows 10 task sequence
@@ -372,7 +372,7 @@ On **MDT01**:
- Install all drivers from the selection profile
> [!NOTE]
- > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
+ > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action.
@@ -386,7 +386,7 @@ On **MDT01**:
## Step 7: Configure the MDT production deployment share
-In this section, you will learn how to configure the MDT Build Lab deployment share with the rules required to create a simple and dynamic deployment process. This includes configuring commonly used rules and an explanation of how these rules work.
+In this section, you'll learn how to configure the MDT Build Lab deployment share with the rules required to create a dynamic deployment process. This configuration includes commonly used rules and an explanation of how these rules work.
### Configure the rules
@@ -460,7 +460,7 @@ On **MDT01**:
> [!NOTE]
>
- > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
+ > Because you're going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you don't need the ISO file; however, we recommend creating ISO files because they're useful when troubleshooting deployments and for quick tests.
6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
@@ -488,13 +488,13 @@ On **MDT01**:
### The rules explained
-The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
+The rules for the MDT Production deployment share are different from those rules for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
-You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
+You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example, we're skipping the welcome screen and providing credentials.
### The Bootstrap.ini file
-This is the MDT Production Bootstrap.ini:
+This file is the MDT Production Bootstrap.ini:
```
[Settings]
@@ -510,7 +510,7 @@ SkipBDDWelcome=YES
### The CustomSettings.ini file
-This is the CustomSettings.ini file with the new join domain information:
+This file is the CustomSettings.ini file with the new join domain information:
```
[Settings]
@@ -557,7 +557,7 @@ Some properties to use in the MDT Production rules file are as follows:
- **DomainAdminPassword.** The password for the join domain account.
- **MachineObjectOU.** The organizational unit (OU) to which to add the computer account.
- **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command.
-- **USMTMigFiles(\*).** List of USMT templates (controlling what to backup and restore).
+- **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore).
- **EventService.** Activates logging information to the MDT monitoring web service.
> [!NOTE]
@@ -568,11 +568,11 @@ Some properties to use in the MDT Production rules file are as follows:
### Optional deployment share configuration
-If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself.
+If your organization has a Microsoft Software Assurance agreement, you also can subscribe to another Microsoft Desktop Optimization Package (MDOP) license (at an extra cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, and troubleshoot Windows itself.
### Add DaRT 10 to the boot images
-If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following:
+If you've licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you don't have DaRT licensing, or don't want to use it, skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following steps:
> [!NOTE]
@@ -608,7 +608,7 @@ On **MDT01**:
### Update the deployment share
-Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created.
+Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This update-process is the one during which the Windows PE boot images are created.
1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**.
@@ -639,7 +639,7 @@ On **MDT01**:
### Deploy the Windows 10 client
-At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you are confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. This helps rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine:
+At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you're confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. These tests help rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine:
On **HV01**:
@@ -665,7 +665,7 @@ On **HV01**:
- Computer Name: **PC0005**
- Applications: Select the **Install - Adobe Reader** checkbox.
-4. Setup now begins and does the following:
+4. Setup now begins and does the following steps:
- Installs the Windows 10 Enterprise operating system.
- Installs the added application.
@@ -681,7 +681,7 @@ Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed auto
### Use the MDT monitoring feature
-Since you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node.
+Since you've enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node.
On **MDT01**:
@@ -705,12 +705,11 @@ The Event Viewer showing a successful deployment of PC0005.
## Multicast deployments
-Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it is important to ensure that your network supports it and is designed for it. If you have a limited number of simultaneous deployments, you probably do not need to enable multicast.
+Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it's important to ensure that your network supports it and is designed for it. If you've a limited number of simultaneous deployments, you probably don't need to enable multicast.
### Requirements
-Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this means involving the organization networking team to make sure that
-Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3.
+Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this configuration means involvement of the organization networking team to ensure that Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3.
### Set up MDT for multicast
@@ -729,9 +728,9 @@ On **MDT01**:
## Use offline media to deploy Windows 10
-In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment.
+In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by using selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment.
-Offline media are useful not only when you do not have network connectivity to the deployment share, but also when you have limited connection to the deployment share and do not want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire.
