diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 63c4203814..4fc670ee82 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -15344,7 +15344,7 @@ }, { "source_path": "devices/surface/surface-dock-updater.md", - "redirect_url": "surface/surface-dock-firmware-update", + "redirect_url": "/surface/surface-dock-firmware-update", "redirect_document_id": true }, { diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md index 7d21b8c921..75feb89fc2 100644 --- a/devices/surface-hub/surface-hub-recovery-tool.md +++ b/devices/surface-hub/surface-hub-recovery-tool.md @@ -20,8 +20,8 @@ The [Microsoft Surface Hub Recovery Tool](https://www.microsoft.com/download/det To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. For more information on how to remove the existing drive from your Surface Hub, see [Surface Hub SSD replacement](surface-hub-ssd-replacement.md). ->[!IMPORTANT] ->Do not let the device go to sleep or interrupt the download of the image file. +> [!IMPORTANT] +> Do not let the device go to sleep or interrupt the download of the image file. If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub Support](https://support.microsoft.com/help/4037644/surface-contact-surface-warranty-and-software-support). @@ -77,10 +77,7 @@ Install Surface Hub Recovery Tool on the host PC. 5. When the download is complete, the tool instructs you to connect an SSD drive. If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows. The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue. For more information on how to remove the existing drive from your Surface Hub, see [Surface Hub SSD replacement](surface-hub-ssd-replacement.md). - -~~~ -![Connect SSD](images/shrt-drive.png) -~~~ + ![Connect SSD](images/shrt-drive.png) 6. When the drive is recognized, click **Start** to begin the re-imaging process. On the warning that all data on the drive will be erased, click **OK**. diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 8330f2a9f5..d402397000 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -40,7 +40,6 @@ ### [Surface firmware and driver updates](update.md) ### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) - ## Secure ### [Manage Surface UEFI settings](manage-surface-uefi-settings.md) ### [Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) diff --git a/devices/surface/get-started.md b/devices/surface/get-started.md index 3e5de94680..7e007abc4e 100644 --- a/devices/surface/get-started.md +++ b/devices/surface/get-started.md @@ -66,7 +66,7 @@ Harness the power of Surface, Windows, and Office connected together through the

Manage

-

Optimizing Wi-Fi connectivity for Surface devices

+

Optimize Wi-Fi connectivity for Surface devices

Best practice power settings for Surface devices

Manage battery limit with UEFI

@@ -75,7 +75,6 @@ Harness the power of Surface, Windows, and Office connected together through the - -The data type is int. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. +The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. -**SetupScriptUrl** +**SetupScriptUrl** Address to the PAC script you want to use. The data type is string. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. @@ -82,4 +82,55 @@ Valid values:
  • 1 - Do not use proxy server for local addresses
    • -The data type is int. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. +The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. + +# Configuration Example + +These generic code portions for the options **ProxySettingsPerUser**, **Autodetect**, and **SetupScriptURL** can be used for a specific operation, for example Replace. Only enter the portion of code needed in the **Replace** section. +```xml + + 1 + + + ./Vendor/MSFT/NetworkProxy/ProxySettingsPerUser + + + int + text/plain + + 0 + + +``` + +```xml + + 2 + + + ./Vendor/MSFT/NetworkProxy/AutoDetect + + + int + text/plain + + 1 + + +``` + +```xml + + 3 + + + ./Vendor/MSFT/NetworkProxy/SetupScriptUrl + + + chr + text/plain + + Insert the proxy PAC URL location here: + + +``` diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 09a9bad5ae..d6ed85073e 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -6,17 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 01/14/2019 +ms.date: 09/23/2019 ms.reviewer: manager: dansimp --- # Policy CSP - Storage -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -
    @@ -627,7 +623,10 @@ ADMX Info: -If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." +If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. + +> [!Note] +> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." Supported values: - 0 - Disable @@ -647,7 +646,10 @@ ADMX Info: +Example for setting the device custom OMA-URI setting to enable this policy: +To deny write access to removable storage within Intune’s custom profile, set OMA-URI to ```.\[device|user]\vendor\msft\policy\[config|result]\Storage/RemovableDiskDenyWriteAccess```, Data type to Integer, and Value to 1. +See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/en-us/intune/custom-settings-windows-10) for information on how to create custom profiles. diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index 0e14ae0b89..e762a53ed9 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -1,315 +1,317 @@ ---- -title: Windows Autopilot for existing devices -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Windows Autopilot for existing devices - -**Applies to: Windows 10** - -Modern desktop deployment with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away. - -This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Windows 10 devices joined to either Azure Active Directory or Active Directory (Hybrid Azure AD Join) by using Windows Autopilot. - ->[!NOTE] ->Windows Autopilot for existing devices only supports user-driven Azure Active Directory and Hybrid Azure AD profiles. Self-deploying profiles are not supported. - -## Prerequisites - -- System Center Configuration Manager Current Branch (1806) OR System Center Configuration Manager Technical Preview (1808) -- The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later - - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809. -- Assigned Microsoft Intune Licenses -- Azure Active Directory Premium -- Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image - -## Procedures - -### Configure the Enrollment Status Page (optional) - -If desired, you can set up an [enrollment status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) for Autopilot using Intune. - -To enable and configure the enrollment and status page: - -1. Open [Intune in the Azure portal](https://aka.ms/intuneportal). -2. Access **Intune > Device enrollment > Windows enrollment** and [Set up an enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status). -3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/sccm/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users. - -See the following examples. - -![enrollment status page](images/esp-config.png)

    -![mdm](images/mdm-config.png) - -### Create the JSON file - ->[!TIP] ->To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). - -1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window -2. Enter the following lines to install the necessary modules - - #### Install required modules - - ```powershell - Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force - Install-Module AzureAD -Force - Install-Module WindowsAutopilotIntune -Force - ``` - -3. Enter the following lines and provide Intune administrative credentials - - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights. - - ```powershell - Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com - ``` - The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**. -
    See the following example: - - ![Azure AD authentication](images/pwd.png) - - If this is the first time you’ve used the Intune Graph APIs, you’ll also be prompted to enable read and write permissions for Microsoft Intune PowerShell. To enable these permissions: - - Select **Consent on behalf or your organization** - - Click **Accept** - -4. Next, retrieve and display all the Autopilot profiles available in the specified Intune tenant in JSON format: - - #### Retrieve profiles in Autopilot for existing devices JSON format - - ```powershell - Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON - ``` - - See the following sample output: (use the horizontal scroll bar at the bottom to view long lines) - 
    -    PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
-    {
-        "CloudAssignedTenantId":  "1537de22-988c-4e93-b8a5-83890f34a69b",
-        "CloudAssignedForcedEnrollment":  1,
-        "Version":  2049,
-        "Comment_File":  "Profile Autopilot Profile",
-        "CloudAssignedAadServerData":  "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"M365x373186.onmicrosoft.com\"}}",
-        "CloudAssignedTenantDomain":  "M365x373186.onmicrosoft.com",
-        "CloudAssignedDomainJoinMethod":  0,
-        "CloudAssignedOobeConfig":  28,
-        "ZtdCorrelationId":  "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC"
-    }
    - - Each profile is encapsulated within braces **{ }**. In the previous example, a single profile is displayed. - - See the following table for a description of properties used in the JSON file. - - - | Property | Description | - |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. | - | CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. | - | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. | - | CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | - | CloudAssignedDomainJoinMethod (number, required) | This property specifies whether the device should join Azure Active Directory or Active Directory (Hybrid Azure AD Join). Values include: Active AD Join = 0, Hybrid Azure AD Join = 1 | - | CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment.
    0 = not required, 1 = required. | - | ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration. | - | CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled.
    Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}" | - | CloudAssignedDeviceName (string, optional) | The name automatically assigned to the computer. This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use. | - - -5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below: (use the horizontal scroll bar at the bottom if needed to view the entire command string) - - ```powershell - Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII - ``` - **IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII/ANSI. - - If preferred, you can save the profile to a text file and edit in Notepad. In Notepad, when you choose **Save as** you must select Save as type: **All Files** and choose ANSI from the drop-down list next to **Encoding**. See the following example. - - ![Notepad JSON](images/notepad.png) - - After saving the file, move the file to a location suitable as an SCCM package source. - - >[!IMPORTANT] - >Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI.