+Offline media are useful not only when you don't have network connectivity to the deployment share, but also when you've limited connection to the deployment share and don't want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire.
### Create the offline media selection profile
@@ -762,7 +761,7 @@ In these steps, you generate offline media from the MDT Production deployment sh
1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder.
>[!NOTE]
- >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media.
+ >When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media.
2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**.
@@ -798,7 +797,7 @@ On **MDT01**:
### Generate the offline media
-You have now configured the offline media deployment share, however the share has not yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO.
+You've now configured the offline media deployment share, however the share hasn't yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO.
On **MDT01**:
@@ -808,7 +807,7 @@ On **MDT01**:
### Create a bootable USB stick
-The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.)
+The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it's often more efficient to use USB sticks instead since they're faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.)
>[!TIP]
>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
-| First | 1% | The First ring is the first group of production users to receive a change.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
+| First | **1%** | The First ring is the first group of production users to receive a change.
Group Policy Creator Owners, and Schema Admins in Active Directory
Domain Users group|
-|Protected by ADMINSDHOLDER?|Yes|
-|Safe to move out of default container?|Yes|
-|Safe to delegate management of this group to non-service administrators?|No|
-
-## Guest account
-
-
-The Guest account is a default local account that has limited access to the computer and is disabled by default. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password.
-
-The Guest account enables occasional or one-time users, who do not have an individual account on the computer, to sign in to the local server or domain with restricted rights and permissions. The Guest account can be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the domain.
-
-**Account group membership**
-
-The Guest account has membership in the default security groups that are described in the following Guest account attributes table. By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server, and the Domain Guests global group, which lets a user sign in to a domain.
-
-A member of the Administrators group or Domain Admins group can set up a user with a Guest account on one or more computers.
-
-**Security considerations**
-
-Because the Guest account can provide anonymous access, it is a security risk. It also has a well-known SID. For this reason, it is a best practice to leave the Guest account disabled, unless its use is required and then only with restricted rights and permissions for a very limited period of time.
-
-When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent unauthorized access:
-
-- Do not grant the Guest account the [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer.
-
-- Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
-
-- Do not use the Guest account when the server has external network access or access to other computers.
-
-If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you might want to rename the account as an added security precaution.
-
-In addition, an administrator is responsible for managing the Guest account. The administrator monitors the Guest account, disables the Guest account when it is no longer in use, and changes or removes the password as needed.
-
-For details about the Guest account attributes, see the following table.
-
-**Guest account attributes**
-
-|Attribute|Value|
-|--- |--- |
-|Well-Known SID/RID|S-1-5-`
This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS).|
-|Account is disabled|Prevents the user from signing in with the selected account. As an administrator, you can use disabled accounts as templates for common user accounts.|
-|Smart card is required for interactive logon|Requires that a user has a smart card to sign on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card.
When this attribute is applied on the account, the effect is as follows:
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.|
-| S-1-5-8| Proxy| Does not currently apply: this SID is not used.|
-| S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.|
-| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.|
-| S-1-5-11 | Authenticated Users| A group that includes all users and computers with identities that have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password.
This group includes authenticated security principals from any trusted domain, not only the current domain.|
-| S-1-5-12 | Restricted Code| An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.|
-| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.|
-| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.|
-| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.|
-| S-1-5-17 | IUSR| An account that is used by the default Internet Information Services (IIS) user.|
-| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.|
-| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.|
-| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.|
-| S-1-5-*domain*-500 | Administrator| A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.
The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed.
By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group.|
-| S-1-5-*domain*-501 | Guest| A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account.
By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups.
Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one.|
-| S-1-5-*domain*-502| krbtgt| A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.|
-| S-1-5-*domain*-512| Domain Admins| A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers.
Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.|
-| S-1-5-*domain*-513| Domain Users| A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.|
-| S-1-5-*domain*-514| Domain Guests| A global group, which by default, has only one member: the domain's built-in Guest account.|
-| S-1-5-*domain*-515 | Domain Computers| A global group that includes all computers that have joined the domain, excluding domain controllers.|
-| S-1-5-*domain*-516| Domain Controllers| A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.|
-| S-1-5-*domain*-517 | Cert Publishers| A global group that includes all computers that host an enterprise certification authority.