    **Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.
    - - -### Create a package containing the JSON file - -1. In Configuration Manager, navigate to **\Software Library\Overview\Application Management\Packages** -2. On the ribbon, click **Create Package** -3. In the **Create Package and Program Wizard** enter the following **Package** and **Program Type** details:
    - - Name: **Autopilot for existing devices config** - - Select the **This package contains source files** checkbox - - Source folder: Click **Browse** and specify a UNC path containing the AutopilotConfigurationFile.json file. - - Click **OK** and then click **Next**. - - Program Type: **Do not create a program** -4. Click **Next** twice and then click **Close**. - -**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Config Mgr package. - -### Create a target collection - ->[!NOTE] ->You can also choose to reuse an existing collection - -1. Navigate to **\Assets and Compliance\Overview\Device Collections** -2. On the ribbon, click **Create** and then click **Create Device Collection** -3. In the **Create Device Collection Wizard** enter the following **General** details: - - Name: **Autopilot for existing devices collection** - - Comment: (optional) - - Limiting collection: Click **Browse** and select **All Systems** - - >[!NOTE] - >You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the ConfigMgr agent in the collection that you select. - -4. Click **Next**, then enter the following **Membership Rules** details: - - Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection. - - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples. - - ![Named resource1](images/pc-01a.png) - ![Named resource2](images/pc-01b.png) - -5. Continue creating the device collection with the default settings: - - Use incremental updates for this collection: not selected - - Schedule a full update on this collection: default - - Click **Next** twice and then click **Close** - -### Create an Autopilot for existing devices Task Sequence - ->[!TIP] ->The next procedure requires a boot image for Windows 10 1803 or later. Review your available boot images in the Configuration Manager conole under **Software Library\Overview\Operating Systems\Boot images** and verify that the **OS Version** is 10.0.17134.1 (Windows 10 version 1803) or later. - -1. In the Configuration Manager console, navigate to **\Software Library\Overview\Operating Systems\Task Sequences** -2. On the Home ribbon, click **Create Task Sequence** -3. Select **Install an existing image package** and then click **Next** -4. In the Create Task Sequence Wizard enter the following details: - - Task sequence name: **Autopilot for existing devices** - - Boot Image: Click **Browse** and select a Windows 10 boot image (1803 or later) - - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later. - - Select the **Partition and format the target computer before installing the operating system** checkbox. - - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional. - - Product Key and Server licensing mode: Optionally enter a product key and server licencing mode. - - Randomly generate the local administrator password and disable the account on all support platforms (recommended): Optional. - - Enable the account and specify the local administrator password: Optional. - - Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**. - - >[!IMPORTANT] - >The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which calls the System Preparation Tool (syeprep). This action will fail if the target machine is joined to a domain. - -5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page. -6. On the State Migration page, enter the following details: - - Clear the **Capture user settings and files** checkbox. - - Clear the **Capture network settings** checkbox. - - Clear the **Capture Microsoft Windows settings** checkbox. - - Click **Next**. - - >[!NOTE] - >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined or hybrid AAD joined devices. - -7. On the Include Updates page, choose one of the three available options. This selection is optional. -8. On the Install applications page, add applications if desired. This is optional. -9. Click **Next**, confirm settings, click **Next** and then click **Close**. -10. Right click on the Autopilot for existing devices task sequence and click **Edit**. -11. In the Task Sequence Editor under the **Install Operating System** group, click the **Apply Windows Settings** action. -12. Click **Add** then click **New Group**. -13. Change the group **Name** from **New Group** to **Autopilot for existing devices config**. -14. Click **Add**, point to **General**, then click **Run Command Line**. -15. Verify that the **Run Command Line** step is nested under the **Autopilot for existing devices config** group. -16. Change the **Name** to **Apply Autopilot for existing devices config file** and paste the following into the **Command line** text box, and then click **Apply**: - ``` - cmd.exe /c xcopy AutopilotConfigurationFile.json %OSDTargetSystemDrive%\windows\provisioning\Autopilot\ /c - ``` - - **AutopilotConfigurationFile.json** must be the name of the JSON file present in the Autopilot for existing devices package created earlier. - -17. In the **Apply Autopilot for existing devices config file** step, select the **Package** checkbox and then click **Browse**. -18. Select the **Autopilot for existing devices config** package created earlier and click **OK**. An example is displayed at the end of this section. -19. Under the **Setup Operating System** group, click the **Setup Windows and Configuration Manager** task. -20. Click **Add** and then click **New Group**. -21. Change **Name** from **New Group** to **Prepare Device for Autopilot** -22. Verify that the **Prepare Device for Autopilot** group is the very last step in the task sequence. Use the **Move Down** button if necessary. -23. With the **Prepare device for Autopilot** group selected, click **Add**, point to **Images** and then click **Prepare ConfigMgr Client for Capture**. -24. Add a second step by clicking **Add**, pointing to **Images**, and clicking **Prepare Windows for Capture**. Use the following settings in this step: - - Automatically build mass storage driver list: **Not selected** - - Do not reset activation flag: **Not selected** - - Shutdown the computer after running this action: **Optional** - - ![Autopilot task sequence](images/ap-ts-1.png) - -25. Click **OK** to close the Task