Cert Publishers are authorized to publish certificates for User objects in Active Directory.|
-| S-1-5-*root domain*-518| Schema Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.|
-| S-1-5-*root domain*-519| Enterprise Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode.
The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities.
By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest. |
-| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.
Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.|
-| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.
Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.|
-| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.|
-| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.|
-| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.|
-| S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. |
-| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.|
-| S-1-5-32-549| Server Operators| Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.|
-| S-1-5-32-550 | Print Operators| A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.|
-| S-1-5-32-551 | Backup Operators| A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.|
-| S-1-5-32-552 | Replicators | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.|
-|S-1-5-32-554|Builtin\Pre-Windows 2000 Compatible Access|An alias added by Windows 2000. A backward compatibility group that allows read access on all users and groups in the domain.|
-|S-1-5-32-555|Builtin\Remote Desktop Users|An alias. Members in this group are granted the right to log on remotely.|
-|S-1-5-32-556|Builtin\Network Configuration Operators|An alias. Members in this group can have some administrative privileges to manage configuration of networking features.|
-|S-1-5-32-557|Builtin\Incoming Forest Trust Builders|An alias. Members of this group can create incoming, one-way trusts to this forest.|
-|S-1-5-32-558|Builtin\Performance Monitor Users|An alias. Members of this group have remote access to monitor this computer.|
-|S-1-5-32-559|Builtin\Performance Log Users|An alias. Members of this group have remote access to schedule logging of performance counters on this computer.|
-|S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.|
-|S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.|
-|S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.|
-|S-1-5-32-568|Builtin\IIS_IUSRS|An alias. A built-in group account for IIS users.|
-|S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.|
-|S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.|
-|S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.|
-|S-1-5-32-575|Builtin\RDS Remote Access Servers|A built-in local group. Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.|
-|S-1-5-32-576|Builtin\RDS Endpoint Servers|A built-in local group. Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.|
-|S-1-5-32-577|Builtin\RDS Management Servers|A builtin local group. Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.|
-|S-1-5-32-578|Builtin\Hyper-V Administrators|A built-in local group. Members of this group have complete and unrestricted access to all features of Hyper-V.|
-|S-1-5-32-579|Builtin\Access Control Assistance Operators|A built-in local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.|
-|S-1-5-32-580|Builtin\Remote Management Users|A built-in local group. Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.|
-| S-1-5-64-10| NTLM Authentication| A SID that is used when the NTLM authentication package authenticated the client|
-| S-1-5-64-14 | SChannel Authentication| A SID that is used when the SChannel authentication package authenticated the client.|
-| S-1-5-64-21 | Digest Authentication| A SID that is used when the Digest authentication package authenticated the client.|
-| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.|
-| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.|
-| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). |
-
-The following RIDs are relative to each domain.
-
-| RID |Decimal value| Identifies |
-| - | - | - |
-| DOMAIN_USER_RID_ADMIN | 500 | The administrative user account in a domain. |
-| DOMAIN_USER_RID_GUEST| 501 | The guest-user account in a domain. Users who do not have an account can automatically sign in to this account.|
-| DOMAIN_GROUP_RID_USERS | 513 | A group that contains all user accounts in a domain. All users are automatically added to this group.|
-| DOMAIN_GROUP_RID_GUESTS | 514 | The group Guest account in a domain.|
-| DOMAIN_GROUP_RID_COMPUTERS | 515 | The Domain Computer group. All computers in the domain are members of this group.|
-| DOMAIN_GROUP_RID_CONTROLLERS | 516 | The Domain Controller group. All domain controllers in the domain are members of this group.|
-| DOMAIN_GROUP_RID_CERT_ADMINS | 517 | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group.|
-| DOMAIN_GROUP_RID_SCHEMA_ADMINS | 518 | The schema administrators' group. Members of this group can modify the Active Directory schema.|
-| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | 519 | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.|
-| DOMAIN_GROUP_RID_POLICY_ADMINS| 520 | The policy administrators' group.|
-
-The following table provides examples of domain-relative RIDs that are used to form well-known SIDs for local groups.
-
-| RID | Decimal value | Identifies |
-| - | - | - |
-| DOMAIN_ALIAS_RID_ADMINS | 544 | Administrators of the domain.|
-| DOMAIN_ALIAS_RID_USERS | 545 | All users in the domain.|
-| DOMAIN_ALIAS_RID_GUESTS | 546 | Guests of the domain.|
-| DOMAIN_ALIAS_RID_POWER_USERS | 547 | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.|
-| DOMAIN_ALIAS_RID_BACKUP_OPS | 551 | A local group that is used to control the assignment of file backup-and-restore user rights.|
-| DOMAIN_ALIAS_RID_REPLICATOR | 552 | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.|
-| DOMAIN_ALIAS_RID_RAS_SERVERS | 553 | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.|
-
-## Changes in security identifier's functionality
-
-The following table describes changes in SID implementation in the Windows operating systems that are designated in the list.
-
-| Change | Operating system version | Description and resources |
-| - | - | - |
-| Most of the operating system files are owned by the TrustedInstaller security identifier (SID)| Windows Server 2008, Windows Vista| The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. |
-| Restricted SID checks are implemented| Windows Server 2008, Windows Vista| When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. |
-
-## Capability SIDs
-
-Capability Security Identifiers (SIDs) are used to uniquely and immutably identify capabilities. Capabilities represent an unforgeable token of authority that grants access to resources (Examples: documents, camera, locations etc...) to Universal Windows Applications. An App that “has” a capability is granted access to the resource the capability is associated with, and one that “does not have” a capability is denied access to the resource.
-
-All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location.
-
-## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition
-
-You may see the following registry keys under AllCachedCapabilities:
-
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
-
-All Capability SIDs are prefixed by S-1-15-3
-
-## Examples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition
-
-You may see the following registry keys under AllCachedCapabilities:
-
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
-
-All Capability SIDs are prefixed by S-1-15-3
-
-## See also
-
-- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md
deleted file mode 100644
index 3120899040..0000000000
--- a/windows/security/identity-protection/access-control/security-principals.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-title: Security Principals (Windows 10)
-description: Security Principals
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 04/19/2017
-ms.reviewer:
----
-
-# Security Principals
-
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
-This reference topic for the IT professional describes security principals in regards to Windows accounts and security groups, in addition to security technologies that are related to security principals.
-
-## What are security principals?
-
-
-Security principals are any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account, or the security groups for these accounts. Security principals have long been a foundation for controlling access to securable resources on Windows computers. Each security principal is represented in the operating system by a unique security identifier (SID).
-
-The following content applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic.
-
-## How security principals work
-
-
-Security principals that are created in an Active Directory domain are Active Directory objects, which can be used to manage access to domain resources. Each security principal is assigned a unique identifier, which it retains for its entire lifetime. Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are managed by the Security Accounts Manager (SAM) on the local computer.
-
-### Authorization and access control components
-
-The following diagram illustrates the Windows authorization and access control process. In this diagram, the subject (a process that is initiated by a user) attempts to access an object, such as a shared folder. The information in the user’s access token is compared to the access control entries (ACEs) in the object’s security descriptor, and the access decision is made. The SIDs of security principals are used in the user’s access token and in the ACEs in the object’s security descriptor.
-
-**Authorization and access control process**
-
-
-
-Security principals are closely related to the following components and technologies:
-
-- [Security identifiers](#bkmk-sids)
-
-- [Access tokens](#bkmk-accesstokens)
-
-- [Security descriptors and access control lists](#bkmk-sdandacls)
-
-- [Permissions](#bkmk-permissions)
-
-### Security identifiers
-
-Security identifiers (SIDs) provide a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment.
-
-A SID is a value of variable length that is used to uniquely identify a security principal that represents any entity that can be authenticated by the system. These entities include a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. Each security principal is automatically assigned a SID when it is created. The SID is stored in a security database. When a SID is used as the unique identifier for a user or group, it can never be used to identify another user or group.
-
-Each time a user signs in, the system creates an access token for that user. The access token contains the user’s SID, user rights, and the SIDs for groups that the user belongs to. This token provides the security context for whatever actions the user performs on that computer.
-
-In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and the World SIDs identify groups that includes all users. Well-known SIDs have values that remain constant across all operating systems.