Sequence Editor. - -### Deploy Content to Distribution Points - -Next, ensure that all content required for the task sequence is deployed to distribution points. - -1. Right click on the **Autopilot for existing devices** task sequence and click **Distribute Content**. -2. Click **Next**, **Review the content to distribute** and then click **Next**. -3. On the Specify the content distribution page click **Add** to specify either a **Distribution Point** or **Distribution Point Group**. -4. On the a Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run. -5. When you are finished specifying content distribution, click **Next** twice then click **Close**. - -### Deploy the OS with Autopilot Task Sequence - -1. Right click on the **Autopilot for existing devices** task sequence and then click **Deploy**. -2. In the Deploy Software Wizard enter the following **General** and **Deployment Settings** details: - - Task Sequence: **Autopilot for existing devices**. - - Collection: Click **Browse** and then select **Autopilot for existing devices collection** (or another collection you prefer). - - Click **Next** to specify **Deployment Settings**. - - Action: **Install**. - - Purpose: **Available**. You can optionally select **Required** instead of **Available**. This is not recommended during the test owing to the potential impact of inadvertent configurations. - - Make available to the following: **Only Configuration Manager Clients**. Note: Choose the option here that is relevant for the context of your test. If the target client does not have the Configuration Manager agent or Windows installed, you will need to select an option that includes PXE or Boot Media. - - Click **Next** to specify **Scheduling** details. - - Schedule when this deployment will become available: Optional - - Schedule when this deployment will expire: Optional - - Click **Next** to specify **User Experience** details. - - Show Task Sequence progress: Selected. - - Software Installation: Not selected. - - System restart (if required to complete the installation): Not selected. - - Commit changed at deadline or during a maintenance windows (requires restart): Optional. - - Allow task sequence to be run for client on the Internet: Optional - - Click **Next** to specify **Alerts** details. - - Create a deployment alert when the threshold is higher than the following: Optional. - - Click **Next** to specify **Distribution Points** details. - - Deployment options: **Download content locally when needed by the running task sequence**. - - When no local distribution point is available use a remote distribution point: Optional. - - Allow clients to use distribution points from the default site boundary group: Optional. - - Click **Next**, confirm settings, click **Next**, and then click **Close**. - -### Complete the client installation process - -1. Open the Software Center on the target Windows 7 or Windows 8.1 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt: - - ``` - C:\Windows\CCM\SCClient.exe - ``` - -2. In the software library, select **Autopilot for existing devices** and click **Install**. See the following example: - - ![Named resource2](images/sc.png) - ![Named resource2](images/sc1.png) - -The Task Sequence will download content, reboot, format the drives and install Windows 10. The device will then proceed to be prepared for Autopilot. Once the task sequence has completed the device will boot into OOBE and provide an Autopilot experience. - -![refresh-1](images/up-1.png) -![refresh-2](images/up-2.png) -![refresh-3](images/up-3.png) - ->[!NOTE] ->If joining devices to Active Directory (Hybrid Azure AD Join), it is necessary to create a Domain Join device configuration profile that is targeted to "All Devices" (since there is no Azure Active Directory device object for the computer to do group-based targeting). See [User-driven mode for hybrid Azure Active Directory join](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join) for more information. - -### Register the device for Windows Autopilot - -Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile). - -Also see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices). - -## Speeding up the deployment process - -To remove around 20 minutes from the deployment process, see Michael Niehaus's blog with instructions for [Speeding up Windows Autopilot for existing devices](https://blogs.technet.microsoft.com/mniehaus/2018/10/25/speeding-up-windows-autopilot-for-existing-devices/). +--- +title: Windows Autopilot for existing devices +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Windows Autopilot for existing devices + +**Applies to: Windows 10** + +Modern desktop deployment with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away. + +This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Windows 10 devices joined to either Azure Active Directory or Active Directory (Hybrid Azure AD Join) by using Windows Autopilot. + +>[!NOTE] +>Windows Autopilot for existing devices only supports user-driven Azure Active Directory and Hybrid Azure AD profiles. Self-deploying profiles are not supported. + +## Prerequisites + +- System Center Configuration Manager Current Branch (1806) OR System Center Configuration Manager Technical Preview (1808) +- The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later + - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809. +- Assigned Microsoft Intune Licenses +- Azure Active Directory Premium +- Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image + - **Important**: See [Known issues](known-issues.md) if you are using Windows 10 1903 with Configuration Manager’s built-in **Windows Autopilot existing device** task sequence template. Currently, one of the steps in this task sequence must be edited to work properly with Windows 10, version 1903. + +## Procedures + +### Configure the Enrollment Status Page (optional) + +If desired, you can set up an [enrollment status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) for Autopilot using Intune. + +To enable and configure the enrollment and status page: + +1. Open [Intune in the Azure portal](https://aka.ms/intuneportal). +2. Access **Intune > Device enrollment > Windows enrollment** and [Set up an enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status). +3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/sccm/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users. + +See the following examples. + +![enrollment status page](images/esp-config.png)