-
-### Access tokens
-
-An access token is a protected object that contains information about the identity and user rights that are associated with a user account.
-
-When a user signs in interactively or tries to make a network connection to a computer running Windows, the sign-in process authenticates the user’s credentials. If authentication is successful, the process returns a SID for the user and a list of SIDs for the user’s security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token (in this case, the primary access token). This includes the SIDs that are returned by the sign-in process and a list of user rights that are assigned by the local security policy to the user and to the user’s security groups.
-
-After the LSA creates the primary access token, a copy of the access token is attached to every thread and process that executes on the user’s behalf. Whenever a thread or process interacts with a securable object or tries to perform a system task that requires user rights, the operating system checks the access token that is associated with the thread to determine the level of authorization.
-
-There are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account that is associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. Impersonation tokens, on the other hand, are usually used for client and server scenarios. Impersonation tokens enable a thread to run in a security context that differs from the security context of the process that owns the thread.
-
-### Security descriptors and access control lists
-
-A security descriptor is a data structure that is associated with each securable object. All objects in Active Directory and all securable objects on a local computer or on the network have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object’s security descriptor can contain two types of ACLs:
-
-- A discretionary access control list (DACL), which identifies the users and groups who are allowed or denied access
-
-- A system access control list (SACL), which controls how access is audited
-
-You can use this access control model to individually secure objects and attributes such as files and folders, Active Directory objects, registry keys, printers, devices, ports, services, processes, and threads. Because of this individual control, you can adjust the security of objects to meet the needs of your organization, delegate authority over objects or attributes, and create custom objects or attributes that require unique security protections to be defined.
-
-### Permissions
-
-Permissions enable the owner of each securable object, such as a file, Active Directory object, or registry key, to control who can perform an operation or a set of operations on the object or object property. Permissions are expressed in the security architecture as access control entries (ACEs). Because access to an object is at the discretion of the object’s owner, the type of access control that is used in Windows is called discretionary access control.
-
-Permissions are different from user rights in that permissions are attached to objects, and user rights apply to user accounts. Administrators can assign user rights to groups or users. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
-
-On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers.
-
-For information about which user rights are available and how they can be implemented, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment).
-
-### Security context in authentication
-
-A user account enables a user to sign in to computers, networks, and domains with an identity that can be authenticated by the computer, network, or domain.
-
-In Windows, any user, service, group, or computer that can initiate action is a security principal. Security principals have accounts, which can be local to a computer or domain-based. For example, domain-joined Windows client computers can participate in a network domain by communicating with a domain controller, even when no user is signed in.
-
-To initiate communications, the computer must have an active account in the domain. Before accepting communications from the computer, the Local Security Authority on the domain controller authenticates the computer’s identity and then defines the computer’s security context just as it would for a user’s security principal.
-
-This security context defines the identity and capabilities of a user or service on a particular computer, or of a user, service, group or computer on a network. For example, it defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed by a user, service, or computer on that resource.
-
-The security context of a user or computer can vary from one computer to another, such as when a user authenticates to a server or a workstation other than the user’s primary workstation. It can also vary from one session to another, such as when an administrator modifies the user’s rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a mixed network domain, or as part of an Active Directory domain.
-
-## Accounts and security groups
-
-
-Accounts and security groups that are created in an Active Directory domain are stored in the Active Directory database and managed by using Active Directory tools. These security principals are directory objects, and they can be used to manage access to domain resources.
-
-Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are stored in and managed by the Security Accounts Manager (SAM) on the local computer.
-
-### User accounts
-
-A user account uniquely identifies a person who is using a computer system. The account signals the system to enforce the appropriate authorization to allow or deny that user access to resources. User accounts can be created in Active Directory and on local computers, and administrators use them to:
-
-- Represent, identify, and authenticate the identity of a user. A user account enables a user to sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain.
-
-- Authorize (grant or deny) access to resources. After a user has been authenticated, the user is authorized access to resources based on the permissions that are assigned to that user for the resource.
-
-- Audit the actions that are carried out on a user account.
-
-Windows and the Windows Server operating systems have built-in user accounts, or you can create user accounts to meet the requirements of your organization.