    +![mdm](images/mdm-config.png) + +### Create the JSON file + +>[!TIP] +>To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). + +1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window +2. Enter the following lines to install the necessary modules + + #### Install required modules + + ```powershell + Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force + Install-Module AzureAD -Force + Install-Module WindowsAutopilotIntune -Force + ``` + +3. Enter the following lines and provide Intune administrative credentials + - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights. + + ```powershell + Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com + ``` + The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**. +
    See the following example: + + ![Azure AD authentication](images/pwd.png) + + If this is the first time you’ve used the Intune Graph APIs, you’ll also be prompted to enable read and write permissions for Microsoft Intune PowerShell. To enable these permissions: + - Select **Consent on behalf or your organization** + - Click **Accept** + +4. Next, retrieve and display all the Autopilot profiles available in the specified Intune tenant in JSON format: + + #### Retrieve profiles in Autopilot for existing devices JSON format + + ```powershell + Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON + ``` + + See the following sample output: (use the horizontal scroll bar at the bottom to view long lines) + 
    +    PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
+    {
+        "CloudAssignedTenantId":  "1537de22-988c-4e93-b8a5-83890f34a69b",
+        "CloudAssignedForcedEnrollment":  1,
+        "Version":  2049,
+        "Comment_File":  "Profile Autopilot Profile",
+        "CloudAssignedAadServerData":  "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"M365x373186.onmicrosoft.com\"}}",
+        "CloudAssignedTenantDomain":  "M365x373186.onmicrosoft.com",
+        "CloudAssignedDomainJoinMethod":  0,
+        "CloudAssignedOobeConfig":  28,
+        "ZtdCorrelationId":  "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC"
+    }
    + + Each profile is encapsulated within braces **{ }**. In the previous example, a single profile is displayed. + + See the following table for a description of properties used in the JSON file. + + + | Property | Description | + |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. | + | CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. | + | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. | + | CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | + | CloudAssignedDomainJoinMethod (number, required) | This property specifies whether the device should join Azure Active Directory or Active Directory (Hybrid Azure AD Join). Values include: Active AD Join = 0, Hybrid Azure AD Join = 1 | + | CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment.
    0 = not required, 1 = required. | + | ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration. | + | CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled.
    Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}" | + | CloudAssignedDeviceName (string, optional) | The name automatically assigned to the computer. This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use. | + + +5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below: (use the horizontal scroll bar at the bottom if needed to view the entire command string) + + ```powershell + Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII + ``` + **IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII/ANSI. + + If preferred, you can save the profile to a text file and edit in Notepad. In Notepad, when you choose **Save as** you must select Save as type: **All Files** and choose ANSI from the drop-down list next to **Encoding**. See the following example. + + ![Notepad JSON](images/notepad.png) + + After saving the file, move the file to a location suitable as an SCCM package source. + + >[!IMPORTANT] + >Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI.

    **Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.
    + + +### Create a package containing the JSON file + +1. In Configuration Manager, navigate to **\Software Library\Overview\Application Management\Packages** +2. On the ribbon, click **Create Package** +3. In the **Create Package and Program Wizard** enter the following **Package** and **Program Type** details:
    + - Name: **Autopilot for existing devices config** + - Select the **This package contains source files** checkbox + - Source folder: Click **Browse** and specify a UNC path containing the AutopilotConfigurationFile.json file. + - Click **OK** and then click **Next**. + - Program Type: **Do not create a program** +4. Click **Next** twice and then click **Close**. + +**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Config Mgr package. + +### Create a target collection + +>[!NOTE] +>You can also choose to reuse an existing collection + +1. Navigate to **\Assets and Compliance\Overview\Device Collections** +2. On the ribbon, click **Create** and then click **Create Device Collection** +3. In the **Create Device Collection Wizard** enter the following **General** details: + - Name: **Autopilot for existing devices collection** + - Comment: (optional) + - Limiting collection: Click **Browse** and select **All Systems** + + >[!NOTE] + >You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the ConfigMgr agent in the collection that you select. + +4. Click **Next**, then enter the following **Membership Rules** details: + - Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection. + - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples. + + ![Named resource1](images/pc-01a.png) + ![Named resource2](images/pc-01b.png) + +5. Continue creating the device collection with the default settings: + - Use incremental updates for this collection: not selected + - Schedule a full update on this collection: default + - Click **Next** twice and then click **Close** + +### Create an Autopilot for existing devices Task Sequence + +>[!TIP] +>The next procedure requires a boot image for Windows 10 1803 or later. Review your available boot images in the Configuration Manager conole under **Software Library\Overview\Operating Systems\Boot images** and verify that the **OS Version** is 10.0.17134.1 (Windows 10 version 1803) or later. + +1. In the Configuration Manager console, navigate to **\Software Library\Overview\Operating Systems\Task Sequences** +2. On the Home ribbon, click **Create Task Sequence** +3. Select **Install an existing image package** and then click **Next** +4. In the Create Task Sequence Wizard enter the following details: + - Task sequence name: **Autopilot for existing devices** + - Boot Image: Click **Browse** and select a Windows 10 boot image (1803 or later) + - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later. + - Select the **Partition and format the target computer before installing the operating system** checkbox. + - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional. + - Product Key and Server licensing mode: Optionally enter a product key and server licensing mode. + - Randomly generate the local administrator password and disable the account on all support platforms (recommended): Optional. + - Enable the account and specify the local administrator password: Optional. + - Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**. + + >[!IMPORTANT] + >The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which calls the System Preparation Tool (syeprep). This action will fail if the target machine is joined to a domain. + +5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page. +6. On the State Migration page, enter the following details: + - Clear the **Capture user settings and files** checkbox. + - Clear the **Capture network settings** checkbox. + - Clear the **Capture Microsoft Windows settings** checkbox. + - Click **Next**. + + >[!NOTE] + >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined or hybrid AAD joined devices. + +7. On the Include Updates page, choose one of the three available options. This selection is optional. +8. On the Install applications page, add applications if desired. This is optional. +9. Click **Next**, confirm settings, click **Next** and then click **Close**. +10. Right click on the Autopilot for existing devices task sequence and click **Edit**. +11. In the Task Sequence Editor under the **Install Operating System** group, click the **Apply Windows Settings** action. +12. Click **Add** then click **New Group**. +13. Change the group **Name** from **New Group** to **Autopilot for existing devices config**. +14. Click **Add**, point to **General**, then click **Run Command Line**. +15. Verify that the **Run Command Line** step is nested under the **Autopilot for existing devices config** group. +16. Change the **Name** to **Apply Autopilot for existing devices config file** and paste the following into the **Command line** text box, and then click **Apply**: + ``` + cmd.exe /c xcopy AutopilotConfigurationFile.json %OSDTargetSystemDrive%\windows\provisioning\Autopilot\ /c + ``` + - **AutopilotConfigurationFile.json** must be the name of the JSON file present in the Autopilot for existing devices package created earlier. + +17. In the **Apply Autopilot for existing devices config file** step, select the **Package** checkbox and then click **Browse**. +18. Select the **Autopilot for existing devices config** package created earlier and click **OK**. An example is displayed at the end of this section. +19. Under the **Setup Operating System** group, click the **Setup Windows and Configuration Manager** task. +20. Click **Add** and then click **New Group**. +21. Change **Name** from **New Group** to **Prepare Device for Autopilot** +22. Verify that the **Prepare Device for Autopilot** group is the very last step in the task sequence. Use the **Move Down** button if necessary. +23. With the **Prepare device for Autopilot** group selected, click **Add**, point to **Images** and then click **Prepare ConfigMgr Client for Capture**. +24. Add a second step by clicking **Add**, pointing to **Images**, and clicking **Prepare Windows for Capture**. Use the following settings in this step: + - Automatically build mass storage driver list: **Not selected** + - Do not reset activation flag: **Not selected** + - Shutdown the computer after running this action: **Optional** + + ![Autopilot task sequence](images/ap-ts-1.png) + +25. Click **OK** to close the Task Sequence Editor. + +### Deploy Content to Distribution Points + +Next, ensure that all content required for the task sequence is deployed to distribution points. + +1. Right click on the **Autopilot for existing devices** task sequence and click **Distribute Content**. +2. Click **Next**, **Review the content to distribute** and then click **Next**. +3. On the Specify the content distribution page click **Add** to specify either a **Distribution Point** or **Distribution Point Group**. +4. On the a Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run. +5. When you are finished specifying content distribution, click **Next** twice then click **Close**. + +### Deploy the OS with Autopilot Task Sequence + +1. Right click on the **Autopilot for existing devices** task sequence and then click **Deploy**. +2. In the Deploy Software Wizard enter the following **General** and **Deployment Settings** details: + - Task Sequence: **Autopilot for existing devices**. + - Collection: Click **Browse** and then select **Autopilot for existing devices collection** (or another collection you prefer). + - Click **Next** to specify **Deployment Settings**. + - Action: **Install**. + - Purpose: **Available**. You can optionally select **Required** instead of **Available**. This is not recommended during the test owing to the potential impact of inadvertent configurations. + - Make available to the following: **Only Configuration Manager Clients**. Note: Choose the option here that is relevant for the context of your test. If the target client does not have the Configuration Manager agent or Windows installed, you will need to select an option that includes PXE or Boot Media. + - Click **Next** to specify **Scheduling** details. + - Schedule when this deployment will become available: Optional + - Schedule when this deployment will expire: Optional + - Click **Next** to specify **User Experience** details. + - Show Task Sequence progress: Selected. + - Software Installation: Not selected. + - System restart (if required to complete the installation): Not selected. + - Commit changed at deadline or during a maintenance windows (requires restart): Optional. + - Allow task sequence to be run for client on the Internet: Optional + - Click **Next** to specify **Alerts** details. + - Create a deployment alert when the threshold is higher than the following: Optional. + - Click **Next** to specify **Distribution Points** details. + - Deployment options: **Download content locally when needed by the running task sequence**. + - When no local distribution point is available use a remote distribution point: Optional. + - Allow clients to use distribution points from the default site boundary group: Optional. + - Click **Next**, confirm settings, click **Next**, and then click **Close**. + +### Complete the client installation process + +1. Open the Software Center on the target Windows 7 or Windows 8.1 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt: + + ``` + C:\Windows\CCM\SCClient.exe + ``` + +2. In the software library, select **Autopilot for existing devices** and click **Install**. See the following example: + + ![Named resource2](images/sc.png) + ![Named resource2](images/sc1.png) + +The Task Sequence will download content, reboot, format the drives and install Windows 10. The device will then proceed to be prepared for Autopilot. Once the task sequence has completed the device will boot into OOBE and provide an Autopilot experience. + +![refresh-1](images/up-1.png) +![refresh-2](images/up-2.png) +![refresh-3](images/up-3.png) + +>[!NOTE] +>If joining devices to Active Directory (Hybrid Azure AD Join), it is necessary to create a Domain Join device configuration profile that is targeted to "All Devices" (since there is no Azure Active Directory device object for the computer to do group-based targeting). See [User-driven mode for hybrid Azure Active Directory join](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven#user-driven-mode-for-hybrid-azure-active-directory-join) for more information. + +### Register the device for Windows Autopilot + +Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile). + +Also see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices). + +## Speeding up the deployment process + +To remove around 20 minutes from the deployment process, see Michael Niehaus's blog with instructions for [Speeding up Windows Autopilot for existing devices](https://blogs.technet.microsoft.com/mniehaus/2018/10/25/speeding-up-windows-autopilot-for-existing-devices/). diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md index 9ba16cd6f9..b2de8f53ee 100644 --- a/windows/deployment/windows-autopilot/known-issues.md +++ b/windows/deployment/windows-autopilot/known-issues.md @@ -25,9 +25,15 @@ ms.topic: article
    IssueMore information -
    The following known issue will be resolved by installing the KB4517211 update, due to be released in late September 2019: - -- TPM attestation fails on Windows 10 1903 due to missing AKI extension in EK certificate. (An additional validation added in Windows 10 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications uncovered that a number of them don’t, so that validation will be removed). +
    Windows Autopilot for existing devices does not work for Windows 10, version 1903; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen. +
     