-
-### Security groups
-
-A security group is a collection of user accounts, computer accounts, and other groups of accounts that can be managed as a single unit from a security perspective. In Windows operating systems, there are several built-in security groups that are preconfigured with the appropriate rights and permissions for performing specific tasks. Additionally, you can (and, typically, will) create a security group for each unique combination of security requirements that applies to multiple users in your organization.
-
-Groups can be Active Directory-based or local to a particular computer:
-
-- Active Directory security groups are used to manage rights and permissions to domain resources.
-
-- Local groups exist in the SAM database on local computers (on all Windows-based computers) except domain controllers. You use local groups to manage rights and permissions only to resources on the local computer.
-
-By using security groups to manage access control, you can:
-
-- Simplify administration. You can assign a common set of rights, a common set of permissions, or both to many accounts at one time, rather than assigning them to each account individually. Also, when users transfer jobs or leave the organization, permissions are not tied to their user accounts, making permission reassignment or removal easier.
-
-- Implement a role-based access-control model. You can use this model to grant permissions by using groups with different scopes for appropriate purposes. Scopes that are available in Windows include local, global, domain local, and universal.
-
-- Minimize the size of access control lists (ACLs) and speed security checking. A security group has its own SID; therefore, the group SID can be used to specify permissions for a resource. In an environment with more than a few thousand users, if the SIDs of individual user accounts are used to specify access to a resource, the ACL of that resource can become unmanageably large, and the time that is needed for the system to check permissions to the resource can become unacceptable.
-
-For descriptions and settings information about the domain security groups that are defined in Active Directory, see [Active Directory Security Groups](active-directory-security-groups.md).
-
-For descriptions and settings information about the Special Identities group, see [Special Identities](special-identities.md).
-
-## See also
-
-- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md
deleted file mode 100644
index cd6db0f4f7..0000000000
--- a/windows/security/identity-protection/access-control/service-accounts.md
+++ /dev/null
@@ -1,112 +0,0 @@
----
-title: Service Accounts (Windows 10)
-description: Service Accounts
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection:
- - M365-identity-device-management
- - highpri
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 11/19/2021
----
-
-# Service Accounts
-
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
-This topic for the IT professional explains group and standalone managed service accounts, and the computer-specific virtual computer account, and it points to resources about these service accounts.
-
-## Overview
-
-A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service's ability to access local and network resources. The Windows operating systems rely on services to run various features. These services can be configured through the applications, the Services snap-in, or Task Manager, or by using Windows PowerShell.
-
-This topic contains information about the following types of service accounts:
-
-- [Standalone managed service accounts](#bkmk-standalonemanagedserviceaccounts)
-
-- [Group-managed service accounts](#bkmk-groupmanagedserviceaccounts)
-
-- [Virtual accounts](#bkmk-virtualserviceaccounts)
-
-### Standalone managed service accounts
-
-A managed service account is designed to isolate domain accounts in crucial applications, such as Internet Information Services (IIS), and eliminate the need for an administrator to manually administer the service principal name (SPN) and credentials for the accounts.
-
-To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group-managed service account. For more information, see [Group-Managed Service Accounts Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)).
-
-In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts:
-
-- You can create a class of domain accounts that can be used to manage and maintain services on local computers.
-
-- Unlike domain accounts in which administrators must manually reset passwords, the network passwords for these accounts are automatically reset.
-
-- You do not have to complete complex SPN management tasks to use managed service accounts.
-- You don't have to complete complex SPN management tasks to use managed service accounts.
-- Administrative tasks for managed service accounts can be delegated to non-administrators.
-
-### Software requirements
-
-Managed service accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic.
-
-### Group-managed service accounts
-
-Group-managed service accounts are an extension of the standalone-managed service accounts, which were introduced in Windows Server 2008 R2. These accounts are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management, including delegation of management to other administrators.
-
-The group-managed service account provides the same functionality as a standalone managed service account within the domain, but it extends that functionality over multiple servers. When connecting to a service that is hosted on a server farm, such as Network Load Balancing, the authentication protocols that support mutual authentication require all instances of the services to use the same principal. When group-managed service accounts are used as service principals, the Windows Server operating system manages the password for the account instead of relying on the administrator to manage the password.
-
-The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key or a specific key with a key identifier for an Active Directory account. This service was introduced in Windows Server 2012, and it does not run on previous versions of the Windows Server operating system. The Key Distribution Service shares a secret, which is used to create keys for the account. These keys are periodically changed. For a group-managed service account, the domain controller computes the password on the key that is provided by the Key Distribution Services, in addition to other attributes of the group-managed service account.
-
-### Practical applications
-
-Group-managed service accounts provide a single identity solution for services running on a server farm, or on systems that use Network Load Balancing. By providing a group-managed service account solution, services can be configured for the group-managed service account principal, and the password management is handled by the operating system.
-
-By using a group-managed service account, service administrators do not need to manage password synchronization between service instances. The group-managed service account supports hosts that are kept offline for an extended time period and the management of member hosts for all instances of a service. This provision means that you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting.
-
-Failover clusters do not support group-managed service accounts. However, services that run on top of the Cluster service can use a group-managed service account or a standalone managed service account if they are a Windows service, an App pool, a scheduled task, or if they natively support group-managed service account or standalone managed service accounts.
-
-### Software requirements
-
-Group-managed service accounts can only be configured and administered on computers running at least Windows Server 2012, but they can be deployed as a single service identity solution in domains that still have domain controllers running operating systems earlier than Windows Server 2012. There are no domain or forest functional level requirements.
-
-A 64-bit architecture is required to run the Windows PowerShell commands that are used to administer group-managed service accounts.
-
-A managed service account is dependent on encryption types supported by Kerberos. When a client computer authenticates to a server by using Kerberos protocol, the domain controller creates a Kerberos service ticket that is protected with encryption that the domain controller and the server support. The domain controller uses the account’s **msDS-SupportedEncryptionTypes** attribute to determine what encryption the server supports, and if there is no attribute, it assumes that the client computer does not support stronger encryption types. The Advanced Encryption Standard (AES) must always be configured for managed service accounts. If computers that host the managed service account are configured to not support RC4, authentication will always fail.
-
-**Note**
-Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For more information about supported encryption types, see [Changes in Kerberos Authentication](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560670(v=ws.10)).
-
-Group-managed service accounts are not applicable in Windows operating systems prior to Windows Server 2012.
-
-### Virtual accounts
-
-Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7, and are managed local accounts that provide the following features to simplify service administration:
-
-- The virtual account is automatically managed.
-
-- The virtual account can access the network in a domain environment.
-
-- No password management is required. For example, if the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2, a virtual account that uses the instance name as the service name is established in the format NT SERVICE\\<SERVICENAME>.
-
-Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain\_name>\\<computer\_name>$.
-
-For information about how to configure and use virtual service accounts, see [Service Accounts Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10)).
-
-### Software requirements
-
-Virtual accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic.
-
-## See also
-
-
-The following table provides links to other resources that are related to standalone managed service accounts, group-managed service accounts, and virtual accounts.
-
-| Content type | References |
-|---------------|-------------|
-| **Product evaluation** | [What's New for Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831451(v=ws.11))
[Getting Started with Group Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)) |
-| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](https://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) |
-| **Related technologies** | [Security Principals](security-principals.md)
[What's new in Active Directory Domain Services](/windows-server/identity/whats-new-active-directory-domain-services) |
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
deleted file mode 100644
index 995d23b020..0000000000
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ /dev/null
@@ -1,448 +0,0 @@
----
-title: Special Identities (Windows 10)
-description: Special Identities
-ms.prod: m365-security
-ms.technology: windows-sec
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 12/21/2021
-ms.reviewer:
----
-
-# Special Identities
-
-**Applies to**
-
-- Windows Server 2016 or later
-
-This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.
-
-Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can:
-
-- Assign user rights to security groups in Active Directory.
-- Assign permissions to security groups for the purpose of accessing resources.
-
-Servers that are running the supported Windows Server operating systems designated in the **Applies To** list at the beginning of this topic include several special identity groups. These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances.
-
-Although the special identity groups can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to special identity groups. Users are automatically assigned to these special identity groups whenever they sign in or access a particular resource.
-
-For information about security groups and group scope, see [Active Directory Security Groups](active-directory-security-groups.md).