    +This happens because Windows 10, version 1903 deletes the AutopilotConfigurationFile.json file. +    		To fix this issue:
    1. Edit the Configuration Manager task sequence and disable the Prepare Windows for Capture step. +
    2. Add a new Run command line step that runs c:\windows\system32\sysprep\sysprep.exe /oobe /reboot.
    +More information +
    The following known issue will be resolved by installing the KB4517211 update, due to be released in late September 2019. +
     
    +TPM attestation fails on Windows 10 1903 due to missing AKI extension in EK certificate. (An additional validation added in Windows 10 1903 to check that the TPM EK certs had the proper attributes according to the TCG specifications uncovered that a number of them don’t, so that validation will be removed).     		Download and install the KB4517211 update.

    This update is currently pending release.
    The following known issues are resolved by installing the August 30, 2019 KB4512941 update (OS Build 18362.329): diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 384a08226e..7b62868ba2 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -50,6 +50,7 @@ sections: text: " + diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 70736626cc..eaedfb4d15 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -121,7 +121,7 @@ #### [Custom detections]() ##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md) -##### [Create custom detections rules](microsoft-defender-atp/custom-detection-rules.md) +##### [Create and manage custom detections rules](microsoft-defender-atp/custom-detection-rules.md) ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 9561fe831c..0af9f2e7a8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -1,16 +1,16 @@ --- -title: Create custom detection rules in Microsoft Defender ATP +title: Create and manage custom detection rules in Microsoft Defender ATP ms.reviewer: -description: Learn how to create custom detections rules based on advanced hunting queries -keywords: create custom detections, detections, advanced hunting, hunt, detect, query +description: Learn how to create and manage custom detections rules based on advanced hunting queries +keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -19,53 +19,86 @@ ms.topic: article --- -# Create custom detections rules +# Create and manage custom detections rules **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Create custom detection rules from [Advanced hunting](overview-hunting.md) queries to automatically check for threat indicators and generate alerts whenever these indicators are found. +Custom detection rules built from [Advanced hunting](overview-hunting.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. >[!NOTE] ->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. For the detection rule to work properly and create alerts, the query must return in each row a set of MachineId, ReportId, EventTime which match to an actual event in advanced hunting. +>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. -1. In the navigation pane, select **Advanced hunting**. +## Create a custom detection rule +### 1. Prepare the query. -2. Select an existing query that you'd like to base the monitor on or create a new query. +In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results. -3. Select **Create detection rule**. +>[!NOTE] +>To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Queries that don’t use the `project` operator to customize results usually return these common columns. -4. Specify the alert details: +### 2. Create new rule and provide alert details. - - Alert title - - Severity - - Category - - Description - - Recommended actions +With the query in the query editor, select **Create detection rule** and specify the following alert details: -5. Click **Create**. +- **Alert title** +- **Severity** +- **Category** +- **Description** +- **Recommended actions** -> [!TIP] -> TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview of the data you can expect to be returned.
    -> When a new detection rule is created, it will run for the first time (it might take a few minutes) and raise any alerts created by this rule. After that, the rule will automatically run every 24 hours.
    -> TIP #2: Since the detection automatically runs every 24 hours, it's best to query data in the last 24 hours. +For more information about these alert details, [read about managing alerts](manage-alerts.md). + +### 3. Specify actions on files or machines. +Your custom detection rule can automatically take actions on files or machines that are returned by the query. + +#### Actions on machines +These actions are applied to machines in the `MachineId` column of the query results: +- **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network) +- **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines) +- **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine +- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the machine + +#### Actions on files +These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results: +- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected machine groups. This scope is independent of the scope of the rule. +- **Quarantine file** — deletes the file from its current location and places a copy in quarantine + +### 4. Click **Create** to save and turn on the rule. +When saved, the custom detection rule immediately runs. It runs again every 24 hours to check for matches, generate alerts, and take response actions. ## Manage existing custom detection rules -View existing rules in your network, see the last results of each rule, navigate to view all alerts that were created by each rule. You can also modify existing rules. +In **Settings** > **Custom detections**, you can view the list of existing custom detection rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. -1. In the navigation pane, select **Settings** > **Custom detections**. You'll see all the detections created in the system. +### View existing rules -2. Select one of the rules to take any of the following actions: - - Open related alerts - See all the alerts that were raised based to this rule - - Run - Run the selected detection immediately. +To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information: - > [!NOTE] - > The next run for the query will be in 24 hours after the last run. - - - Edit - Modify the settings of the rule. - - Modify query - View and edit the query itself. - - Turn off - Stop the query from running. - - Delete +- **Last run** — when a rule was last run to check for query matches and generate alerts +- **Last run status** — whether a rule ran successfully +- **Next run** — the next scheduled run +- **Status** — whether a rule has been turned on or off +### View rule details, modify rule, and run rule + +To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. This opens a page about the custom detection rule with the following information: + +- General information about the rule, including the details of the alert, run status, and scope +- List of triggered alerts +- List of triggered actions + +![Custom detection rule page](images/atp-custom-detection-rule-details.png)
    +*Custom detection rule page* + +You can also take the following actions on the rule from this page: + +- **Run** — run the rule immediately. This also resets the interval for the next run. +- **Edit** — modify the rule without changing the query +- **Modify query** — edit the query in Advanced hunting +- **Turn on** / **Turn off** — enable the rule or stop it from running +- **Delete** — turn off the rule and remove it + +>[!TIP] +>To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table. ## Related topic - [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-detection-rule-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-detection-rule-details.png new file mode 100644 index 0000000000..65ecd31a2a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-detection-rule-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 9579771415..8398ee9986 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -1,16 +1,16 @@ --- -title: Custom detections overview +title: Overview of custom detections in Microsoft Defender ATP ms.reviewer: -description: Understand how you can leverage the power of advanced hunting to create custom detections -keywords: custom detections, detections, advanced hunting, hunt, detect, query +description: Understand how you can use Advanced hunting to create custom detections and generate alerts +keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, interval, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -23,18 +23,16 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions. -Alerts in Microsoft Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious events or emerging threats. +Custom detections work with [Advanced hunting](overview-hunting.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. The queries run every 24 hours, generating alerts and taking response actions whenever there are matches. -This can be done by leveraging the power of [Advanced hunting](overview-hunting.md) through the creation of custom detection rules. -Custom detections are queries that run periodically every 24 hours and can be configured so that when the query meets the criteria you set, alerts are created and are surfaced in Microsoft Defender Security Center. These alerts will be treated like any other alert in the system. - -This capability is particularly useful for scenarios when you want to pro-actively prevent threats and be notified quickly of emerging threats. +Custom detections provide: +- Alerts from rule-based detections built from Advanced hunting queries +- Automatic response actions that apply to files and machines >[!NOTE] >To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. ## Related topic -- [Create custom detection rules](custom-detection-rules.md) - - +- [Create and manage custom detection rules](custom-detection-rules.md) \ No newline at end of file
    MessageDate
    Advisory: Scripting Engine Memory Corruption Vulnerability (CVE-2019-1367)
    On September 23, 2019, Microsoft released a security update to address a remote code execution vulnerability in the way the scripting engine handles objects in memory in Internet Explorer. An attacker who successfully exploited the vulnerability could gain the same user permissions as the current user. For example, if a user is logged on with administrative rights, an attacker could take control of an affected system and install programs; view, change, or delete data; or create new accounts with full user rights. Alternatively, an attacker could host a specially crafted website targeting Internet Explorer and then entice a user to open web page or a malicious document attached to an e-mail. For more information about the vulnerability, see the Microsoft Security Guide CVE-2019-1367 | Scripting Engine Memory Corruption Vulnerability
     
    Mitigation for this vulnerability is available from the Microsoft Security Update Guide. For the best protection, we recommend you apply the latest Windows updates and follow security best practices and do not open attachments or documents from an untrusted source. For more information about the vulnerability, see the Microsoft Security Guide: CVE-2019-1367 | Scripting Engine Memory Corruption Vulnerability
    		September 22, 2019
    11:00 AM PT
    Status of September 2019 “C” release
    The optional monthly “C” release for September 2019 for all supported versions of Windows and Windows Server prior to Windows 10, version 1903 and Windows Server, version 1903 will be available in the near term. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
    		September 19, 2019
    04:11 PM PT
    Plan for change: End of service reminders for Windows 10, versions 1703 and 1803
    The Enterprise and Education editions of Windows 10, version 1703 (the Creators Update) will reach end of service on October 8, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions of Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019. We recommend that you update devices running these versions and editions to the latest version of Windows 10—Windows 10, version 1903—as soon as possible to help keep them protected and your environments secure.
    		September 13, 2019
    03:23 PM PT
    September 2019 security update available for all supported versions of Windows
    The September 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. We recommend that you install these updates promptly. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
    		September 10, 2019
    09:34 AM PT