-
-The special identity groups are described in the following tables:
-
-- [Anonymous Logon](#anonymous-logon)
-- [Attested Key Property](#attested-key-property)
-- [Authenticated Users](#authenticated-users)
-- [Authentication Authority Asserted Identity](#authentication-authority-asserted-identity)
-- [Batch](#batch)
-- [Console Logon](#console-logon)
-- [Creator Group](#creator-group)
-- [Creator Owner](#creator-owner)
-- [Dialup](#dialup)
-- [Digest Authentication](#digest-authentication)
-- [Enterprise Domain Controllers](#enterprise-domain-controllers)
-- [Everyone](#everyone)
-- [Fresh Public Key Identity](#fresh-public-key-identity)
-- [Interactive](#interactive)
-- [IUSR](#iusr)
-- [Key Trust](#key-trust)
-- [Local Service](#local-service)
-- [LocalSystem](#localsystem)
-- [MFA Key Property](#mfa-key-property)
-- [Network](#network)
-- [Network Service](#network-service)
-- [NTLM Authentication](#ntlm-authentication)
-- [Other Organization](#other-organization)
-- [Owner Rights](#owner-rights)
-- [Principal Self](#principal-self)
-- [Proxy](#proxy)
-- [Remote Interactive Logon](#remote-interactive-logon)
-- [Restricted](#restricted)
-- [SChannel Authentication](#schannel-authentication)
-- [Service](#service)
-- [Service Asserted Identity](#service-asserted-identity)
-- [Terminal Server User](#terminal-server-user)
-- [This Organization](#this-organization)
-- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group)
-
-## Anonymous Logon
-
-Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-5-7 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
-
-## Authentication Authority Asserted Identity
-
-A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-18-1 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight|
-
-## Everyone
-
-All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
-
-On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1).
-
-Membership is controlled by the operating system.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-1-0 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege
[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
|
-
-## LocalSystem
-
-This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-5-18 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
|
-
-## NTLM Authentication
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-5-64-10 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
|
-
-## Service Asserted Identity
-
-A SID that means the client's identity is asserted by a service.
-
-| Attribute | Value |
-| :--: | :--: |
-| Well-Known SID/RID | S-1-18-2 |
-|Object Class| Foreign Security Principal|
-|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\
[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
|
-
-## See also
-
-- [Active Directory Security Groups](active-directory-security-groups.md)
-
-- [Security Principals](security-principals.md)
-
-- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 631d982e36..d7987dc9bc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -70,6 +70,8 @@ If the error occurs again, check the error code against the following table to s
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
+| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.|
+
## Errors with unknown mitigation
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 1c56c04c1c..2fedb0e205 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -16,7 +16,7 @@ metadata:
ms.author: dansimp #Required; microsoft alias of author; optional team alias.
ms.date: 09/20/2021
localization_priority: Priority
-
+
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
landingContent:
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
index 2f384a46fc..09e60e2f2b 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
@@ -2,7 +2,7 @@
title: Interactive Logon Message text (Windows 10)
description: Learn about best practices, security considerations and more for the security policy setting, Interactive logon Message text for users attempting to log on.
ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e
-ms.reviewer:
+ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
ms.mktglfcycl: deploy
@@ -32,9 +32,7 @@ The **Interactive logon: Message text for users attempting to log on** and [Inte
**Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they sign in.
-**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited.
-
-Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers.
+**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
When these policy settings are configured, users will see a dialog box before they can sign in to the server console.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
index ab20a8f979..b16fd3bff2 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
@@ -2,7 +2,7 @@
title: Interactive logon Message title for users attempting to log on (Windows 10)
description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on.
ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6
-ms.reviewer:
+ms.reviewer:
ms.author: dansimp
ms.prod: m365-security
ms.mktglfcycl: deploy
@@ -30,9 +30,7 @@ Describes the best practices, location, values, policy management and security c
This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited.
-The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on.
-
-Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers.
+The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
When these policy settings are configured, users will see a dialog box before they can sign in the server console.
@@ -43,7 +41,7 @@ When these policy settings are configured, users will see a dialog box before th
### Best practices
-1. It's advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one of the following values:
+1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following:
- RESTRICTED SYSTEM
